Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

78619af783...ca.exe

windows7-x64

7

78619af783...ca.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    19/12/2023, 22:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    78619af783c3c8c0d7c41159ac86ff40de9eb94b59ef1842675c8e7a5feee8ca.exe

  • Size

    227KB

  • MD5

    7a539b03e779c57a06383779a014825d

  • SHA1

    87483db2f259d80df45272195436ef6dcbc1eb6d

  • SHA256

    78619af783c3c8c0d7c41159ac86ff40de9eb94b59ef1842675c8e7a5feee8ca

  • SHA512

    a1099082ce9c4b9ce8ef2f7c1ef4d6a95f68b9ff48df1b6c1d92df8cdbe4f0d7829d557f19994728f2e8639b00ca8a5786828e2d344cf5a8484fff517a9613d8

  • SSDEEP

    3072:isftffjmNrHrfzY6c6X/YoW4l/DReos0gXf+EvC6C36eCWdMuIB+NSzx602h9dX+:bVfjmNHAel/DRfkTC3dMnB++Cs

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\78619af783c3c8c0d7c41159ac86ff40de9eb94b59ef1842675c8e7a5feee8ca.exe
    "C:\Users\Admin\AppData\Local\Temp\78619af783c3c8c0d7c41159ac86ff40de9eb94b59ef1842675c8e7a5feee8ca.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1576
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1777.bat
      2⤵
      • Deletes itself
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2932
      • C:\Users\Admin\AppData\Local\Temp\78619af783c3c8c0d7c41159ac86ff40de9eb94b59ef1842675c8e7a5feee8ca.exe
        "C:\Users\Admin\AppData\Local\Temp\78619af783c3c8c0d7c41159ac86ff40de9eb94b59ef1842675c8e7a5feee8ca.exe"
        3⤵
        • Executes dropped EXE
        PID:2660
    • C:\Windows\Logo1_.exe
      C:\Windows\Logo1_.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2156
      • C:\Windows\SysWOW64\net.exe
        net stop "Kingsoft AntiVirus Service"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2920
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          4⤵
            PID:2632
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1372

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        471KB

        MD5

        4cfdb20b04aa239d6f9e83084d5d0a77

        SHA1

        f22863e04cc1fd4435f785993ede165bd8245ac6

        SHA256

        30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

        SHA512

        35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a1777.bat
        Filesize

        722B

        MD5

        9e86b3778c8efbbd353f70cbd9dcb918

        SHA1

        0ceb144e856d6e5bfdf49b51cc5129c689dc95d3

        SHA256

        b83b01915b636deb3e0e48d88254b1dbf04302fc9f84889f9cdaea28ae634ba9

        SHA512

        9e1c0c872b5447bd58edaaedfe3e7549d90345b5ec6b664bb90c980be0a3ee59a8d3b545d1167c3f236fa7ec5392aa59099629b318d1c15d2a0700866eb10712

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\78619af783c3c8c0d7c41159ac86ff40de9eb94b59ef1842675c8e7a5feee8ca.exe.exe
        Filesize

        201KB

        MD5

        11fe091ace9d03b9ada6d5a22d12c0d0

        SHA1

        5379ebe84500d425586904e7f9ac0393ab2a9d24

        SHA256

        50f4ed60a507ce9dd1f3f4e7d53053d923cb71594374a25251746a9b2271e4ee

        SHA512

        0f39af99697332c697ca62e2708e0a9200552a55f2d3057b64e9b18df2fe2828be750b14b5336ac9518b4c1282e82cd170b64587cf56b45b840ca231108b7fdf

        Download Submit

      • C:\Windows\rundl132.exe
        Filesize

        26KB

        MD5

        6a2fe8366e8c4e599cf0f58addd6dbfb

        SHA1

        42d87d444f62be53bf6e092aadb030b7f14a8a9b

        SHA256

        275f0e70263a79d5e1dd80f8aa774b43597bfc3d951ff2785a3b55c38325a340

        SHA512

        2d2caa6ac1e694a18d02726e4d6a4e9f2179fa5a056c081029d0a6bc5cd2d971eeb17b528edd92a5bfafe3ef8598eaead539d9226e502f984d8be62c5ee94e6e

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\_desktop.ini
        Filesize

        10B

        MD5

        b8fe24fdb9877e9096606f3ec04e8aee

        SHA1

        195fca588a722e6802e655b3f8a838bf4cbc18a3

        SHA256

        c73bcb74435008f4d7f5d19e221dfb777624db21cc98dcbf6969e313783b0525

        SHA512

        bfb98ccb3dc3106bb839319e5f7b3c1b7c67a5f97160ac967b944472eff9da64819daf40809b335bfe08a1610ea9f2ea0fb0bfde86b85a5ba6239b1201615295

        Download Submit

      • memory/1372-29-0x0000000002A20000-0x0000000002A21000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1576-12-0x0000000000220000-0x0000000000254000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1576-16-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1576-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2156-31-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2156-38-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2156-44-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2156-90-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2156-96-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2156-778-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2156-1849-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2156-2674-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2156-3309-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2156-21-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download