Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

12127e1a50...80.exe

windows7-x64

7

12127e1a50...80.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/02/2024, 19:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    12127e1a505452f2476e535000783f803722e9bfb9efae49b906df8669af1980.exe

  • Size

    140KB

  • MD5

    0a7a4f6fc64026bdf28b41d4d033a0cc

  • SHA1

    1e8c8ab26094e3fa220a2706f3cdba4488149d5f

  • SHA256

    12127e1a505452f2476e535000783f803722e9bfb9efae49b906df8669af1980

  • SHA512

    2af6f32505d705ab9bdd9f78c68c74a73589e9912515612c15b94c3447cab444c780871e5714a806670ddd1036f1ac55af555a925ab620bf45b6d7b80006d80c

  • SSDEEP

    3072:SftffjmNusOfCOv//kxBsg87j914yBHlMKTaEUk:iVfjmNvOzvkxOg87gyBHldU

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3300
      • C:\Users\Admin\AppData\Local\Temp\12127e1a505452f2476e535000783f803722e9bfb9efae49b906df8669af1980.exe
        "C:\Users\Admin\AppData\Local\Temp\12127e1a505452f2476e535000783f803722e9bfb9efae49b906df8669af1980.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2576
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6B9B.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3124
          • C:\Users\Admin\AppData\Local\Temp\12127e1a505452f2476e535000783f803722e9bfb9efae49b906df8669af1980.exe
            "C:\Users\Admin\AppData\Local\Temp\12127e1a505452f2476e535000783f803722e9bfb9efae49b906df8669af1980.exe"
            4⤵
            • Executes dropped EXE
            PID:3336
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3320
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1128
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:3604

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        511a2d5905efad810a21feada48ceb39

        SHA1

        6a4cf6d0a4bb651ea17966e3accbea68d62b9c3e

        SHA256

        e4286846db738761d9e779ad53e9ba92d875f9acc03f8086307e6f1f1173ebaf

        SHA512

        56e2dda4271555861074bca1121e1b512c64aacc991bc089ef546f11e619359d5b338762d76bf67c8a069293a542ef1f59715f19efceac2ead1fe5eafacc8d3c

        Download Submit

      • C:\Program Files\7-Zip\7z.exe
        Filesize

        570KB

        MD5

        f3c335cf0cfac4740936df9f21f12af2

        SHA1

        51f516989f3992dc5c70474ed51765c743112df1

        SHA256

        743e2459a48b6f28539de9d760f44a5d67c4ebed8263ac243598186363321a7b

        SHA512

        78663ddd606657a46e01b14104ca416cc7b35b3d039544ec03c100fbc39f85dbb802f21ebc0e3042da1b4f472715e30d9be52251685dc5fb936874cb4c0c161c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a6B9B.bat
        Filesize

        722B

        MD5

        72058aa4b43827440f67b0d565cc711e

        SHA1

        e7475e6323b23b3e54f6b86f753c0f1c58ac893c

        SHA256

        1e02bcd93caf886d4053860a79476a085b83567d3f966a3b9cdb57e0f0e9d86a

        SHA512

        dffb49afb9aeab56e354288aa4960e7af155e316f1f02cba587bdf21fbcfe7086852a31ef0fcc4777b5bb09af3437e566930d58d004c2967be074eaa945e5042

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\12127e1a505452f2476e535000783f803722e9bfb9efae49b906df8669af1980.exe.exe
        Filesize

        114KB

        MD5

        6c80c1bf7daa513dd0620bd7b4df1d46

        SHA1

        dfa6ed503b0e3f5b803f525eb6d8073847c437c9

        SHA256

        b489419bb8438de7196b180da1923b98c912ab7db96e0ad63c2b3b5ee2b2808f

        SHA512

        fa238af9c2bce8f5bed9939264daff575002d9698c3206457fa716713c35a3660dbf06a851a1e43d9d5600ceae20816acf2b188d5f40ae478aa0e2d23cc5e733

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        247aafc1af131a360429f437cdedad82

        SHA1

        02ab749c7aa28ae7beb232991754aecbc3e596ba

        SHA256

        318e25db58c0812b719310265b3dc04aa4e1fa756cef4e26b57162ab54fc0ad1

        SHA512

        2486fe7c037e6d57936521ea35098df0955a16438979d1335d48f7c912d0ee21b37225c14fb6a2ad62c268b84132883650684664c4370e7188105cd070bddf78

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-2727153400-192325109-1870347593-1000\_desktop.ini
        Filesize

        9B

        MD5

        20579de1c6702ea14f25df921a00274b

        SHA1

        fc7299007b5fb0580c7a3ef6ae0efd8aaf80a35f

        SHA256

        3eb24c26a19e67d7f499ccb30f78fc29bee126bafd13f41470223c1b8f2e1e4e

        SHA512

        e9a21ede4321b86e5d215d41321741f8db22b9eb92c1325026182c688311d5134041102a194d670abcbd182d2c91d5180ac9b7c9daaf9e41109a3b3d8e3c3d81

        Download Submit

      • memory/2576-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2576-12-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3320-33-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3320-26-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3320-37-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3320-42-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3320-8-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3320-364-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3320-1175-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3320-2190-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3320-19-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3320-4741-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download