Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

e897278899...1a.exe

windows7-x64

8

e897278899...1a.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    51s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    02/12/2022, 00:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e8972788991eda9e3d2145eca63c4a1082adb3db8a45f40aa46fc13f6834961a.exe

  • Size

    575KB

  • MD5

    424a3d376fef29b33eb0db07ab1b420a

  • SHA1

    9bc87cc0596eaf218fdd1086fd2cd78e37449f32

  • SHA256

    e8972788991eda9e3d2145eca63c4a1082adb3db8a45f40aa46fc13f6834961a

  • SHA512

    8ab47253a52d606bafd19a9535245c8769a650093c0520b694ccbd615e4990893eab7939fbdf2dc309dd05753a3255a1a8b0774ba616a8b7b026f4c4881f6c9d

  • SSDEEP

    6144:PVfjmNJbxaxzLu0Xz5WM7z6VVbwbyiKs/HPQhoYewxmQSENzC8Kwgb8:97+J41hz6VVMb0O8c8

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1212
      • C:\Users\Admin\AppData\Local\Temp\e8972788991eda9e3d2145eca63c4a1082adb3db8a45f40aa46fc13f6834961a.exe
        "C:\Users\Admin\AppData\Local\Temp\e8972788991eda9e3d2145eca63c4a1082adb3db8a45f40aa46fc13f6834961a.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1308
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a6B6.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1356
          • C:\Users\Admin\AppData\Local\Temp\e8972788991eda9e3d2145eca63c4a1082adb3db8a45f40aa46fc13f6834961a.exe
            "C:\Users\Admin\AppData\Local\Temp\e8972788991eda9e3d2145eca63c4a1082adb3db8a45f40aa46fc13f6834961a.exe"
            4⤵
            • Executes dropped EXE
            PID:916
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1204
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:556
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:1764

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\$$a6B6.bat
        Filesize

        721B

        MD5

        a14e16c6e5dd751ec304de92ef40cd5b

        SHA1

        42e95de858d9f145a358cc9da47f5e67a77ba3b8

        SHA256

        d4a27825ef378fd4f38f0e89f3985229e5e9c952360ab72f0518ae9c81c9a98d

        SHA512

        59fd68c63eafd09342ea27aa000c37906cf424709bfbe0d995ba04e244529d77fc820d102bb3e8ddb25eea861460271924d4be609544d9dfc15ed50f59bcc44c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\e8972788991eda9e3d2145eca63c4a1082adb3db8a45f40aa46fc13f6834961a.exe
        Filesize

        549KB

        MD5

        3f60ff27fa222e95795f6a15514f6af9

        SHA1

        fe89d4dd69fe3b0bb824928f4c93be0c3c951dd0

        SHA256

        ff48f7e1b80e7d20d8daa44a6f4d6acc248e6c65bec0d0f81ff7e8961b3dd4de

        SHA512

        ed25c588300bd9a6fcbf5ff4e48710a571d0637cb2c2cf599708bffab4cac1e8ad997b4214bcdc31dbcadbf3da12d13571feab3af2d8a72b6370a18b4aa7a3bf

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\e8972788991eda9e3d2145eca63c4a1082adb3db8a45f40aa46fc13f6834961a.exe.exe
        Filesize

        549KB

        MD5

        3f60ff27fa222e95795f6a15514f6af9

        SHA1

        fe89d4dd69fe3b0bb824928f4c93be0c3c951dd0

        SHA256

        ff48f7e1b80e7d20d8daa44a6f4d6acc248e6c65bec0d0f81ff7e8961b3dd4de

        SHA512

        ed25c588300bd9a6fcbf5ff4e48710a571d0637cb2c2cf599708bffab4cac1e8ad997b4214bcdc31dbcadbf3da12d13571feab3af2d8a72b6370a18b4aa7a3bf

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        c6492befa5393b1a32402e84331b39ff

        SHA1

        c0958e4984463d37d236c5d4f2bad8bea5deeb96

        SHA256

        3cc6397951b24e26f6239d575174708ff1e13eb29492ee1de79ed3bb4c1d0030

        SHA512

        52c11947409c435e28f62ddb08124a4e027db0bf89460c3d2d569c7958fece03bbda9750f5a79a066c2dba7ecca4692eb09a340ebc893e58234a1bf1018de2a0

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        c6492befa5393b1a32402e84331b39ff

        SHA1

        c0958e4984463d37d236c5d4f2bad8bea5deeb96

        SHA256

        3cc6397951b24e26f6239d575174708ff1e13eb29492ee1de79ed3bb4c1d0030

        SHA512

        52c11947409c435e28f62ddb08124a4e027db0bf89460c3d2d569c7958fece03bbda9750f5a79a066c2dba7ecca4692eb09a340ebc893e58234a1bf1018de2a0

        Download Submit

      • C:\Windows\rundl132.exe
        Filesize

        26KB

        MD5

        c6492befa5393b1a32402e84331b39ff

        SHA1

        c0958e4984463d37d236c5d4f2bad8bea5deeb96

        SHA256

        3cc6397951b24e26f6239d575174708ff1e13eb29492ee1de79ed3bb4c1d0030

        SHA512

        52c11947409c435e28f62ddb08124a4e027db0bf89460c3d2d569c7958fece03bbda9750f5a79a066c2dba7ecca4692eb09a340ebc893e58234a1bf1018de2a0

        Download Submit

      • \Users\Admin\AppData\Local\Temp\e8972788991eda9e3d2145eca63c4a1082adb3db8a45f40aa46fc13f6834961a.exe
        Filesize

        549KB

        MD5

        3f60ff27fa222e95795f6a15514f6af9

        SHA1

        fe89d4dd69fe3b0bb824928f4c93be0c3c951dd0

        SHA256

        ff48f7e1b80e7d20d8daa44a6f4d6acc248e6c65bec0d0f81ff7e8961b3dd4de

        SHA512

        ed25c588300bd9a6fcbf5ff4e48710a571d0637cb2c2cf599708bffab4cac1e8ad997b4214bcdc31dbcadbf3da12d13571feab3af2d8a72b6370a18b4aa7a3bf

        Download Submit

      • memory/916-66-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1204-68-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1204-69-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1308-57-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download