Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

6

Static

static

3

311d4debff...97.exe

windows7-x64

6

311d4debff...97.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/11/2023, 07:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    311d4debffce8604501fbc5f49c9816a09005a228111e8fb2d32c40a57446b97.exe

  • Size

    29KB

  • MD5

    d63b0a38dd57c953778fc6996dced7b8

  • SHA1

    4c03454a4597f218de1a9c531fe68de370f211c6

  • SHA256

    311d4debffce8604501fbc5f49c9816a09005a228111e8fb2d32c40a57446b97

  • SHA512

    c4d6bf7eb7123d3f0ea709cc992814016cd13e50b4b3534518d6d66893b37067d76aaa6cd62dc9b646ce684a6da1a4d3900ed12f3e21fb03ec56a6cef4c4a0f0

  • SSDEEP

    384:NbbbKDvJ3IS01Gt5M0zhIV/DZ3KZp7JcTO4yf9Knuf2MqlUV2V9wVfUnfRqOzGOj:pGJYS016GVRu1yK9fMnJG2V9dHS8

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3196
      • C:\Users\Admin\AppData\Local\Temp\311d4debffce8604501fbc5f49c9816a09005a228111e8fb2d32c40a57446b97.exe
        "C:\Users\Admin\AppData\Local\Temp\311d4debffce8604501fbc5f49c9816a09005a228111e8fb2d32c40a57446b97.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4808
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2552
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2132

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\Google\Chrome\Application\chrome.exe
        Filesize

        2.8MB

        MD5

        9c4394c2f68bf5ea9d8b771a1db879de

        SHA1

        72161ebb916656f721d2598c53ffdb8e5c26318d

        SHA256

        04657e60b91c633b3ec4c4678539ee0573f3e744d5f3fb040ec5dbfb74a51105

        SHA512

        507769da00e1f04172e1a78cca06d8ff702484ded2b98acdf28023cb37351c656fd20d0ab8b6d20c4ec7f972e77e77594dd10192a5622ebde08ba6bdcad27976

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-1114462139-3090196418-29517368-1000\_desktop.ini
        Filesize

        10B

        MD5

        b37b393b54a7359a4db72d7ede7217d8

        SHA1

        f72b757d8b265002cdbb349b309817684b06c790

        SHA256

        b2a681fd703549670a45f0f394a78843add6199a491ec7194d74454e7fa717a7

        SHA512

        7da2eacf26b7627db3ae5f29780bb8750b618f4e56b5b6576cae090c49b417c74d0df7402c6d07d9356004a70f5e9b968c14847d652df627d6a00227966f1772

        Download Submit

      • memory/4808-0-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4808-5-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4808-12-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4808-19-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4808-23-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4808-28-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4808-283-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4808-1070-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4808-2163-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download