Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/02/2025, 20:16

General

  • Target

    $PLUGINSDIR/hao123inst-egypt.exe

  • Size

    1.2MB

  • MD5

    c1392f10fbeafb4c15693add92e92961

  • SHA1

    24eacadaf8910146b00a3b6146fad19e11bff03b

  • SHA256

    051af720d19a480a6e54beadcf3947ec08ac555bdff69a477478ecfe97ba0ba0

  • SHA512

    a41a3a2681861af7b06c6ead0c8a5b73210d72d6cfc283ac1c9316a3205f47192a6c737a33ff9c44c554b4ff95b68474cf9fa5e28df1c531fb5cd7337816c353

  • SSDEEP

    24576:Z/vxuUOf5Hl2lHwJ4PEZB4gbZLPEZo74gbZm:ZHqf55IEZB4gbZzEZC4gbZm

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and similar profile data.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1248
      • C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\hao123inst-egypt.exe
        "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\hao123inst-egypt.exe"
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2828
        • C:\Users\Admin\AppData\Roaming\baidu\hao123-ar\hao123.1.0.0.1103.exe
          first_exec_from_inst
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:572

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\hao123.lnk

      Filesize

      944B

      MD5

      1bca5b1edba8f9bd4ffb794e81d30621

      SHA1

      de98a609115624962c9696b98f6cb2c56232007c

      SHA256

      6abf566b9024bcf1d52e33e0f8269b317284866488f11abe21adf91315b562da

      SHA512

      036c7b0cb16e99e8e59738259a5f8eedddcaf797fe8a4b72ce473cc0a7f1468d1c85109ec09b975776156a5629d8b9fbab56a3954d450f387a0f6262bc2a4113

    • C:\Users\Admin\Desktop\hao123.lnk

      Filesize

      992B

      MD5

      30a48520887f0aaceebfc5093c153437

      SHA1

      ce035b41c9837701f54844c69f620c68c940007b

      SHA256

      7cb4827777ad30c921a00b9beaefe3851aa1128f7fd910a90d66deef159364d8

      SHA512

      e0176784ab319a0d91159b74dfd46b2c1e8b82a18cc85422bd2af3a00d8013dfdb14f63f4a5bc1ac581eb1d3681914e655b73574ac67bc2b09fd5d22d043ba9f

    • \Users\Admin\AppData\Roaming\baidu\hao123-ar\hao123.1.0.0.1103.exe

      Filesize

      540KB

      MD5

      36d4f7773dae56f5cf766030256db486

      SHA1

      83172271d09bf1ed1b392063e7d0b475ea3a7ca0

      SHA256

      81a787620af1fe74f0a2612b113a4604f92525bac24c88fc2637260ea9ae6739

      SHA512

      8c538c3d4e6205dda2f53b8037c1d37d1893a8931155af5bb1bbec4fa9fa4b78aea05c3adff1b036dadfccf8ea9252c195920756a43062c2e8426c5b3a219af9

    • memory/572-59-0x000000006FFF0000-0x0000000070000000-memory.dmp

      Filesize

      64KB

    • memory/572-61-0x0000000002630000-0x0000000002632000-memory.dmp

      Filesize

      8KB

    • memory/1248-62-0x0000000003230000-0x0000000003231000-memory.dmp

      Filesize

      4KB