Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

c35935bc66...e8.exe

windows7-x64

7

c35935bc66...e8.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    154s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    13/03/2024, 23:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8.exe

  • Size

    182KB

  • MD5

    6bc1a74ad2949cd87554036930689aca

  • SHA1

    da2878bb7b13df1abc4564598a868a347b8b6fa6

  • SHA256

    c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8

  • SHA512

    e734b3ec73c7b3c5a1ab26f4a988f68c2147c95220d5a0c7efbd2884062d0cb8e808953daa7e461decbf12e0949094465a98f97951666bf19ae36ac18fd9ab70

  • SSDEEP

    3072:xftffepVPhsJCQIZHJTpprL8FZjuAZcU6xeZ/swaOL+2aDOI+MzGVNgZb+9EeMK:5VfgPK4QIZHJTAuAZVmeZ/6OLX+vXZC3

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1192
      • C:\Users\Admin\AppData\Local\Temp\c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8.exe
        "C:\Users\Admin\AppData\Local\Temp\c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1324
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aC40A.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2452
          • C:\Users\Admin\AppData\Local\Temp\c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8.exe
            "C:\Users\Admin\AppData\Local\Temp\c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8.exe"
            4⤵
            • Executes dropped EXE
            PID:2620
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2896
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2560
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2612

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        770e80db366145f997b81f8040496869

        SHA1

        4d924c50b0c714b97047df34a0bd4adaf2de6a83

        SHA256

        dccf1246394aab3657a9ebd19ebd4150b9420f438bd50e40aafbc8ac8d51ebdb

        SHA512

        754b5ee9fdcc4614ad626ece4d684fdc2f4b20d5c20042dba268f4c7b1c913b2b707ac1903bfb85a79598975e4b6ab4eb508660a242cb9feb2196d6368a6ff8d

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        471KB

        MD5

        1a0dbecba0dbb963c2f3b0448796d47a

        SHA1

        5c0b5d378d3614fe984ce2915b5720886992da0c

        SHA256

        1ea2fb84177a921bc3df4763c3da53a970e192f93f6175d09696ded019e50cf8

        SHA512

        8e25dc08fa6f280a6bc1ccacb1ce665ab055b5d539f8915915fc7536c90185a221cb0c50a02d34b521b871b8487a155b9c40a5f25df87306e1df24ca7e96da25

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$aC40A.bat
        Filesize

        722B

        MD5

        9598b277ceab2830b02cbe5610746b1f

        SHA1

        4d5f983ed2f42670e9acf3bcc7dfd3836f0741bf

        SHA256

        1a0c55d35e8c784e38ab8b709af3ed1593634f9ca31b7a304032c3cd9ecf7f40

        SHA512

        90d57ca9b6fd494549e4a55622700f271f219ef5b32ef0ca7c33a860ebf93c24d4c1b0eb9a598bef4be4271c8468504a6929ffa2ed94cfc992e8a9fea5097410

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8.exe.exe
        Filesize

        156KB

        MD5

        39e25fdcbc0fe52d96da002d453561fd

        SHA1

        45ff4ac06ed22d72700b17463c798b7a7133d048

        SHA256

        e77946b429093c874157b1dbc11cc69a137747ef1eab9bd3c2fb3d8e991934c3

        SHA512

        48add6448f3da3336fbf0efeee7b199f6d9508da31911df82f22ef0f6b8408e3100d4c21390cb420e45ee7eb037231e6e5a2c84b8a4022239053521c92bf0d30

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        8758044db9fce67ea2ad542f86e69e57

        SHA1

        60cc4d25ea4e17f676e8ac8be10b9dfe2f7ed67d

        SHA256

        0c91b552dc6db19b6711e32cb8c9c604b60dc9d674be06cccb6adf08b4dbd82d

        SHA512

        411737be53feaef0829190b6610c729b925949bcc0b4a65063ab393acb1a92c577093e6377a373704ce54d27a593f2faddc23c80c660638f7c304a93f1972c93

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-3787592910-3720486031-2929222812-1000\_desktop.ini
        Filesize

        9B

        MD5

        6304f6cd23949a0e203abd81fc93bcfd

        SHA1

        260299dcdd7b9af6298e036322e7493d3598ab44

        SHA256

        6e249dd60655637cf4a7f940b41cfc3b70dc36b986a37babad9180d29d22adb8

        SHA512

        ce9d77f19554bdfdf7bc99adc9a9cdbc79c3d30f901b9f47ffb8e2d737c7a3fceb059de56993f9092c4ba0276b9d6ebc035fd48298dc62e11a9ef05bb9e00ab5

        Download Submit

      • memory/1192-28-0x0000000002A30000-0x0000000002A31000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1324-15-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1324-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2896-20-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2896-43-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2896-89-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2896-95-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2896-228-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2896-1848-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2896-37-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2896-3308-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2896-30-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download