Resubmissions
- 250213-btppra1pcz: 13/02/2025, 01:26 (score 10)
- 250117-yz7h3s1qfw: 17/01/2025, 20:14 (score 10)
- 250117-yy9l2sslcr: 17/01/2025, 20:12 (score 10)
- 250117-vy9p9sxpez: 17/01/2025, 17:25 (score 10)
- 250117-vw8eesyjfp: 17/01/2025, 17:21 (score 10)
- 250117-rk9ass1rhk: 17/01/2025, 14:16 (score 10)
- 250117-rhv1ds1lds: 17/01/2025, 14:12 (score 10)
- 250116-p4et7a1mez: 16/01/2025, 12:52 (score 10)

Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-ltsc 2021_x64
- resource: win10ltsc2021-20250113-en
- resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250113-en, locale:en-us, os:windows10-ltsc 2021-x64, system
- submitted: 17/01/2025, 20:14
Behavioral tasks (all run on resource win10ltsc2021-20250113-en)
- behavioral1: Malware-1-master/2530.exe
- behavioral2: Malware-1-master/2887140.exe
- behavioral3: Malware-1-master/32.exe
- behavioral4: Malware-1-master/5.exe
- behavioral5: Malware-1-master/96591.exe
- behavioral6: Malware-1-master/Amadey.exe
- behavioral7: Malware-1-master/Download.exe
- behavioral8: Malware-1-master/Illuminati.exe
- behavioral9: Malware-1-master/MEMZ-Clean.bat
- behavioral10: Malware-1-master/MEMZ-Clean.exe
- behavioral11: Malware-1-master/MEMZ-Destructive.bat
- behavioral12: Malware-1-master/MEMZ-Destructive.exe
- behavioral13: Malware-1-master/Petya.exe
- behavioral14: Malware-1-master/Software.exe
- behavioral15: Malware-1-master/WannaCry.exe
- behavioral16: Malware-1-master/Win32.EvilClusterFuck.exe
- behavioral17: Malware-1-master/apache.exe
- behavioral18: Malware-1-master/butterflyondesktop.exe
- behavioral19: Malware-1-master/crb.exe
- behavioral20: Malware-1-master/eternalblue.exe
- behavioral21: Malware-1-master/fear.png.exe
- behavioral22: Malware-1-master/getr3kt.bat
- behavioral23: Malware-1-master/iimo3.exe
- behavioral24: Malware-1-master/jey.exe
- behavioral25: Malware-1-master/m.exe
- behavioral26: Malware-1-master/mo3.exe
- behavioral27: Malware-1-master/mo332.exe
- behavioral28: Malware-1-master/mysqlconf.exe
- behavioral29: Malware-1-master/o.exe
- behavioral30: Malware-1-master/qOA7iZJcoB8.exe
- behavioral31: Malware-1-master/wintonic.exe
General
- Target: Malware-1-master/mo332.exe
- Size: 14.0MB
- MD5: 552326e3f16df1857e7918a569dcca50
- SHA1: 3a3fd7027c65c75b3e8930535b27e29b4681814c
- SHA256: f5d20a2ef757dd374b1651a955a80113b33b87578e3484fd3589565d296d55cc
- SHA512: a3d00cc28de8131484ebe29d1addfc9e27c9e782a6ec07bee2a19c88ee3afe0f867f8c0c933b6a83946266d46606483d87c8d57b5679cafeeae09eeae1ba41f3
- SSDEEP: 196608:OSfbf3vp28hgy4ohRID4CUAq52Zdm4nKJJmbmChthPtbSttLPSwYJQ:ffT3XhgQRI8C82ZP+MblGttLSpJQ
Malware Config
Signatures

UAC bypass
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (mo332.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (vpauhftihy.exe)

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (mo332.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (vpauhftihy.exe)

Checks BIOS information in registry (2 TTPs, 6 IoCs)
BIOS information is often read in order to detect sandboxing environments.
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (mo332.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (mo332.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (vpauhftihy.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (vpauhftihy.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (userplus.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (userplus.exe)

Executes dropped EXE (3 IoCs)
- PID 2844 vpauhftihy.exe
- PID 216 userplus.exe
- PID 3624 Process not Found

Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Key opened \REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Software\Wine (mo332.exe)
- Key opened \REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Software\Wine (vpauhftihy.exe)

Loads dropped DLL (3 IoCs)
- PID 216 userplus.exe
- PID 216 userplus.exe
- PID 3624 Process not Found

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\plus = "C:\\Windows\\kfjrrveg\\vpauhftihy.exe" (vpauhftihy.exe)

Checks whether UAC is enabled
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (mo332.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (vpauhftihy.exe)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 12: checkip.dyndns.org

Drops file in System32 directory (2 IoCs)
- File created C:\Windows\system32\NlsLexicons00mmx.dll (vpauhftihy.exe)
- File created C:\Windows\system32\NlsLexicons00ssx.dll (vpauhftihy.exe)

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
- PID 2504 mo332.exe
- PID 2844 vpauhftihy.exe

Drops file in Windows directory (11 IoCs)
- File opened for modification C:\Windows\Media\shomll.log (vpauhftihy.exe)
- File created C:\Windows\Media\shomll.log (vpauhftihy.exe)
- File opened for modification C:\Windows\kfjrrveg (mo332.exe)
- File created C:\Windows\kfjrrveg\vpauhftihy.exe (mo332.exe)
- File opened for modification C:\Windows\kfjrrveg\conf.ini (vpauhftihy.exe)
- File created C:\Windows\Setup\Extensionm.dll (vpauhftihy.exe)
- File created C:\Windows\PLA\userplus.exe (vpauhftihy.exe)
- File created C:\Windows\kfjrrveg\Tempvpauhftihy.exe (userplus.exe)
- File opened for modification C:\Windows\Fonts.Lists (vpauhftihy.exe)
- File created C:\Windows\kfjrrveg\conf.ini (vpauhftihy.exe)
- File opened for modification C:\Windows\system\system.log (vpauhftihy.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (mo332.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (vpauhftihy.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ (vpauhftihy.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (vpauhftihy.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid Process 2504 mo332.exe 2504 mo332.exe 2504 mo332.exe 2504 mo332.exe 2844 vpauhftihy.exe 2844 vpauhftihy.exe 2844 vpauhftihy.exe 2844 vpauhftihy.exe 2844 vpauhftihy.exe 2844 vpauhftihy.exe 2844 vpauhftihy.exe 2844 vpauhftihy.exe 2844 vpauhftihy.exe 2844 vpauhftihy.exe 2844 vpauhftihy.exe 2844 vpauhftihy.exe 2844 vpauhftihy.exe 2844 vpauhftihy.exe 2844 vpauhftihy.exe 2844 vpauhftihy.exe 216 userplus.exe 216 userplus.exe 216 userplus.exe 216 userplus.exe 216 userplus.exe 216 userplus.exe 216 userplus.exe 216 userplus.exe 2844 vpauhftihy.exe 2844 vpauhftihy.exe 216 userplus.exe 216 userplus.exe 216 userplus.exe 216 userplus.exe 216 userplus.exe 216 userplus.exe 216 userplus.exe 216 userplus.exe 216 userplus.exe 216 userplus.exe 216 userplus.exe 216 userplus.exe 216 userplus.exe 216 userplus.exe 216 userplus.exe 216 userplus.exe 216 userplus.exe 216 userplus.exe 216 userplus.exe 216 userplus.exe 216 userplus.exe 216 userplus.exe 216 userplus.exe 2844 vpauhftihy.exe 2844 vpauhftihy.exe 216 userplus.exe 216 userplus.exe 216 userplus.exe 216 userplus.exe 216 userplus.exe 216 userplus.exe 216 userplus.exe 216 userplus.exe 216 userplus.exe -
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 2844 vpauhftihy.exe

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 216 userplus.exe

Suspicious use of WriteProcessMemory (11 IoCs)
- PID 2504 mo332.exe wrote to memory of 3548 (procid_target 81)
- PID 2504 mo332.exe wrote to memory of 3548 (procid_target 81)
- PID 2504 mo332.exe wrote to memory of 3548 (procid_target 81)
- PID 3548 cmd.exe wrote to memory of 2844 (procid_target 83)
- PID 3548 cmd.exe wrote to memory of 2844 (procid_target 83)
- PID 3548 cmd.exe wrote to memory of 2844 (procid_target 83)
- PID 2844 vpauhftihy.exe wrote to memory of 640 (procid_target 84)
- PID 2844 vpauhftihy.exe wrote to memory of 640 (procid_target 84)
- PID 2844 vpauhftihy.exe wrote to memory of 640 (procid_target 84)
- PID 640 cmd.exe wrote to memory of 216 (procid_target 86)
- PID 640 cmd.exe wrote to memory of 216 (procid_target 86)

System policy modification (1 TTP, 4 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (mo332.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (vpauhftihy.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (vpauhftihy.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (mo332.exe)
Processes (each process is the parent of the next; depth shown in brackets)

[1] C:\Users\Admin\AppData\Local\Temp\Malware-1-master\mo332.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Malware-1-master\mo332.exe"
    PID: 2504
    - UAC bypass
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification

[2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c "C:\Windows\kfjrrveg\vpauhftihy.exe"
    PID: 3548
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

[3] C:\Windows\kfjrrveg\vpauhftihy.exe
    Command line: C:\Windows\kfjrrveg\vpauhftihy.exe
    PID: 2844
    - UAC bypass
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    - System policy modification

[4] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c "C:\Windows\PLA\userplus.exe"
    PID: 640
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

[5] C:\Windows\PLA\userplus.exe
    Command line: C:\Windows\PLA\userplus.exe
    PID: 216
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (3)
- Virtualization/Sandbox Evasion (2)
Downloads