Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

Instagram ....1.exe

windows11-21h2-x64

10

Instagram ...gn.dll

windows11-21h2-x64

1

Instagram ...ts.dll

windows11-21h2-x64

1

Instagram ...rk.dll

windows11-21h2-x64

1

Instagram ...ip.dll

windows11-21h2-x64

1

Instagram ...CE.zip

windows11-21h2-x64

1

Instagram ...er.exe

windows11-21h2-x64

8

Instagram ...gn.dll

windows11-21h2-x64

1

Instagram ...ts.dll

windows11-21h2-x64

1

Instagram ...rk.dll

windows11-21h2-x64

1

Instagram ...et.dll

windows11-21h2-x64

1

Instagram ...ml.exe

windows11-21h2-x64

10

Instagram ...op.ini

windows11-21h2-x64

3

Instagram ...an.txt

windows11-21h2-x64

3

Instagram ...et.dll

windows11-21h2-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    30/01/2025, 17:59 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Instagram Account Checker By Amir v0.1/SHELL/Launcher.exe

  • Size

    53KB

  • MD5

    c6d4c881112022eb30725978ecd7c6ec

  • SHA1

    ba4f96dc374195d873b3eebdb28b633d9a1c5bf5

  • SHA256

    0d87b9b141a592711c52e7409ec64de3ab296cddc890be761d9af57cea381b32

  • SHA512

    3bece10b65dfda69b6defbf50d067a59d1cd1db403547fdf28a4cbc87c4985a4636acfcff8300bd77fb91f2693084634d940a91517c33b5425258835ab990981

  • SSDEEP

    768:FKtnBTTQi/YqMFlVt52ftDhKeoNzZq8OujxUu5XEAb4b9yvMzUV5:qBTUgYFveDRuFEAb4b99QV5

Score
8/10
discoveryexecutionpersistence

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Instagram Account Checker By Amir v0.1\SHELL\Launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\Instagram Account Checker By Amir v0.1\SHELL\Launcher.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1336
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Windows\IMF\
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2628
    • C:\Windows\IMF\Windows Services.exe
      "C:\Windows\IMF\Windows Services.exe" {Arguments If Needed}
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1388
      • C:\Windows\IMF\Secure System Shell.exe
        "C:\Windows\IMF\Secure System Shell.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2208
      • C:\Windows\IMF\Runtime Explorer.exe
        "C:\Windows\IMF\Runtime Explorer.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:460

Network

  • flag-us
    DNS
    14.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    63.141.182.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    63.141.182.52.in-addr.arpa
    IN PTR
    Response
No results found
  • 8.8.8.8:53
    14.227.111.52.in-addr.arpa
    dns
    144 B
     304 B
     2
    2

    DNS Request

    14.227.111.52.in-addr.arpa

    DNS Request

    63.141.182.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oarpeh4y.muq.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Windows\IMF\Runtime Explorer.exe
    Filesize

    128KB

    MD5

    48ce06f77a388b177c1734917c90680b

    SHA1

    90535ec2ab9335e02c322353dca8fae456ad9932

    SHA256

    4b18fc549b933c2d202a5ce684a062cb4c68c3ecdc695b83b365e0149c2d2a25

    SHA512

    64c05e79886af83d123c29dfcab40dc979e4aab1869543fbf97629fa6148eb5c08233b0cdade82b7c96db51d9b073b2712e5f044cf6ee9619bf9307fc71763bf

    Download Submit

  • C:\Windows\IMF\Secure System Shell.exe
    Filesize

    45KB

    MD5

    7d0c7359e5b2daa5665d01afdc98cc00

    SHA1

    c3cc830c8ffd0f53f28d89dcd9f3426be87085cb

    SHA256

    f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809

    SHA512

    a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407

    Download Submit

  • C:\Windows\IMF\Windows Services.exe
    Filesize

    46KB

    MD5

    ad0ce1302147fbdfecaec58480eb9cf9

    SHA1

    874efbc76e5f91bc1425a43ea19400340f98d42b

    SHA256

    2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3

    SHA512

    adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53

    Download Submit

  • memory/1336-62-0x00000000068F0000-0x000000000690E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1336-5-0x0000000074E80000-0x0000000075631000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1336-6-0x0000000005CD0000-0x0000000005D4E000-memory.dmp

    Filesize

    504KB

    Download

  • memory/1336-7-0x0000000074E80000-0x0000000075631000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1336-81-0x0000000074E80000-0x0000000075631000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1336-0-0x0000000074E8E000-0x0000000074E8F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1336-4-0x0000000003010000-0x000000000301A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1336-3-0x00000000054A0000-0x0000000005532000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1336-48-0x0000000006910000-0x0000000006986000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1336-2-0x0000000005D90000-0x0000000006336000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1336-1-0x0000000000AE0000-0x0000000000AF4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1388-78-0x0000000000220000-0x0000000000232000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2208-89-0x0000000000BA0000-0x0000000000BB2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2628-11-0x0000000074E80000-0x0000000075631000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2628-65-0x0000000074E80000-0x0000000075631000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2628-26-0x0000000005E70000-0x0000000005EBC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2628-24-0x0000000005960000-0x0000000005CB7000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2628-14-0x0000000005690000-0x00000000056F6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2628-50-0x0000000070070000-0x00000000700BC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2628-49-0x0000000006DE0000-0x0000000006E14000-memory.dmp

    Filesize

    208KB

    Download

  • memory/2628-61-0x0000000074E80000-0x0000000075631000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2628-60-0x0000000006E20000-0x0000000006EC4000-memory.dmp

    Filesize

    656KB

    Download

  • memory/2628-59-0x0000000006400000-0x000000000641E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2628-20-0x00000000057F0000-0x0000000005856000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2628-13-0x0000000004F80000-0x0000000004FA2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2628-12-0x0000000074E80000-0x0000000075631000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2628-25-0x0000000005E20000-0x0000000005E3E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2628-80-0x0000000007180000-0x000000000719A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2628-79-0x00000000077C0000-0x0000000007E3A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2628-10-0x0000000005060000-0x000000000568A000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2628-8-0x00000000049F0000-0x0000000004A26000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2628-82-0x0000000007200000-0x000000000720A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2628-83-0x0000000007410000-0x00000000074A6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/2628-84-0x0000000007390000-0x00000000073A1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2628-9-0x0000000074E80000-0x0000000075631000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2628-92-0x00000000073C0000-0x00000000073CE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2628-93-0x00000000073D0000-0x00000000073E5000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2628-94-0x00000000074D0000-0x00000000074EA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2628-95-0x00000000074C0000-0x00000000074C8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2628-98-0x0000000074E80000-0x0000000075631000-memory.dmp

    Filesize

    7.7MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.