Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

b3fea5464c...00.exe

windows7-x64

8

b3fea5464c...00.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/12/2022, 12:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b3fea5464c7d3e94de9d9bc746ab0ca18cffefcd701376dcfb669cb7d0203300.exe

  • Size

    43KB

  • MD5

    af29bb51932c629db68517588718951e

  • SHA1

    609810cd2fa4f35c58cad7fb0754f092fd29fd39

  • SHA256

    b3fea5464c7d3e94de9d9bc746ab0ca18cffefcd701376dcfb669cb7d0203300

  • SHA512

    6b31fbad7506f34aff42415e2de41392eb876274bbff37f82ecd89d33ca9f5e1f3d9a1cbdf46f57fd3843d5e87445c85e5df06ab28f9bf9c8dd317637ab9cd70

  • SSDEEP

    768:ptq16GVRu1yK9fMnJG2V9dHS8clXNGSs8zCaLWE4bCfJ:ptM3SHuJV9NwllCaadCfJ

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3036
      • C:\Users\Admin\AppData\Local\Temp\b3fea5464c7d3e94de9d9bc746ab0ca18cffefcd701376dcfb669cb7d0203300.exe
        "C:\Users\Admin\AppData\Local\Temp\b3fea5464c7d3e94de9d9bc746ab0ca18cffefcd701376dcfb669cb7d0203300.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2148
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA378.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4908
          • C:\Users\Admin\AppData\Local\Temp\b3fea5464c7d3e94de9d9bc746ab0ca18cffefcd701376dcfb669cb7d0203300.exe
            "C:\Users\Admin\AppData\Local\Temp\b3fea5464c7d3e94de9d9bc746ab0ca18cffefcd701376dcfb669cb7d0203300.exe"
            4⤵
            • Executes dropped EXE
            PID:1624
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3204
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3604
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:4444

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\$$aA378.bat
        Filesize

        722B

        MD5

        55ad31ca27ad9c5362d23096cc5e251f

        SHA1

        9096a486c7974a16f39f91cfbff816ec8ffb6ced

        SHA256

        49535424c80d07ff3a5a412e45f614c3d22da9b68c513e094e8f2a6e3f131d32

        SHA512

        3deba7e0e453a361ef0771bc3c8fe24dfe3b9d3c08c5aff4e97d7146ffc06df96827566824773b57b1af1ddee5bbbc7b4d7ec1552c3176cd4ac6150b7ad90cda

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\b3fea5464c7d3e94de9d9bc746ab0ca18cffefcd701376dcfb669cb7d0203300.exe
        Filesize

        14KB

        MD5

        13871c4426dda78f91e88e43d51844a8

        SHA1

        3e5dc5d662ac718ac29da73ef5ba00662a3601ce

        SHA256

        9c6a5caa334daecabb9b9080f10973aa3d3971ea12d16e218a71a23248634621

        SHA512

        020e67422bfc212aa0d7d45eeedb76bc86a8ad254ef1463fdc783596c400680e144bbd6859ae6a58db2cc4ddfaab25711cf8e3a20680e6d121c14d3fa9a32802

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\b3fea5464c7d3e94de9d9bc746ab0ca18cffefcd701376dcfb669cb7d0203300.exe.exe
        Filesize

        14KB

        MD5

        13871c4426dda78f91e88e43d51844a8

        SHA1

        3e5dc5d662ac718ac29da73ef5ba00662a3601ce

        SHA256

        9c6a5caa334daecabb9b9080f10973aa3d3971ea12d16e218a71a23248634621

        SHA512

        020e67422bfc212aa0d7d45eeedb76bc86a8ad254ef1463fdc783596c400680e144bbd6859ae6a58db2cc4ddfaab25711cf8e3a20680e6d121c14d3fa9a32802

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        29KB

        MD5

        bed9993f2e1de936175e3e499262bda3

        SHA1

        04d9ec2bcc4cc85dcd808b6488363885be37576c

        SHA256

        5ff2dbbf149a7e8813431b1ff403576a78c201e3d0c514e5f787cce55e4315f2

        SHA512

        a90e44de3aa527424f2fd9d3c4dc9e7ab39c444966bd0e27c65ebe00c724c4dfbd410aa3b7bb2687beb3b989a9cd07feabf9ee95d52324ea948dfae1c064b763

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        29KB

        MD5

        bed9993f2e1de936175e3e499262bda3

        SHA1

        04d9ec2bcc4cc85dcd808b6488363885be37576c

        SHA256

        5ff2dbbf149a7e8813431b1ff403576a78c201e3d0c514e5f787cce55e4315f2

        SHA512

        a90e44de3aa527424f2fd9d3c4dc9e7ab39c444966bd0e27c65ebe00c724c4dfbd410aa3b7bb2687beb3b989a9cd07feabf9ee95d52324ea948dfae1c064b763

        Download Submit

      • C:\Windows\rundl132.exe
        Filesize

        29KB

        MD5

        bed9993f2e1de936175e3e499262bda3

        SHA1

        04d9ec2bcc4cc85dcd808b6488363885be37576c

        SHA256

        5ff2dbbf149a7e8813431b1ff403576a78c201e3d0c514e5f787cce55e4315f2

        SHA512

        a90e44de3aa527424f2fd9d3c4dc9e7ab39c444966bd0e27c65ebe00c724c4dfbd410aa3b7bb2687beb3b989a9cd07feabf9ee95d52324ea948dfae1c064b763

        Download Submit

      • memory/2148-137-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3204-144-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3204-145-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download