Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

7ec9e2332a...e9.exe

windows7-x64

7

7ec9e2332a...e9.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    07/03/2024, 02:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7ec9e2332a8da4f40d544c350ab0603e0833946bddcffd43caab19edaa3b6ce9.exe

  • Size

    203KB

  • MD5

    22367ee4b2c9954b7cd7e3415dcf894a

  • SHA1

    9f09bfa8f50559baadf83366725cdeec93f93f00

  • SHA256

    7ec9e2332a8da4f40d544c350ab0603e0833946bddcffd43caab19edaa3b6ce9

  • SHA512

    1b4537a3a002010077d78be40faedf7b1fad5ba6234597a5043da68b1753c490d646e7b886ec8ea2066175672141a8f6a5867b8a54caae4de73d944873d692b5

  • SSDEEP

    6144:pVfjmNt/zUPNXJnz1hfjnKgTAhduXIGp9Vxvb:/7+t/MXJnz1hfjnKg0uXIGLvb

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\7ec9e2332a8da4f40d544c350ab0603e0833946bddcffd43caab19edaa3b6ce9.exe
        "C:\Users\Admin\AppData\Local\Temp\7ec9e2332a8da4f40d544c350ab0603e0833946bddcffd43caab19edaa3b6ce9.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:3028
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a77BF.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2248
          • C:\Users\Admin\AppData\Local\Temp\7ec9e2332a8da4f40d544c350ab0603e0833946bddcffd43caab19edaa3b6ce9.exe
            "C:\Users\Admin\AppData\Local\Temp\7ec9e2332a8da4f40d544c350ab0603e0833946bddcffd43caab19edaa3b6ce9.exe"
            4⤵
            • Executes dropped EXE
            PID:2088
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3016
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2628
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2532

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        2a5530283db2f46911717c22450410d5

        SHA1

        ab5099f2db80701ad31d150a51b46889d43128b9

        SHA256

        f4b5efa5a3d360fd64df39856649a30683711e4f22758660f2f7dd5c04e2bed0

        SHA512

        5f076f11e4c54ff29907e28e43275735cc82710c05202284422626b75374ed538dfb422ffcad505dccd255c84b5c9b66c34d650253a9d251d824f4e8765e95ca

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a77BF.bat
        Filesize

        722B

        MD5

        8b9f37127895f1db778eaf73d21ad0c5

        SHA1

        3dfbe51d90ed604492f50681cf3f0eac80294cdc

        SHA256

        ad1a291853e56dd2e40a95db48061dcf84ecae5b4fdeed0d2b0abb447ce969d9

        SHA512

        c7cbb400218a6d6a8d7d9352ec6cbeb7c17eeac2bfd4e0f4d06b47e5f22be5bea0fececd4ad3390b8c89a1eca018688ae505d854598a2cfecdcf7a4d93223673

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7ec9e2332a8da4f40d544c350ab0603e0833946bddcffd43caab19edaa3b6ce9.exe.exe
        Filesize

        176KB

        MD5

        35fdbc2ed8d67b594f71bfbbbd9d0211

        SHA1

        fa18f37bfeb2662ab8fd376408aae7eb0f001cdd

        SHA256

        b581b4039e0c030a1f7368ee247c3049d6487ead7a5eae10f05d05c6489185c5

        SHA512

        a99807bc1c2ace7db4fae560c1ed0e9c75541743369d75f09ed7b782a22e47fb5a909789c911df9418b8e0cb883fd1ac981fa63b63a8db0e3e4aa0241cb33919

        Download Submit

      • C:\Windows\rundl132.exe
        Filesize

        26KB

        MD5

        9e0bc600a539724474d993ba6152bce2

        SHA1

        f5eb402e6aad061d3775e719455e2f96023a426a

        SHA256

        4b5c7d6d585dcdf378555aecad7ad0d4d609ae281d6bc628669478c13ed0b4e5

        SHA512

        f2a4a0325c54861556f006ea4843c9a8cda8c8f282e7f9e7dc9a3b60905d022e38f80121375ed5f0b00b451596fcf6c4baaad5f5e0ae3db8b6f2cc12c09001c4

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-406356229-2805545415-1236085040-1000\_desktop.ini
        Filesize

        8B

        MD5

        eb3fe7085aac4986a5db69d6c382011f

        SHA1

        19c0d93bf576dc3bcf232628428d6218f91767a0

        SHA256

        41f6ad8112406e684ecf32a535c20fbac2db8d577e00b14197146b599a4b6ab2

        SHA512

        26ed6484407c76b27987c2ed0e5ec2522ea6053de299c486841195690c536d72d0569fb291a9b9a91ce74fa22f4c37c43b491f4d0ff00afb8771bd36a7dcf508

        Download Submit

      • memory/1196-30-0x0000000002950000-0x0000000002951000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3016-98-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3016-108-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3016-3312-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3016-32-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3016-1852-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3016-39-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3016-318-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3016-46-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3016-92-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3016-22-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3028-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3028-40-0x0000000000260000-0x0000000000294000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3028-16-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3028-11-0x0000000000260000-0x0000000000294000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3028-17-0x0000000000260000-0x0000000000294000-memory.dmp

        Filesize

        208KB

        Download