Analysis

  • max time kernel
    160s
  • max time network
    168s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20220812-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    30/10/2022, 20:21

General

  • Target

    495abc8b9300ed9546bd4c8e0fbd9db681b5d4fc9930aff79af2a86928b90db1.exe

  • Size

    431KB

  • MD5

    916fa6842739dfa6ac86a2ed5b327fd0

  • SHA1

    19e0c9550b394466120daa26ca7b93de38dc7a24

  • SHA256

    495abc8b9300ed9546bd4c8e0fbd9db681b5d4fc9930aff79af2a86928b90db1

  • SHA512

    8b7a9320cb9016b612481ad63f45150dd5cf2b511246e48983f20f912e51c89350a8548ae51986df148633742e12c4ebf1108c1a7f0f922fbdec8f1b44133985

  • SSDEEP

    6144:B+aX3u6gT9op9A6TyE3ktD2OILj6c1EpQ+mpGS4nbGdLnVsT6szo0naGI:B+a9gx1yLbmpQ+AGSqb+IPaGI

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3044
      • C:\Users\Admin\AppData\Local\Temp\495abc8b9300ed9546bd4c8e0fbd9db681b5d4fc9930aff79af2a86928b90db1.exe
        "C:\Users\Admin\AppData\Local\Temp\495abc8b9300ed9546bd4c8e0fbd9db681b5d4fc9930aff79af2a86928b90db1.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1164
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3836
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2368
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a2625.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:5116
            • C:\Users\Admin\AppData\Local\Temp\495abc8b9300ed9546bd4c8e0fbd9db681b5d4fc9930aff79af2a86928b90db1.exe
              "C:\Users\Admin\AppData\Local\Temp\495abc8b9300ed9546bd4c8e0fbd9db681b5d4fc9930aff79af2a86928b90db1.exe"
              4⤵
              • Executes dropped EXE
              PID:5028
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2980
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:956
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:4968
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2992
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:4512
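
Detection logic for the chain above, as an added example that is not part of the Triage report or its tooling. The sample kills "Kingsoft AntiVirus Service" through net.exe (which delegates to net1.exe, so the service name appears on two processes per stop), re-launches itself through a cmd.exe /c batch file in Temp, drops Logo1_.exe and rundl132.exe directly into C:\Windows, and leaves a copy of itself with a doubled .exe.exe extension. The name rundl132.exe imitates rundll32.exe with the digit 1 standing in for the letter l. The events below are constructed by hand from the process tree and the Downloads list on this page; their field names and shape (pid, ppid, image, cmd for process creation; pid, path for file creation) are an assumption loosely modelled on Sysmon events, which process wrote which dropped file is assumed, and the keyword list and allowlists are partial and chosen for this example.

```python
"""Behavioural detections for the execution chain in the report above.

Added example, not Triage output or code. Events are constructed from the
process tree and Downloads list on this page; their shape is an assumption
loosely modelled on Sysmon, as is which process wrote which dropped file.
"""
import re
from typing import Dict, Iterator, List, Optional, Tuple

SAMPLE = "495abc8b9300ed9546bd4c8e0fbd9db681b5d4fc9930aff79af2a86928b90db1.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = TEMP + "\\" + SAMPLE

# Constructed process-create events (pid, parent pid, image path, command line).
PROCESS_EVENTS: List[Dict] = [
    {"pid": 3044, "ppid": 0, "image": r"C:\Windows\Explorer.EXE", "cmd": r"C:\Windows\Explorer.EXE"},
    {"pid": 1164, "ppid": 3044, "image": SAMPLE_PATH, "cmd": f'"{SAMPLE_PATH}"'},
    {"pid": 3836, "ppid": 1164, "image": r"C:\Windows\SysWOW64\net.exe", "cmd": 'net stop "Kingsoft AntiVirus Service"'},
    {"pid": 2368, "ppid": 3836, "image": r"C:\Windows\SysWOW64\net1.exe", "cmd": r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'},
    {"pid": 5116, "ppid": 1164, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmd": "C:\\Windows\\system32\\cmd.exe /c " + TEMP + "\\$$a2625.bat"},
    {"pid": 5028, "ppid": 5116, "image": SAMPLE_PATH, "cmd": f'"{SAMPLE_PATH}"'},
    {"pid": 2980, "ppid": 1164, "image": r"C:\Windows\Logo1_.exe", "cmd": r"C:\Windows\Logo1_.exe"},
    {"pid": 956, "ppid": 2980, "image": r"C:\Windows\SysWOW64\net.exe", "cmd": 'net stop "Kingsoft AntiVirus Service"'},
    {"pid": 4968, "ppid": 956, "image": r"C:\Windows\SysWOW64\net1.exe", "cmd": r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'},
    {"pid": 2992, "ppid": 2980, "image": r"C:\Windows\SysWOW64\net.exe", "cmd": 'net stop "Kingsoft AntiVirus Service"'},
    {"pid": 4512, "ppid": 2992, "image": r"C:\Windows\SysWOW64\net1.exe", "cmd": r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'},
]

# Constructed file-create events; the writer pid of each dropped file is assumed.
FILE_EVENTS: List[Dict] = [
    {"pid": 1164, "path": TEMP + "\\$$a2625.bat"},
    {"pid": 1164, "path": r"C:\Windows\Logo1_.exe"},
    {"pid": 5116, "path": SAMPLE_PATH + ".exe"},
    {"pid": 2980, "path": r"C:\Windows\rundl132.exe"},
]

# Service-name fragments that suggest a security product (partial list, an assumption).
AV_KEYWORDS = ("antivirus", "anti-virus", "defender", "security", "protect")
# Executables legitimately found directly in C:\Windows (partial allowlist, an assumption).
WINDOWS_ROOT_ALLOWLIST = {"explorer.exe", "notepad.exe", "regedit.exe", "write.exe", "hh.exe", "splwow64.exe", "winhlp32.exe"}
# System binaries whose names get imitated, and the directories the real ones live in.
MASQUERADE_TARGETS = {"rundll32.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
_STOP_RE = re.compile(r'\bstop\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
_TEMP_BAT_RE = re.compile(r"/c\s+\S*\\AppData\\Local\\Temp\\[^\\\s]+\.bat\b", re.IGNORECASE)
_CONFUSABLES = str.maketrans({"1": "l", "0": "o"})  # digits that pass for letters


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def stopped_service(cmd: str) -> Optional[str]:
    """Service name given to `net stop` / `net1 stop`, quoted or bare; None if no stop."""
    m = _STOP_RE.search(cmd)
    return (m.group(1) or m.group(2)) if m else None


def check_masquerade(path: str) -> Optional[str]:
    """System binary this file name imitates (typosquat, or real name outside System32), else None."""
    name = basename(path)
    folded = name.translate(_CONFUSABLES)  # rundl132.exe -> rundll32.exe
    if folded in MASQUERADE_TARGETS and (folded != name or dirname(path) not in SYSTEM_DIRS):
        return folded
    return None


def _ancestors(event: Dict, by_pid: Dict[int, Dict]) -> Iterator[Dict]:
    seen = set()
    parent = by_pid.get(event["ppid"])
    while parent and parent["pid"] not in seen:
        seen.add(parent["pid"])
        yield parent
        parent = by_pid.get(parent["ppid"])


def detect(process_events: List[Dict], file_events: List[Dict]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, detail) findings over the constructed events."""
    by_pid = {e["pid"]: e for e in process_events}
    findings: List[Tuple[str, int, str]] = []
    for e in process_events:
        name, image = basename(e["image"]), e["image"].lower()
        # net.exe hands the work to net1.exe, so each stop produces two matching processes.
        if name in ("net.exe", "net1.exe"):
            svc = stopped_service(e["cmd"])
            if svc and any(k in svc.lower() for k in AV_KEYWORDS):
                findings.append(("av_service_stop", e["pid"], svc))
        # A non-allowlisted executable running straight out of C:\Windows (not a subfolder).
        if dirname(image) == r"c:\windows" and name not in WINDOWS_ROOT_ALLOWLIST:
            findings.append(("exe_in_windows_root", e["pid"], e["image"]))
        # cmd.exe /c running a batch file from the user's Temp directory.
        if name == "cmd.exe" and _TEMP_BAT_RE.search(e["cmd"]):
            findings.append(("temp_batch_via_cmd", e["pid"], e["cmd"]))
        # Same image re-launched through an intermediary (here: sample -> cmd.exe -> sample).
        lineage = list(_ancestors(e, by_pid))
        if any(a["image"].lower() == image for a in lineage[1:]):
            findings.append(("relaunch_via_intermediary", e["pid"], f"via pid {lineage[0]['pid']}"))
    for f in file_events:
        path, name = f["path"], basename(f["path"])
        target = check_masquerade(path)
        if target:
            findings.append(("system_binary_lookalike", f["pid"], f"{path} ~ {target}"))
        if dirname(path) == r"c:\windows" and name.endswith(".exe") and name not in WINDOWS_ROOT_ALLOWLIST:
            findings.append(("exe_dropped_in_windows_root", f["pid"], path))
        if name.endswith(".exe.exe"):  # the sample copied to "<name>.exe.exe"
            findings.append(("double_extension_copy", f["pid"], path))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(PROCESS_EVENTS, FILE_EVENTS):
        print(f"{rule:28} pid={pid:<5} {detail}")
```

Run stand-alone it prints one line per finding: six av_service_stop hits (three net.exe/net1.exe pairs), Logo1_.exe both executing and being dropped in the Windows root, the Temp batch via cmd.exe, the re-launch of the sample under PID 5028, the rundl132.exe lookalike, and the .exe.exe copy. The confusable fold is what catches rundl132.exe: after mapping 1 to l it equals rundll32.exe, which never legitimately sits in C:\Windows itself. The allowlists and keyword list are deliberately small; in production they would be populated from a known-good inventory of the target build rather than hard-coded.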

          Network

          MITRE ATT&CK Enterprise v6

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\$$a2625.bat

            Filesize

            722B

            MD5

            e3e8968868d7e53f92f3ced149f56ec1

            SHA1

            0af9d5c458cc8961f4801f9a803e25cd47ed82fd

            SHA256

            5c49f94ca59f7b2a15ebe0b0ccbb874c0c97a540b027df61d5fe4cbf195d349a

            SHA512

            54da405889902ec9879d4a6ecbdb0db738122daeedfc9dc71cddca77a443a7cd3540115a8206d8a5fb7d24e6b30155315b981966e959900eae3720f86ca2d6c5

          • C:\Users\Admin\AppData\Local\Temp\495abc8b9300ed9546bd4c8e0fbd9db681b5d4fc9930aff79af2a86928b90db1.exe

            Filesize

            398KB

            MD5

            ffefff1799d19de8f8d240bfc945775f

            SHA1

            2b77461bfaab6ee9d0dae522922865a0d6fbddd7

            SHA256

            6f20af99781fb61bd199c9594db183d972779d8543cd0d006c2fa63ed9c76c42

            SHA512

            307aeb0c1c24eae962fb5cec1276786abfa1a02141cd4195e25136c05191ec0f36598b441b8776ad094ce6c5fc2865ba76d318b6d8be1ef8866724622f48688e

          • C:\Users\Admin\AppData\Local\Temp\495abc8b9300ed9546bd4c8e0fbd9db681b5d4fc9930aff79af2a86928b90db1.exe.exe

            Filesize

            398KB

            MD5

            ffefff1799d19de8f8d240bfc945775f

            SHA1

            2b77461bfaab6ee9d0dae522922865a0d6fbddd7

            SHA256

            6f20af99781fb61bd199c9594db183d972779d8543cd0d006c2fa63ed9c76c42

            SHA512

            307aeb0c1c24eae962fb5cec1276786abfa1a02141cd4195e25136c05191ec0f36598b441b8776ad094ce6c5fc2865ba76d318b6d8be1ef8866724622f48688e

          • C:\Windows\Logo1_.exe

            Filesize

            33KB

            MD5

            83bea2b007b8fd1813be2345a1292546

            SHA1

            5fd98e2a3cdcb930daeeb83f5e1140164ae8ee2b

            SHA256

            f18b6f11abf725756e86ff9c1baf7b8d35afb45e259ab0d79529d6292e14879f

            SHA512

            8ae46e92738289d2479ba9fecc7d4d484323d202acb796fa940933c8b63d978aaf9705f2d637be8665cdf1ba0eb6f3857f6d3cd60ed46ad7e94021d5153cba9a

          • C:\Windows\rundl132.exe

            Filesize

            33KB

            MD5

            83bea2b007b8fd1813be2345a1292546

            SHA1

            5fd98e2a3cdcb930daeeb83f5e1140164ae8ee2b

            SHA256

            f18b6f11abf725756e86ff9c1baf7b8d35afb45e259ab0d79529d6292e14879f

            SHA512

            8ae46e92738289d2479ba9fecc7d4d484323d202acb796fa940933c8b63d978aaf9705f2d637be8665cdf1ba0eb6f3857f6d3cd60ed46ad7e94021d5153cba9a

          • memory/1164-134-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

          • memory/1164-141-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

          • memory/1164-132-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

          • memory/2980-145-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

          • memory/2980-152-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

          • memory/5028-148-0x0000000000400000-0x0000000000469000-memory.dmp

            Filesize

            420KB