Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

6

Static

static

1

MuMuInstal...05.exe

windows7-x64

6

MuMuInstal...05.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    97s
  • max time network
    100s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    07/12/2024, 04:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe

  • Size

    5.3MB

  • MD5

    fbd9ad001bb2719f574c0705c5de05fb

  • SHA1

    d07e77a490ad677935ac8213b88237e94440e791

  • SHA256

    f0031f9d7f25d4d29581879f62565a5a565995899adc60213f9e218147c78593

  • SHA512

    5724e3f858ae7ea92ba4ce325f3f8f4b90ecc6d7c19476e2888c4b09f0913463191b977f71314300918cceb0a6ae0b80e29d3c70891e8aeb9314da233a929e96

  • SSDEEP

    98304:oeZOuRuvqAgef1ndGaX6tJJQv2FKA75OpVclc02vDRZTEB:1ZOPNdo3u0jc02vVZoB

Score
6/10
discovery

Malware Config

Signatures

  • Downloads MZ/PE file
  • Drops file in Program Files directory 1 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 25 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
    adwarespyware
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: LoadsDriver 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe
    "C:\Users\Admin\AppData\Local\Temp\MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Users\Admin\AppData\Local\Temp\7z696B4824\nemu-downloader.exe
      C:\Users\Admin\AppData\Local\Temp\7z696B4824\nemu-downloader.exe
      2⤵
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2304
      • C:\Users\Admin\AppData\Local\Temp\7z696B4824\ColaBoxChecker.exe
        "C:\Users\Admin\AppData\Local\Temp\7z696B4824\ColaBoxChecker.exe" checker /baseboard
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2728
      • C:\Users\Admin\AppData\Local\Temp\7z696B4824\HyperVChecker.exe
        "C:\Users\Admin\AppData\Local\Temp\7z696B4824\HyperVChecker.exe"
        3⤵
        • Executes dropped EXE
        PID:2748
      • C:\Users\Admin\AppData\Local\Temp\7z696B4824\HyperVChecker.exe
        "C:\Users\Admin\AppData\Local\Temp\7z696B4824\HyperVChecker.exe"
        3⤵
        • Executes dropped EXE
        PID:2620
      • C:\Users\Admin\AppData\Local\Temp\7z696B4824\HyperVChecker.exe
        "C:\Users\Admin\AppData\Local\Temp\7z696B4824\HyperVChecker.exe"
        3⤵
        • Executes dropped EXE
        PID:1924
      • C:\Users\Admin\AppData\Local\Temp\7z696B4824\MuMuDownloader.exe
        "C:\Users\Admin\AppData\Local\Temp\7z696B4824\MuMuDownloader.exe" --log="C:\Users\Admin\AppData\Local\Temp\nemu-downloader-aria.log" --log-level=notice --check-certificate=false --enable-rpc=true --rpc-listen-port=49271 --continue --max-concurrent-downloads=10 --max-connection-per-server=5 --async-dns=false --file-allocation=prealloc --enable-mmap=true --connect-timeout=5 --rpc-max-request-size=1024M --stop-with-process=2304
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2112
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.mumuglobal.com/problem/q58/?lang=en
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2416
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2416 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3052
      • C:\Users\Admin\AppData\Local\Temp\7z696B4824\7z.exe
        "C:\Users\Admin\AppData\Local\Temp\7z696B4824\7z.exe" a -tzip "C:\Users\Admin\AppData\Local\Temp\nemux.zip" "C:\Users\Admin\AppData\Local\Temp\nemux"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1960

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    a811f901bc3fdf5e2c4d3459cc305190

    SHA1

    a7231991787dfd0a5f6d3228997b67e73d1b3a18

    SHA256

    10cc69f4945b10194c42e02f1cb57ed5a88e34e62e799c5a22061758dc3d8b3b

    SHA512

    5aa3ca91d23b881b2e83ae0ec9bf2e07d83ea458fdae693c32417d9ba9ab56e02833ba3228e1983c57071f249252617a70ea8b37ac44e972e2e444b52ff2985b

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    e5d715f022fd78c7c273318e0517bf63

    SHA1

    d1f564380b6351e50ed6c0af7e1c20df2bb6dba1

    SHA256

    af8ff1466da24b11bcfe4c49d72079e3724d3d0b77639baeebd1c7911ffdb239

    SHA512

    56e40749d7737c39ad58228a742fc4d4bb0f0ecd28ae125f39ccf0b8bc41d4c095ae83d640e75e8190db4147a9cb7c1f053ef38b598c5dc3f36e21e82bed28f1

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    e6d452417c2cf39bc685f630ba8ca2d7

    SHA1

    f8bcb993e6385df65162b43c00e186ef91c32689

    SHA256

    1b1f75f341e85179401de71027eebaa381b94113cbdd095915f6c8de81468867

    SHA512

    7e3ba958869861085145f5e04395a9daf0f3666771a16bea7bd6b094158d4a0ed9d8e300a0005d04efcc24ca91a549fa1c602b2ee5c0467176d4f1fa14f76240

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    9d9d87bee6acfbf45f39ae5f390bbd7c

    SHA1

    5f06e3c0e26586ab27d26aea3faa9e46635cb6be

    SHA256

    dd1bbccee98bcab064db0f78f2f6d78068161f27861f1a12462cae9c16b1b2b6

    SHA512

    86b962d52b09a38731c89851e48ffee105812390a3258b751f1f4faa1122171e79aff4aedc59d910f5afc9132e4efeea95ed1b0c41ad67596505bc42e01eb32b

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    8715750256c003e8977cbbb41c85bae1

    SHA1

    b8b19660ccf91d8de8065a7764588457cac0e406

    SHA256

    6102736206732148f9d230cb568b18899ffe184c3c6729f6f64a5e892d12472e

    SHA512

    5d5f446c75c2de1885814bacb9953abfdd38bdc24eceb637d9bf6524798956be8308f2e52ee0b84b06a9e505ae3880de0da90735de38477e76f21eb3684be0d9

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    8113942ef547eae7292ff1c09ea0bb2c

    SHA1

    4e253730492bacff3f73e7d12bdc274a8084adbc

    SHA256

    b952689366e36f430eade4a65d12305675908f5a2d84c120d8acf29d983373ce

    SHA512

    10fc516f5e29a8251715981044d7fb8432e4c23871632f7f7186524be3a102b07290cae04cc32c54658fbda00508a73641348d25cfc028e846213017a96fee41

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    017a1ff09e8300d58a022d4507a399d3

    SHA1

    36ad3bf37ae0902564fd0c2befd96a011b92fada

    SHA256

    74041c71dbeb0733484e7945942d912bf04fb37efe51449c382f2ca51e948290

    SHA512

    4bd1bc95bbf25ffc2ca62dc586fbb3bedc8c7a8ead15bdbac7637861f77dcb57b6c8d47e7ac73e0d96f16c82bee9dc479015aa0c27bdb0f0d1309741c79b5f7c

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    081c5c7e69f6b7c112dd5f76d1a4b87e

    SHA1

    647ff96d0510874bdfa62cdead657e6aea8357cd

    SHA256

    5d2a3044a77ffc7d4fc11c21a893f40cb7aa120b3f7d8e055a94bc41383a5ddb

    SHA512

    16d4db5bec337d16b155aae6876ce2f8950fc5a68e06f4c69c2528d8a9fd3f3521dfcb71e7987a7e9ac9a42ada0dc8694ed7b33eb2c5e0da2e0aadaafb8d5012

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    6186d60b5852689fdb067d5a44a5dc17

    SHA1

    38bf18211678369492b92e342c2263495cfe2454

    SHA256

    84c3f554265c223a531e63050f0816da864cf4f961c64570046e3b9cf1709bce

    SHA512

    2d710067feab3bddf589e3dd042c2036f66523e86c8ed52cf5c4fcdb0dbcef1c04199f5fe325d41b27817fb09bbd6e6b061e8ac5703b041ae8074e947f292ea8

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\8A5Y72LX\research.easebar[1].xml
    Filesize

    13B

    MD5

    c1ddea3ef6bbef3e7060a1a9ad89e4c5

    SHA1

    35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

    SHA256

    b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

    SHA512

    6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\njqq61f\imagestore.dat
    Filesize

    4KB

    MD5

    8897d6d60d42e684964d1d77a41c4f1a

    SHA1

    69ea479813a445a4ca307a8ac6e267b0af321752

    SHA256

    ebb2f07b0d778fa16609b65a9fd06be6f4dce3933b776e872840af064558d67c

    SHA512

    cf80db9a98a304e0b4b7059b836398518afd4e7114aa7d11faf9ceb43e955859dd150dfb19678b9a4e7a0f79931dbb973caba56700336db85bc9fb4ab63248d6

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D6V88JEY\favicon[1].ico
    Filesize

    4KB

    MD5

    0a2fa5526c59410046bd70a40567a182

    SHA1

    a559da1f8fa5b6251a8501c0de6a13c8531c97b2

    SHA256

    d9755ec6572e7e8623faa5c75408fda859817c6cb0ab01b39114fbd200029b24

    SHA512

    e51daa988d221d8251509b1b6904b126d51e9d095f95ac2b40a00bc614384823f7a1677bf810adadc8e703308cd0c21adf00b11791013950b49b443667ae4065

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7z696B4824\7z.exe
    Filesize

    292KB

    MD5

    97b382235264f18a53eff8e891997920

    SHA1

    cc0f3ad9411f54f70a2b1a1705e24048b06ea65c

    SHA256

    bf42783c293279c65b00e4f8b72be39e1cb0fcbe14d6679151b0d5e27fd8572d

    SHA512

    1e780698dbc0963ccbd73976da6898b3c0dc4b4e655a80563585518abd37a1a5561a980d035123011213a83c76320de6c08541caa71bfd6582eb93ff57672a83

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7z696B4824\ColaBoxChecker.exe
    Filesize

    4.0MB

    MD5

    839708e3f96cf055436fa08d6205263c

    SHA1

    a4579f8cb6b80fe3fd50099794f63eb51be3292f

    SHA256

    1373c5d006a5dbcd9b86cfff9a37616f1245d1333c4adcefc7cd18926b98d752

    SHA512

    ece67e031e06a0442d935e7d81d0eed57ae92b348b5d104423577478ce226e4a4bde834c54e31d33bfe6f574fb7798ba96886d9e8edb738edee6e7c9c43054cd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7z696B4824\HyperVChecker.exe
    Filesize

    117KB

    MD5

    dbd84c6083e4badf4741d95ba3c9b5f8

    SHA1

    4a555adf8e0459bfd1145d9bd8d91b3fff94aad0

    SHA256

    9ff467bc5a1c377102d25da9fa9c24dcc4375f456510f71584f0714fdfb2af39

    SHA512

    fb5fe74f64254609e07d6642acf904562bb905cd7c14c6f85ba31bcdbaf06686c0586609ec4f5d2f8f55ff90334dcbb774a3a6e78df74bf1b1d0cd03dec21870

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7z696B4824\baseboard
    Filesize

    114B

    MD5

    69454b24ac54d2da8544a93ca1561161

    SHA1

    af3f673fe717ed68b4fbeedaa800b071abbfca8e

    SHA256

    44cd60dfaf583725968853325c92f9f5c8fd9f5cf8f8ba852433b4c9c27c3b17

    SHA512

    54f0a42ae7c666a528198cb163fa451c300afb3cc5032051432ed0efd0373ab540af55915137723e7df93d3d222d4dd72ed091dfdc0790e786745c78675632f5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7z696B4824\config.ini
    Filesize

    346B

    MD5

    d00fb4c61a255b58ff09886c6c72461b

    SHA1

    4e4f7d7ae36f67a4d6fc8479f8400b3eb769e978

    SHA256

    77dec4d79e1e844a2156f101defc0fc81c138a989e8ba1c722c58feb91b3cd4a

    SHA512

    8494ab9fe0594f3ff7b0893ca3e25d6d0a706e546e92c5b662aa864affcefe5f9721a6a95f37f40cdacf39d27a23e2b3cd5dbca4d7b8909cd7c186209d4b46db

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7z696B4824\skin.zip
    Filesize

    509KB

    MD5

    ecb43530caf9566c1b76d5af8d2097f1

    SHA1

    34562ada66cd1501fcb7411a1e1d86729fd7fdc0

    SHA256

    a12381f97aee2d91568f44b23e866ccc99f0ae5e5961f318ed24b72f4f5da80a

    SHA512

    4a243c0bc4dbaf892bee91ea7eff9e6a7732d3aa2df5bebd9a4bea2859a30a8511945ce3bb823f7ef921f2e1a98906fb676fce85f25fd5908646b3a2f5d02563

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabEAFE.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarEAFF.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nemux.zip
    Filesize

    22B

    MD5

    76cdb2bad9582d23c1f6f4d868218d6c

    SHA1

    b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

    SHA256

    8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

    SHA512

    5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\7z696B4824\7z.dll
    Filesize

    1.1MB

    MD5

    0ffa2bff9e56e6122aec80d3c1119d83

    SHA1

    09b7eb124b8c83469ae7de6447d1b8a7f5c98c61

    SHA256

    609cba3a8704aa6f5e2623858402bc048de7198a3567a53183bf97de091a3e48

    SHA512

    42522bf850156577de397e527b8515b1bf0bdeceb170efae71d87c39a25c72c155a2fec6a88b5c3ae443752046f8840cd8afac9c42ed7bcf67aeb9e78aeb5f2e

    Download Submit

  • \Users\Admin\AppData\Local\Temp\7z696B4824\MuMuDownloader.exe
    Filesize

    5.7MB

    MD5

    2f3d77b4f587f956e9987598b0a218eb

    SHA1

    c067432f3282438b367a10f6b0bc0466319e34e9

    SHA256

    2f980c56d81f42ba47dc871a04406976dc490ded522131ce9a2e35c40ca8616e

    SHA512

    a63afc6d708e3b974f147a2d27d90689d8743acd53d60ad0f81a3ab54dfa851d73bcb869d1e476035abc5e234479812730285c0826a2c3da62f39715e315f221

    Download Submit

  • \Users\Admin\AppData\Local\Temp\7z696B4824\nemu-downloader.exe
    Filesize

    3.2MB

    MD5

    cdf8047ceae80d9cd9eb798a57bf6084

    SHA1

    8e7971401fada3099aed61849745fda37e1c0d32

    SHA256

    1f01a9abac64fae72e0a253ad9ffe2d62cd2967c1c2bc90fb956ac446fe2b11e

    SHA512

    ac366f38f39b935110192d1355147392ced5a21966cc22386804356dce24b2da7971a6a60d675689f93d74014d961bfb3b0c13cf06809b9f9feef580045e20dc

    Download Submit

  • memory/2112-145-0x00000000010F0000-0x00000000016A5000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2112-126-0x00000000010F0000-0x00000000016A5000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2112-91-0x00000000010F0000-0x00000000016A5000-memory.dmp

    Filesize

    5.7MB

    Download