Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

8d0fc277ad...59.exe

windows7-x64

8

8d0fc277ad...59.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    203s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    05/12/2022, 23:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8d0fc277ad658f65028cd1405699068d260aab734839c27e3f0667f767f38c59.exe

  • Size

    56KB

  • MD5

    1061d59747c43b312f76dafa35c83e30

  • SHA1

    087156122d65dc49bf8eff5468c363a998a87b89

  • SHA256

    8d0fc277ad658f65028cd1405699068d260aab734839c27e3f0667f767f38c59

  • SHA512

    1df8001454ad3c830261a7a51ef69e73485931ca8824d7b8eaab66ccaa1c87d85615ae4d2793555ab6529ebd8e7be377b6a42f96f2a2e235b10c70a82a4aa580

  • SSDEEP

    768:pO16GVRu1yK9fMnJG2V9dHS8FY1st5LxI1Q4AwdVGWq0CVacOI+EfAympPvbr:pI3SHuJV9Na1O+GWq0CccR+eenbr

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1220
      • C:\Users\Admin\AppData\Local\Temp\8d0fc277ad658f65028cd1405699068d260aab734839c27e3f0667f767f38c59.exe
        "C:\Users\Admin\AppData\Local\Temp\8d0fc277ad658f65028cd1405699068d260aab734839c27e3f0667f767f38c59.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:960
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE18A.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1636
          • C:\Users\Admin\AppData\Local\Temp\8d0fc277ad658f65028cd1405699068d260aab734839c27e3f0667f767f38c59.exe
            "C:\Users\Admin\AppData\Local\Temp\8d0fc277ad658f65028cd1405699068d260aab734839c27e3f0667f767f38c59.exe"
            4⤵
            • Executes dropped EXE
            PID:844
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1492
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1104
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:1332

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\$$aE18A.bat
        Filesize

        722B

        MD5

        823a726c4d9cd4565fa917a392617480

        SHA1

        60721db9647be8a5c07df3d8d67cd82ffdae90f2

        SHA256

        7c9b8076b659b03ec3076e37fa0a40837bf53f48ce1750e20ae23ce9133272ad

        SHA512

        d5819675d31c8ad66b1bf21dd9f0145c54c79e188a46acade112f05e290e6751c84671c5eb9e05979ca6a0184eec8935201f270733b21abfa0888ad222971fa4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\8d0fc277ad658f65028cd1405699068d260aab734839c27e3f0667f767f38c59.exe
        Filesize

        26KB

        MD5

        d45503f138788a2fbff13aa4b0dac123

        SHA1

        980166d3ef51cae11933cb398312686272dd8a18

        SHA256

        280e0d1d20a57f099994b228ea013e6e65d5534210d658aa154a90199ab17a72

        SHA512

        2287e99d8fd91c53694348cb75e8aa3f5dc82412061b3cf6c95e28863efce23613b17a0bddeb5309ec29b0c14385e5925b05910b2c143182f23b7975aa867c08

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\8d0fc277ad658f65028cd1405699068d260aab734839c27e3f0667f767f38c59.exe.exe
        Filesize

        26KB

        MD5

        d45503f138788a2fbff13aa4b0dac123

        SHA1

        980166d3ef51cae11933cb398312686272dd8a18

        SHA256

        280e0d1d20a57f099994b228ea013e6e65d5534210d658aa154a90199ab17a72

        SHA512

        2287e99d8fd91c53694348cb75e8aa3f5dc82412061b3cf6c95e28863efce23613b17a0bddeb5309ec29b0c14385e5925b05910b2c143182f23b7975aa867c08

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        29KB

        MD5

        77705d80528f0563515f76450582bfa4

        SHA1

        ce91c845049cbe7980acd5047956c84dbe2f58fe

        SHA256

        04f94b514859a1ed823e9a83b91fe81733b87582859167e67ed370c1c9a43edd

        SHA512

        67b1922db696f20afb95570d4cb55331827d55044a2448b79e708beec297d86983ef9c07c32e45732ed59465fb64c2a8bba5959430af5ac2bdb11edd6f421756

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        29KB

        MD5

        77705d80528f0563515f76450582bfa4

        SHA1

        ce91c845049cbe7980acd5047956c84dbe2f58fe

        SHA256

        04f94b514859a1ed823e9a83b91fe81733b87582859167e67ed370c1c9a43edd

        SHA512

        67b1922db696f20afb95570d4cb55331827d55044a2448b79e708beec297d86983ef9c07c32e45732ed59465fb64c2a8bba5959430af5ac2bdb11edd6f421756

        Download Submit

      • C:\Windows\rundl132.exe
        Filesize

        29KB

        MD5

        77705d80528f0563515f76450582bfa4

        SHA1

        ce91c845049cbe7980acd5047956c84dbe2f58fe

        SHA256

        04f94b514859a1ed823e9a83b91fe81733b87582859167e67ed370c1c9a43edd

        SHA512

        67b1922db696f20afb95570d4cb55331827d55044a2448b79e708beec297d86983ef9c07c32e45732ed59465fb64c2a8bba5959430af5ac2bdb11edd6f421756

        Download Submit

      • \Users\Admin\AppData\Local\Temp\8d0fc277ad658f65028cd1405699068d260aab734839c27e3f0667f767f38c59.exe
        Filesize

        26KB

        MD5

        d45503f138788a2fbff13aa4b0dac123

        SHA1

        980166d3ef51cae11933cb398312686272dd8a18

        SHA256

        280e0d1d20a57f099994b228ea013e6e65d5534210d658aa154a90199ab17a72

        SHA512

        2287e99d8fd91c53694348cb75e8aa3f5dc82412061b3cf6c95e28863efce23613b17a0bddeb5309ec29b0c14385e5925b05910b2c143182f23b7975aa867c08

        Download Submit

      • \Users\Admin\AppData\Local\Temp\8d0fc277ad658f65028cd1405699068d260aab734839c27e3f0667f767f38c59.exe
        Filesize

        26KB

        MD5

        d45503f138788a2fbff13aa4b0dac123

        SHA1

        980166d3ef51cae11933cb398312686272dd8a18

        SHA256

        280e0d1d20a57f099994b228ea013e6e65d5534210d658aa154a90199ab17a72

        SHA512

        2287e99d8fd91c53694348cb75e8aa3f5dc82412061b3cf6c95e28863efce23613b17a0bddeb5309ec29b0c14385e5925b05910b2c143182f23b7975aa867c08

        Download Submit

      • memory/844-66-0x0000000075D01000-0x0000000075D03000-memory.dmp

        Filesize

        8KB

        Download

      • memory/960-57-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1492-67-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1492-70-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download