Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

83210f152a...55.exe

windows7-x64

8

83210f152a...55.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    176s
  • max time network
    181s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/11/2022, 20:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    83210f152adb2e903a58d8c9d7edc14a5f28420ccaa1928e720667fb361f2c55.exe

  • Size

    656KB

  • MD5

    00b7c65ca3b12ad7a444a5b44da56220

  • SHA1

    00a4f28d98dc8b39cfb1ee8d6d2215b85517c7cb

  • SHA256

    83210f152adb2e903a58d8c9d7edc14a5f28420ccaa1928e720667fb361f2c55

  • SHA512

    889c369ab3c8265c44762c37bd84ccc431d559e5c914dc99822cb060f3412190204f29832481abf1cc5b4ce257636dd50d7e786b7075e6c47cf403e2118c4edb

  • SSDEEP

    12288:0+a5ShViVnhiAEZFkQWLTMrq2yh+SQPHNYnUDBcvODK6ZTbkYFHWJa:0BQhViVn4AEZa1Gq2HPNMUSODNZTL2c

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:2592
      • C:\Users\Admin\AppData\Local\Temp\83210f152adb2e903a58d8c9d7edc14a5f28420ccaa1928e720667fb361f2c55.exe
        "C:\Users\Admin\AppData\Local\Temp\83210f152adb2e903a58d8c9d7edc14a5f28420ccaa1928e720667fb361f2c55.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2092
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:968
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:4308
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aEA.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1060
            • C:\Users\Admin\AppData\Local\Temp\83210f152adb2e903a58d8c9d7edc14a5f28420ccaa1928e720667fb361f2c55.exe
              "C:\Users\Admin\AppData\Local\Temp\83210f152adb2e903a58d8c9d7edc14a5f28420ccaa1928e720667fb361f2c55.exe"
              4⤵
              • Executes dropped EXE
              PID:5020
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:5092
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1376
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:4032
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1316
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:4312

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\$$aEA.bat
            Filesize

            720B

            MD5

            20808c56d0ec81d5c5bed82878a90169

            SHA1

            59aab6cf22029232e5b2967553c782d0fc4129d9

            SHA256

            88af518946c0efed7cfc550bea2cb7ec538c921b74e9e21e44e94af934e1ccba

            SHA512

            fe1b47986a2aa6ddee964371db434539479ac0313d3f46d6dc0000e5181af4d806ed874cadfa4e95d2fff7cf7c8e5dfb60bdbf1b7f9d8a77eccf09968bd24f1c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\83210f152adb2e903a58d8c9d7edc14a5f28420ccaa1928e720667fb361f2c55.exe
            Filesize

            623KB

            MD5

            e5ca2ebcf1d6ecb6dacef20fcde132e9

            SHA1

            bc3ad7d5b426535604b3573c960efb12cbb5d8f4

            SHA256

            6f952b39c013fced1686cf6fbcd2a7bc75d947629e3b9e5dbc7aceb7786d145f

            SHA512

            747f6b70524c10149111d0b1a0c5fc8224c324ea8e6914c511b002b6542d19cba460f9fdf77d97a2d6148f725d4e27d413f8406408ffb659b4644cace14ae1c7

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\83210f152adb2e903a58d8c9d7edc14a5f28420ccaa1928e720667fb361f2c55.exe.exe
            Filesize

            623KB

            MD5

            e5ca2ebcf1d6ecb6dacef20fcde132e9

            SHA1

            bc3ad7d5b426535604b3573c960efb12cbb5d8f4

            SHA256

            6f952b39c013fced1686cf6fbcd2a7bc75d947629e3b9e5dbc7aceb7786d145f

            SHA512

            747f6b70524c10149111d0b1a0c5fc8224c324ea8e6914c511b002b6542d19cba460f9fdf77d97a2d6148f725d4e27d413f8406408ffb659b4644cace14ae1c7

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            6a6f427787f08bc9dd4011586840fea6

            SHA1

            bfdd466f2766de3873ea7fd8e0c11c4c15c67a2b

            SHA256

            10681f0d26abaa23bfc8f2aff9729f656ae9fefbf74e842a89529555b1d64c6c

            SHA512

            2bc15635aef97dba954a481b3f294e81348cd28aa238d5521d9e6bd9a66a378217460106bc0b301cb46e2a0fc0aee6e1a132cfe17eed87f2b6fe24fe699cd82b

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            6a6f427787f08bc9dd4011586840fea6

            SHA1

            bfdd466f2766de3873ea7fd8e0c11c4c15c67a2b

            SHA256

            10681f0d26abaa23bfc8f2aff9729f656ae9fefbf74e842a89529555b1d64c6c

            SHA512

            2bc15635aef97dba954a481b3f294e81348cd28aa238d5521d9e6bd9a66a378217460106bc0b301cb46e2a0fc0aee6e1a132cfe17eed87f2b6fe24fe699cd82b

            Download Submit

          • C:\Windows\rundl132.exe
            Filesize

            33KB

            MD5

            6a6f427787f08bc9dd4011586840fea6

            SHA1

            bfdd466f2766de3873ea7fd8e0c11c4c15c67a2b

            SHA256

            10681f0d26abaa23bfc8f2aff9729f656ae9fefbf74e842a89529555b1d64c6c

            SHA512

            2bc15635aef97dba954a481b3f294e81348cd28aa238d5521d9e6bd9a66a378217460106bc0b301cb46e2a0fc0aee6e1a132cfe17eed87f2b6fe24fe699cd82b

            Download Submit

          • memory/2092-139-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2092-134-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/5092-146-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/5092-150-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download