Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    156s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/10/2022, 16:37

General

  • Target

    68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe

  • Size

    1.1MB

  • MD5

    04406580f7a56a97734a4e98222e9361

  • SHA1

    486c6f5cbc0e63ff623aae5508e047b2ed99b1ed

  • SHA256

    68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e

  • SHA512

    69248fb6ac33541cbf0b30bf3db7fc78a97bb6faf401620b40c99b3de0385f714c2a17b007b8d841baa0c7a984432b3c3dde0befcef6434a170a2a7084997d25

  • SSDEEP

    12288:L3N4qOPajQUXXP8QvLWFx6Mo5rippDC7ee1hpls4Ey+g:L3N4najQEPnvg6PhWDC750g

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3024
      • C:\Users\Admin\AppData\Local\Temp\68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
        "C:\Users\Admin\AppData\Local\Temp\68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4652
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4440
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:204
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a2105.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4032
            • C:\Users\Admin\AppData\Local\Temp\68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
              "C:\Users\Admin\AppData\Local\Temp\68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:1840
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 1404
                5⤵
                • Program crash
                PID:4952
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Drops startup file
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3432
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4532
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:1940
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2404
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:3040
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1840 -ip 1840
            1⤵
              PID:4420

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\$$a2105.bat

              Filesize

              722B

              MD5

              d446e4f926f251fff2fb7a64c70d6738

              SHA1

              2d1a671e2c0ba899813954cd1ce1e66d10f343b7

              SHA256

              eff6722a97904e80c52ea96be88f14a2ee1ea3bd4f4e11c35b1e64ac1cee13ba

              SHA512

              d1860070c5acba3ba7a9a3754b5805ad8c4fc66ebc9939b9ca54bc047d3ed70d4437b557f021e2f0e67027e03cf4d74110ebf26b3ca8758309a709a56d89332a

            • C:\Users\Admin\AppData\Local\Temp\68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe

              Filesize

              1.1MB

              MD5

              b0375fadbb808beaf33971aa2b1b56e2

              SHA1

              2b978167e0b264e7dd3484c61df8b31799f6867f

              SHA256

              92efe448504a68a44bdcdccad6c903580900a32977ef65b9af229f972551df33

              SHA512

              8e75fbda817d0c57e1206dbc689a0f2e2fc84f6af5774e0679c8b6088691b48e0399135b3ca9f530ded10a54ba84078f9b39060c54595b5ddd910b959a4f9d58

            • C:\Users\Admin\AppData\Local\Temp\68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe.exe

              Filesize

              1.1MB

              MD5

              b0375fadbb808beaf33971aa2b1b56e2

              SHA1

              2b978167e0b264e7dd3484c61df8b31799f6867f

              SHA256

              92efe448504a68a44bdcdccad6c903580900a32977ef65b9af229f972551df33

              SHA512

              8e75fbda817d0c57e1206dbc689a0f2e2fc84f6af5774e0679c8b6088691b48e0399135b3ca9f530ded10a54ba84078f9b39060c54595b5ddd910b959a4f9d58

            • C:\Windows\Logo1_.exe

              Filesize

              33KB

              MD5

              fda93e69b1fe9e9ba2bf9faef22b6829

              SHA1

              f782afc8aae08a93a4e7d444efc680d17fce002b

              SHA256

              180298bb40291e89cd0a6d4526b1f694f5f2b579f36d6eab9ae9fd1925785739

              SHA512

              91e0c39c4890a1a49082bbf14e2ba553bf8f563805b265892e2c985bccff2e266e5e81e298bfb37b16b6468ccb6064e564d11794cf06e4d9d094a58af0ca19f6

            • C:\Windows\Logo1_.exe

              Filesize

              33KB

              MD5

              fda93e69b1fe9e9ba2bf9faef22b6829

              SHA1

              f782afc8aae08a93a4e7d444efc680d17fce002b

              SHA256

              180298bb40291e89cd0a6d4526b1f694f5f2b579f36d6eab9ae9fd1925785739

              SHA512

              91e0c39c4890a1a49082bbf14e2ba553bf8f563805b265892e2c985bccff2e266e5e81e298bfb37b16b6468ccb6064e564d11794cf06e4d9d094a58af0ca19f6

            • C:\Windows\rundl132.exe

              Filesize

              33KB

              MD5

              fda93e69b1fe9e9ba2bf9faef22b6829

              SHA1

              f782afc8aae08a93a4e7d444efc680d17fce002b

              SHA256

              180298bb40291e89cd0a6d4526b1f694f5f2b579f36d6eab9ae9fd1925785739

              SHA512

              91e0c39c4890a1a49082bbf14e2ba553bf8f563805b265892e2c985bccff2e266e5e81e298bfb37b16b6468ccb6064e564d11794cf06e4d9d094a58af0ca19f6

            • memory/3432-140-0x0000000000400000-0x000000000043E000-memory.dmp

              Filesize

              248KB

            • memory/3432-150-0x0000000000400000-0x000000000043E000-memory.dmp

              Filesize

              248KB

            • memory/4652-132-0x0000000000400000-0x000000000043E000-memory.dmp

              Filesize

              248KB

            • memory/4652-139-0x0000000000400000-0x000000000043E000-memory.dmp

              Filesize

              248KB