Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

12127e1a50...80.exe

windows7-x64

7

12127e1a50...80.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    28/02/2024, 19:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    12127e1a505452f2476e535000783f803722e9bfb9efae49b906df8669af1980.exe

  • Size

    140KB

  • MD5

    0a7a4f6fc64026bdf28b41d4d033a0cc

  • SHA1

    1e8c8ab26094e3fa220a2706f3cdba4488149d5f

  • SHA256

    12127e1a505452f2476e535000783f803722e9bfb9efae49b906df8669af1980

  • SHA512

    2af6f32505d705ab9bdd9f78c68c74a73589e9912515612c15b94c3447cab444c780871e5714a806670ddd1036f1ac55af555a925ab620bf45b6d7b80006d80c

  • SSDEEP

    3072:SftffjmNusOfCOv//kxBsg87j914yBHlMKTaEUk:iVfjmNvOzvkxOg87gyBHldU

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1188
      • C:\Users\Admin\AppData\Local\Temp\12127e1a505452f2476e535000783f803722e9bfb9efae49b906df8669af1980.exe
        "C:\Users\Admin\AppData\Local\Temp\12127e1a505452f2476e535000783f803722e9bfb9efae49b906df8669af1980.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2004
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a83B.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2368
          • C:\Users\Admin\AppData\Local\Temp\12127e1a505452f2476e535000783f803722e9bfb9efae49b906df8669af1980.exe
            "C:\Users\Admin\AppData\Local\Temp\12127e1a505452f2476e535000783f803722e9bfb9efae49b906df8669af1980.exe"
            4⤵
            • Executes dropped EXE
            PID:2696
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1720
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2640
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2364

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        511a2d5905efad810a21feada48ceb39

        SHA1

        6a4cf6d0a4bb651ea17966e3accbea68d62b9c3e

        SHA256

        e4286846db738761d9e779ad53e9ba92d875f9acc03f8086307e6f1f1173ebaf

        SHA512

        56e2dda4271555861074bca1121e1b512c64aacc991bc089ef546f11e619359d5b338762d76bf67c8a069293a542ef1f59715f19efceac2ead1fe5eafacc8d3c

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        471KB

        MD5

        4cfdb20b04aa239d6f9e83084d5d0a77

        SHA1

        f22863e04cc1fd4435f785993ede165bd8245ac6

        SHA256

        30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

        SHA512

        35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a83B.bat
        Filesize

        721B

        MD5

        7a587ef0e5c580ffcbaec771f6fa08fc

        SHA1

        de22f50ee1f58c2c20349e32324ea594a3e1553d

        SHA256

        92a53e33d6141930dcd5ca3c9a036c0f84bdd30d1f78ae0c0dec89d99a14d9d8

        SHA512

        2e66bf2676fb4433f63bf8a62d3c3d2f5a5619344411a712f6a46e9e2c02824b60d99541d87d3b7054c60add980d8cd6f0335a02950c798fabf28d95152465c2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\12127e1a505452f2476e535000783f803722e9bfb9efae49b906df8669af1980.exe.exe
        Filesize

        114KB

        MD5

        6c80c1bf7daa513dd0620bd7b4df1d46

        SHA1

        dfa6ed503b0e3f5b803f525eb6d8073847c437c9

        SHA256

        b489419bb8438de7196b180da1923b98c912ab7db96e0ad63c2b3b5ee2b2808f

        SHA512

        fa238af9c2bce8f5bed9939264daff575002d9698c3206457fa716713c35a3660dbf06a851a1e43d9d5600ceae20816acf2b188d5f40ae478aa0e2d23cc5e733

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        247aafc1af131a360429f437cdedad82

        SHA1

        02ab749c7aa28ae7beb232991754aecbc3e596ba

        SHA256

        318e25db58c0812b719310265b3dc04aa4e1fa756cef4e26b57162ab54fc0ad1

        SHA512

        2486fe7c037e6d57936521ea35098df0955a16438979d1335d48f7c912d0ee21b37225c14fb6a2ad62c268b84132883650684664c4370e7188105cd070bddf78

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\_desktop.ini
        Filesize

        9B

        MD5

        20579de1c6702ea14f25df921a00274b

        SHA1

        fc7299007b5fb0580c7a3ef6ae0efd8aaf80a35f

        SHA256

        3eb24c26a19e67d7f499ccb30f78fc29bee126bafd13f41470223c1b8f2e1e4e

        SHA512

        e9a21ede4321b86e5d215d41321741f8db22b9eb92c1325026182c688311d5134041102a194d670abcbd182d2c91d5180ac9b7c9daaf9e41109a3b3d8e3c3d81

        Download Submit

      • memory/1188-29-0x0000000002480000-0x0000000002481000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1720-1849-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1720-31-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1720-38-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1720-44-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1720-90-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1720-96-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1720-666-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1720-2253-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1720-3309-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1720-19-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2004-12-0x0000000000220000-0x0000000000254000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2004-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2004-16-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download