Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

bd1b165c16...9f.exe

windows7-x64

7

bd1b165c16...9f.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    152s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/03/2024, 07:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bd1b165c1616e8e7872c7780267db520613227484d7293d06937f6c9ae61b19f.exe

  • Size

    46KB

  • MD5

    5abe06767d00207a0fc26f034a4b6b74

  • SHA1

    00daa2a8d778fef8a7442299489a077a9e998b19

  • SHA256

    bd1b165c1616e8e7872c7780267db520613227484d7293d06937f6c9ae61b19f

  • SHA512

    9d257f85c47a36e48d83203acae9016e7dff1b11def8c5181dde3e5c38914273a6dd208bb31c14ef61b1eaa0f953ac31c602bc1dd4e0bef5fff045693765b5fd

  • SSDEEP

    768:n1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoLwnV9P85GB2FlFfNDG7qHUf2h:1fgLdQAQfcfymNsV9kFfO2Uf

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3240
      • C:\Users\Admin\AppData\Local\Temp\bd1b165c1616e8e7872c7780267db520613227484d7293d06937f6c9ae61b19f.exe
        "C:\Users\Admin\AppData\Local\Temp\bd1b165c1616e8e7872c7780267db520613227484d7293d06937f6c9ae61b19f.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1620
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a141F.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3756
          • C:\Users\Admin\AppData\Local\Temp\bd1b165c1616e8e7872c7780267db520613227484d7293d06937f6c9ae61b19f.exe
            "C:\Users\Admin\AppData\Local\Temp\bd1b165c1616e8e7872c7780267db520613227484d7293d06937f6c9ae61b19f.exe"
            4⤵
            • Executes dropped EXE
            PID:4412
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1460
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1524
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2584
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1412 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:1036

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\7-Zip\7z.exe
          Filesize

          570KB

          MD5

          88123c00c7cb2b0782b09805d65ab0e3

          SHA1

          62154151738b66ca06c73a27a25302d676218c2d

          SHA256

          255584efa79f855a1dd7e85748825bf09bc1e9050a19c9fa3fee31f1ddc6eb4d

          SHA512

          238d89a4220d754da809e937959695203753d3d7b42f73cee956c969a974b63948a43cbd0a16ef18547435e2059c5f6b01fdb1c852f4be62ec15d16d3a3b7b58

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\$$a141F.bat
          Filesize

          722B

          MD5

          caa2fbca88d3f4139cc5d30206c637e9

          SHA1

          a64ba824f7417a246bb658b5b02289f9e71ba428

          SHA256

          b61e6467f0f3a19521cc1b147523c569d53542be0e70dc1416d62f54c58b74bb

          SHA512

          6e801e36802f4b636935d3fd86b9b9a3d85102893c18357f9d874db4d4cb9e9011baaab116c84a0733474420cbee8f7acbacbd1631dadca1e7e63e23e9592c22

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\bd1b165c1616e8e7872c7780267db520613227484d7293d06937f6c9ae61b19f.exe.exe
          Filesize

          20KB

          MD5

          041c541459d66173349737675707f8e8

          SHA1

          675368be6d2585d97c58d904981037a4dd255af7

          SHA256

          3e7712361e0ae26920b3b6caa299ef06a62fcc86301ec97c44df4981b3f2a446

          SHA512

          c876e48e386602fd7f7353a7e0d7126ff2b890ebce04ffe751cf898509198ae8264c448b02894309d24e4f1e5315aae2a08402583cab838439af501bcad5aead

          Download Submit

        • C:\Windows\Logo1_.exe
          Filesize

          26KB

          MD5

          11bac14958e375a9b26e1adae9f76043

          SHA1

          99f19224054d3dc26f20ace9c701e2c70d440d40

          SHA256

          eac627202d1b0142c98178cd516ac002c927846e714d0bd4fde46e62ef295a35

          SHA512

          a93847b47caf2ae4ae1cd27b1a8a3592f88d9d48d1bc0667e5b8d9a20ff8b6f3b80c42f11af5d77a53ae891327e1c55b88e5989565c4eb15dc39df6cb0932b67

          Download Submit

        • F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\_desktop.ini
          Filesize

          8B

          MD5

          658d36413fa4de67d2edb254a0383bbf

          SHA1

          bd660e7319a5040c3af6edca0911a4ab4bdc33df

          SHA256

          0118c20e2d539544ae8e73767b080d41f4ff57be18407222143ebea26d6affa2

          SHA512

          f368a5a7d963fec63b9d599a1da34ae9eea37261f8c4d267d73624f5a36a0402f1f780317e094b240de3980a0a144929ea2076a23b134267cb0209b3172e1b7b

          Download Submit

        • memory/1460-37-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1460-19-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1460-8-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1460-33-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1460-26-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1460-41-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1460-176-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1460-1015-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1460-1182-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1460-1937-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1620-0-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1620-12-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download