Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

0b5f785a6d...af.exe

windows7-x64

7

0b5f785a6d...af.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    151s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/10/2023, 15:25 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0b5f785a6d61624fb5618c310421f09847d9eeee481a9d15df5d67326f03e4af.exe

  • Size

    83KB

  • MD5

    9455b9f6832cdcbac081d594f3b0ffa8

  • SHA1

    de8849aee6c697801be70ee835a88fb0e8e71009

  • SHA256

    0b5f785a6d61624fb5618c310421f09847d9eeee481a9d15df5d67326f03e4af

  • SHA512

    f6b6272af9be6c3eb31228046ae77c6a8efea9c35e4591ff5518c55f297bacf9d13b5179993f301503aa5d92254886f6e9de6a8cbbf9e173541724f36bfffbed

  • SSDEEP

    1536:2fgLdQAQfhJIJ0IO61oPeacurY7Rc/a/ysfq2hltssjWpVCVuM0nm:2ftffhJCuUorcUY7zvhfsGuKuMGm

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3156
      • C:\Users\Admin\AppData\Local\Temp\0b5f785a6d61624fb5618c310421f09847d9eeee481a9d15df5d67326f03e4af.exe
        "C:\Users\Admin\AppData\Local\Temp\0b5f785a6d61624fb5618c310421f09847d9eeee481a9d15df5d67326f03e4af.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:4988
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a634E.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1268
          • C:\Users\Admin\AppData\Local\Temp\0b5f785a6d61624fb5618c310421f09847d9eeee481a9d15df5d67326f03e4af.exe
            "C:\Users\Admin\AppData\Local\Temp\0b5f785a6d61624fb5618c310421f09847d9eeee481a9d15df5d67326f03e4af.exe"
            4⤵
            • Executes dropped EXE
            PID:4548
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3948
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4856
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:4920

      Network

      • flag-us
        DNS
        8.8.8.8.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        8.8.8.8.in-addr.arpa
        IN PTR
        Response
        8.8.8.8.in-addr.arpa
        IN PTR
        dnsgoogle
      • flag-us
        DNS
        64.159.190.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        64.159.190.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        126.22.238.8.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        126.22.238.8.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        59.128.231.4.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        59.128.231.4.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        55.36.223.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        55.36.223.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        108.211.229.192.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        108.211.229.192.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        241.154.82.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        241.154.82.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        39.142.81.104.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        39.142.81.104.in-addr.arpa
        IN PTR
        Response
        39.142.81.104.in-addr.arpa
        IN PTR
        a104-81-142-39deploystaticakamaitechnologiescom
      • flag-us
        DNS
        95.221.229.192.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        95.221.229.192.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        86.23.85.13.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        86.23.85.13.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        56.126.166.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        56.126.166.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        8.3.197.209.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        8.3.197.209.in-addr.arpa
        IN PTR
        Response
        8.3.197.209.in-addr.arpa
        IN PTR
        vip0x008map2sslhwcdnnet
      • flag-us
        DNS
        9.228.82.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        9.228.82.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        254.177.238.8.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        254.177.238.8.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        158.240.127.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        158.240.127.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        135.1.85.104.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        135.1.85.104.in-addr.arpa
        IN PTR
        Response
        135.1.85.104.in-addr.arpa
        IN PTR
        a104-85-1-135deploystaticakamaitechnologiescom
      • flag-us
        DNS
        119.110.54.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        119.110.54.20.in-addr.arpa
        IN PTR
        Response
      No results found
      • 8.8.8.8:53
        8.8.8.8.in-addr.arpa
        dns
        66 B
         90 B
         1
        1

        DNS Request

        8.8.8.8.in-addr.arpa

      • 8.8.8.8:53
        64.159.190.20.in-addr.arpa
        dns
        72 B
         158 B
         1
        1

        DNS Request

        64.159.190.20.in-addr.arpa

      • 8.8.8.8:53
        126.22.238.8.in-addr.arpa
        dns
        71 B
         125 B
         1
        1

        DNS Request

        126.22.238.8.in-addr.arpa

      • 8.8.8.8:53
        59.128.231.4.in-addr.arpa
        dns
        71 B
         157 B
         1
        1

        DNS Request

        59.128.231.4.in-addr.arpa

      • 8.8.8.8:53
        55.36.223.20.in-addr.arpa
        dns
        71 B
         157 B
         1
        1

        DNS Request

        55.36.223.20.in-addr.arpa

      • 8.8.8.8:53
        108.211.229.192.in-addr.arpa
        dns
        74 B
         145 B
         1
        1

        DNS Request

        108.211.229.192.in-addr.arpa

      • 8.8.8.8:53
        241.154.82.20.in-addr.arpa
        dns
        72 B
         158 B
         1
        1

        DNS Request

        241.154.82.20.in-addr.arpa

      • 8.8.8.8:53
        39.142.81.104.in-addr.arpa
        dns
        72 B
         137 B
         1
        1

        DNS Request

        39.142.81.104.in-addr.arpa

      • 8.8.8.8:53
        95.221.229.192.in-addr.arpa
        dns
        73 B
         144 B
         1
        1

        DNS Request

        95.221.229.192.in-addr.arpa

      • 8.8.8.8:53
        86.23.85.13.in-addr.arpa
        dns
        70 B
         144 B
         1
        1

        DNS Request

        86.23.85.13.in-addr.arpa

      • 8.8.8.8:53
        56.126.166.20.in-addr.arpa
        dns
        72 B
         158 B
         1
        1

        DNS Request

        56.126.166.20.in-addr.arpa

      • 8.8.8.8:53
        8.3.197.209.in-addr.arpa
        dns
        70 B
         111 B
         1
        1

        DNS Request

        8.3.197.209.in-addr.arpa

      • 8.8.8.8:53
        9.228.82.20.in-addr.arpa
        dns
        70 B
         156 B
         1
        1

        DNS Request

        9.228.82.20.in-addr.arpa

      • 8.8.8.8:53
        254.177.238.8.in-addr.arpa
        dns
        72 B
         126 B
         1
        1

        DNS Request

        254.177.238.8.in-addr.arpa

      • 8.8.8.8:53
        158.240.127.40.in-addr.arpa
        dns
        73 B
         147 B
         1
        1

        DNS Request

        158.240.127.40.in-addr.arpa

      • 8.8.8.8:53
        135.1.85.104.in-addr.arpa
        dns
        71 B
         135 B
         1
        1

        DNS Request

        135.1.85.104.in-addr.arpa

      • 8.8.8.8:53
        119.110.54.20.in-addr.arpa
        dns
        72 B
         158 B
         1
        1

        DNS Request

        119.110.54.20.in-addr.arpa

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\7-Zip\7z.exe
        Filesize

        484KB

        MD5

        21c3de0a87a08c7f79a79abdd775c7fa

        SHA1

        b9b8fa21b10199aa8d764a7990193df7823d1ea1

        SHA256

        12deecc2b56b7089af3ccea965a828b51d3e88a0556dca5411d4f14eb3cb9b09

        SHA512

        599860961b3eb4423e98be92100329670cddf87b80903a950c693c2c07e798bd642a94a64d1e0329040190ff9cc8f323547783e21f78a981f401cee37533d6f0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a634E.bat
        Filesize

        722B

        MD5

        d3a2a56880baea4b9cf468bf35784f18

        SHA1

        9ebc569dd2215e4e92ec0a12ab73dd05963d98df

        SHA256

        2133fc3f684585ead225140102a0dee153769c7edbc65bc29bc6fb8ecf101b8e

        SHA512

        d838e63ba8f8de0663e47cb5e233f87de949c940d0a4281c485e5a6efacfc9366aa724d3e5068452f92051dbe9448654697d1f1512f93d55a5e56f3dcce5bc7e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\0b5f785a6d61624fb5618c310421f09847d9eeee481a9d15df5d67326f03e4af.exe
        Filesize

        57KB

        MD5

        f20120319812bf92cffc6a7f5f8134d0

        SHA1

        7d6b2b23d3e0791ce9f646e1b7c00a815e29ccdf

        SHA256

        ddc3bc440c3ab581e4968dad35e0f43b15be9c6690c701e702d9f615adf86606

        SHA512

        820137b5b94676bb1937f68b5947ed7ffbdc5bc15f6e21ccc1cc67c8c2226dd157469dd039a7bbaa04096f46f2c7919c0e5c7d9c53e7343568969ab02785cafa

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\0b5f785a6d61624fb5618c310421f09847d9eeee481a9d15df5d67326f03e4af.exe.exe
        Filesize

        57KB

        MD5

        f20120319812bf92cffc6a7f5f8134d0

        SHA1

        7d6b2b23d3e0791ce9f646e1b7c00a815e29ccdf

        SHA256

        ddc3bc440c3ab581e4968dad35e0f43b15be9c6690c701e702d9f615adf86606

        SHA512

        820137b5b94676bb1937f68b5947ed7ffbdc5bc15f6e21ccc1cc67c8c2226dd157469dd039a7bbaa04096f46f2c7919c0e5c7d9c53e7343568969ab02785cafa

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        8d52fa03a0b7e8a6766b2d769aacd7e6

        SHA1

        f2b8804c1efd0a2544a5c59dd1d2a0589a336761

        SHA256

        d3a5d60f78a59fcdfe9f0cc7fd087c0fbccb338a78a193f0da0fe0661cf5a8cd

        SHA512

        d0771b56e9c8b0a998a9730d68fe5c362512d5ffb8c0e06d4dee8bedd4f455e61ae08d346388ec9abd6350aa26d49298720aea3de112dfaa9687bc6d136a62a2

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        8d52fa03a0b7e8a6766b2d769aacd7e6

        SHA1

        f2b8804c1efd0a2544a5c59dd1d2a0589a336761

        SHA256

        d3a5d60f78a59fcdfe9f0cc7fd087c0fbccb338a78a193f0da0fe0661cf5a8cd

        SHA512

        d0771b56e9c8b0a998a9730d68fe5c362512d5ffb8c0e06d4dee8bedd4f455e61ae08d346388ec9abd6350aa26d49298720aea3de112dfaa9687bc6d136a62a2

        Download Submit

      • C:\Windows\rundl132.exe
        Filesize

        26KB

        MD5

        8d52fa03a0b7e8a6766b2d769aacd7e6

        SHA1

        f2b8804c1efd0a2544a5c59dd1d2a0589a336761

        SHA256

        d3a5d60f78a59fcdfe9f0cc7fd087c0fbccb338a78a193f0da0fe0661cf5a8cd

        SHA512

        d0771b56e9c8b0a998a9730d68fe5c362512d5ffb8c0e06d4dee8bedd4f455e61ae08d346388ec9abd6350aa26d49298720aea3de112dfaa9687bc6d136a62a2

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-2344688013-2965468717-2034126-1000\_desktop.ini
        Filesize

        10B

        MD5

        dbf19ca54500e964528b156763234c1d

        SHA1

        05376f86423aec8badf0adbc47887234ac83ef5a

        SHA256

        bfa0ad2e861e2369dc239edf8f62fbe1c4507d877ec2f76e46e48f1e68fdd5ae

        SHA512

        fb8ce1253ad6d3c1b7d970614dbc2d21574576336a490b54a8dc705a3d8637c0669747ba821fb2f4da14d7447dc24607aca988b0cd3bd9fc4d9d5988b4b631d0

        Download Submit

      • memory/3948-22-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3948-19-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3948-9-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3948-27-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3948-33-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3948-38-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3948-42-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3948-100-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3948-1117-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3948-1119-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4988-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4988-8-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.