Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

6

Static

static

3

ef3fbd14f9...7e.exe

windows7-x64

6

ef3fbd14f9...7e.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    29/09/2023, 19:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ef3fbd14f96ca42f09af1107b97465aec898db5c16b1d568bd4f60d713642f7e.exe

  • Size

    26KB

  • MD5

    cab628bceb8b3c9bb2b79a71a0d68319

  • SHA1

    a20587dd81165b8e1e22b056c40677d94bece6cb

  • SHA256

    ef3fbd14f96ca42f09af1107b97465aec898db5c16b1d568bd4f60d713642f7e

  • SHA512

    d71b4eea641bec4c2d86d55702f6d96eca1af92ca4ab87b24fc3eeab2b705134629ef80b9f5d1cb29c5212b0866d39963708851bd39e1f6774198a6e7df2af78

  • SSDEEP

    768:1Z1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoGwXnKx:tfgLdQAQfcfymNG+Kx

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1272
      • C:\Users\Admin\AppData\Local\Temp\ef3fbd14f96ca42f09af1107b97465aec898db5c16b1d568bd4f60d713642f7e.exe
        "C:\Users\Admin\AppData\Local\Temp\ef3fbd14f96ca42f09af1107b97465aec898db5c16b1d568bd4f60d713642f7e.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2092
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1660
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2820

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        14433b5cd9967ad2af0248435b745083

        SHA1

        9325d22da7bb0c54f34f3bd0a491c4ed8b940d16

        SHA256

        7d7045224e82e103031144a7fd09be97d57255e4bbf3c385b41f1393b0ac6cd6

        SHA512

        e6351392cddfcf4f07be1b0e6abfb015281632c12c01a406d1d8dcb104921c1cc34e53dfbe103e94ad4c1a2f9c1e3e1f3044f7a33cfb2caef05bebb907c56236

        Download Submit

      • C:\Program Files\7-Zip\7zFM.exe
        Filesize

        873KB

        MD5

        946cb16d20f30faca80bbe2c44b92a1b

        SHA1

        b30560f3964d7b49041298022a00bf307e433bdb

        SHA256

        8e0485ee42aef6d5452ddc392665c0b6baf3f460beb652b8ad07474321876818

        SHA512

        36ec7d52b113fb59dcbca3a753c717d3f7684da7b7836533c269e633f9b0538d4459132915b0b096e88959c13d087ca19ca0eeee0f54b7972c923d14b910038e

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        471KB

        MD5

        c6c8fde27f649c91ddaab8cb9ca344a6

        SHA1

        5e4865aec432a18107182f47edda176e8c566152

        SHA256

        32c3fed53bfc1d890e9bd1d771fdc7e2c81480e03f1425bce07b4045a192d100

        SHA512

        a8df7d1e852d871d7f16bae10c4ff049359583da88cc85a039f0298525839040d5363ce5ef4cbdb92a12a25785f73df83cf0df07752b78e6e6444f32160a2155

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-686452656-3203474025-4140627569-1000\_desktop.ini
        Filesize

        9B

        MD5

        0d8cc6d8ad77008e4eea5193ba074b8b

        SHA1

        ed3ef3737662f0b0d7dabb8a681fdab8882322a1

        SHA256

        02cb6e1ee5bc2475b62b35df1ff95d9d38080ea818c3fea2c65ceb449c761999

        SHA512

        8cf0f361865203a0b8ea23fb3a33827b86958c4035294db074562956d6fe213d9069f3e5687ea66284e14f4406d74d348d98eec1af10b2538acd7a302752813f

        Download Submit

      • memory/1272-5-0x0000000002A80000-0x0000000002A81000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2092-66-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2092-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2092-73-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2092-20-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2092-1825-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2092-14-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2092-3285-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2092-7-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download