Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

a930b5698e...76.exe

windows7-x64

8

a930b5698e...76.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    29/11/2022, 03:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a930b5698e8c74b31cf13d47611ad192aa841516e9ba35b4ff1645b59debe876.exe

  • Size

    248KB

  • MD5

    72de072b89b4d53079beaf16c4b50e28

  • SHA1

    57b60afcfee6cf8089234884b25a3041f4ee14a4

  • SHA256

    a930b5698e8c74b31cf13d47611ad192aa841516e9ba35b4ff1645b59debe876

  • SHA512

    d8e88814edd11641d84a28e3c546dbece75e9a9a03fecbb2c2066ec2fb7dc00df3e100079d28c1276f20ccd4529deb4ad28ebc800c7daada41fd6d5b49c773c8

  • SSDEEP

    6144:7uJ//26kJC3oghja3DpYGaYxKrNV0eS0HeMQTtF:lC4gNobaYoN2eS0WZF

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1280
      • C:\Users\Admin\AppData\Local\Temp\a930b5698e8c74b31cf13d47611ad192aa841516e9ba35b4ff1645b59debe876.exe
        "C:\Users\Admin\AppData\Local\Temp\a930b5698e8c74b31cf13d47611ad192aa841516e9ba35b4ff1645b59debe876.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:852
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2BA3.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1696
          • C:\Users\Admin\AppData\Local\Temp\a930b5698e8c74b31cf13d47611ad192aa841516e9ba35b4ff1645b59debe876.exe
            "C:\Users\Admin\AppData\Local\Temp\a930b5698e8c74b31cf13d47611ad192aa841516e9ba35b4ff1645b59debe876.exe"
            4⤵
            • Executes dropped EXE
            PID:624
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:976
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1020
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:1332

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\$$a2BA3.bat
        Filesize

        722B

        MD5

        1afc514cd2476221fa658a970ac077ef

        SHA1

        6b127e185d3c65f2ed9155269df87647dd276e3b

        SHA256

        e229712559c121334db5fbae0ffd0af5fe54312d545a24660166fc2a64d7c340

        SHA512

        269a702c9d3ae4c96127fbe0dd54019e60f864b104e48401f284ddb62fb7d7609a2cb1c53d216c28f870a89e5882a06da2951a68078fdb243bb73da5aaf7000c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\a930b5698e8c74b31cf13d47611ad192aa841516e9ba35b4ff1645b59debe876.exe
        Filesize

        219KB

        MD5

        547ad163f7a06703b439d11c4710d53a

        SHA1

        e22644fb3321d031111b018899fbb3b8fa51a2e1

        SHA256

        21bfa40ebac55a0195dd0323aaba6eab25a4acd49ad3b6252ed77a5556c4928e

        SHA512

        01e30945f77f60f25111d5dc7af858876e6ffc3a84071c1917ffd4b7bff19aa9c7b0cc053aa99d41ba370063bfae6308f040b13f368d31abad1ad0e405b0d51e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\a930b5698e8c74b31cf13d47611ad192aa841516e9ba35b4ff1645b59debe876.exe.exe
        Filesize

        219KB

        MD5

        547ad163f7a06703b439d11c4710d53a

        SHA1

        e22644fb3321d031111b018899fbb3b8fa51a2e1

        SHA256

        21bfa40ebac55a0195dd0323aaba6eab25a4acd49ad3b6252ed77a5556c4928e

        SHA512

        01e30945f77f60f25111d5dc7af858876e6ffc3a84071c1917ffd4b7bff19aa9c7b0cc053aa99d41ba370063bfae6308f040b13f368d31abad1ad0e405b0d51e

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        29KB

        MD5

        b74ebaff81a1ab6d6d71795c0c5247d4

        SHA1

        08e8ed0b70413dda93bac71087cebdda93a8f9a3

        SHA256

        0b6419cc4ffd5710dab5b08c41c9aa240f104680e76a4fdf2d4d57110b0a9922

        SHA512

        fae8d2097638ace772e806dc1a5de7619cb13b6cbbab6c0484178711c07d68b482e0c502fcc0322fedbb06dd1dd781dffa8b0dd68fc8cedcb68c60a3b01d7946

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        29KB

        MD5

        b74ebaff81a1ab6d6d71795c0c5247d4

        SHA1

        08e8ed0b70413dda93bac71087cebdda93a8f9a3

        SHA256

        0b6419cc4ffd5710dab5b08c41c9aa240f104680e76a4fdf2d4d57110b0a9922

        SHA512

        fae8d2097638ace772e806dc1a5de7619cb13b6cbbab6c0484178711c07d68b482e0c502fcc0322fedbb06dd1dd781dffa8b0dd68fc8cedcb68c60a3b01d7946

        Download Submit

      • C:\Windows\rundl132.exe
        Filesize

        29KB

        MD5

        b74ebaff81a1ab6d6d71795c0c5247d4

        SHA1

        08e8ed0b70413dda93bac71087cebdda93a8f9a3

        SHA256

        0b6419cc4ffd5710dab5b08c41c9aa240f104680e76a4fdf2d4d57110b0a9922

        SHA512

        fae8d2097638ace772e806dc1a5de7619cb13b6cbbab6c0484178711c07d68b482e0c502fcc0322fedbb06dd1dd781dffa8b0dd68fc8cedcb68c60a3b01d7946

        Download Submit

      • \Users\Admin\AppData\Local\Temp\a930b5698e8c74b31cf13d47611ad192aa841516e9ba35b4ff1645b59debe876.exe
        Filesize

        219KB

        MD5

        547ad163f7a06703b439d11c4710d53a

        SHA1

        e22644fb3321d031111b018899fbb3b8fa51a2e1

        SHA256

        21bfa40ebac55a0195dd0323aaba6eab25a4acd49ad3b6252ed77a5556c4928e

        SHA512

        01e30945f77f60f25111d5dc7af858876e6ffc3a84071c1917ffd4b7bff19aa9c7b0cc053aa99d41ba370063bfae6308f040b13f368d31abad1ad0e405b0d51e

        Download Submit

      • memory/852-57-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/976-67-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/976-68-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download