Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

a9fd233dcd...8d.exe

windows7-x64

7

a9fd233dcd...8d.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    155s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/03/2024, 02:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a9fd233dcd73094286ea754ba0d55a2f29fb2c288c510dc431a3238cc98bf18d.exe

  • Size

    484KB

  • MD5

    5b4e257698613e17472208fc5cae740a

  • SHA1

    27c2da5f032cfd23af05041cb28e7952ba37b38a

  • SHA256

    a9fd233dcd73094286ea754ba0d55a2f29fb2c288c510dc431a3238cc98bf18d

  • SHA512

    e0729ac3f5a4d73699f2663f81022b8f7e6253ce6ef5179048730601936ef62d3dfae69c268af7c07b603c05dcd6faf4bf012075f7e710a2e0fe172930007d82

  • SSDEEP

    6144:HVfjmNzz1gL5pRTMTTjMkId/BynSx7dEe6XwzRaktNP08NhKs39zo43fTtl1fay7:17+n1gL5pRTcAkS/3hzN8qE43fm78V

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3528
      • C:\Users\Admin\AppData\Local\Temp\a9fd233dcd73094286ea754ba0d55a2f29fb2c288c510dc431a3238cc98bf18d.exe
        "C:\Users\Admin\AppData\Local\Temp\a9fd233dcd73094286ea754ba0d55a2f29fb2c288c510dc431a3238cc98bf18d.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2364
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA642.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2008
          • C:\Users\Admin\AppData\Local\Temp\a9fd233dcd73094286ea754ba0d55a2f29fb2c288c510dc431a3238cc98bf18d.exe
            "C:\Users\Admin\AppData\Local\Temp\a9fd233dcd73094286ea754ba0d55a2f29fb2c288c510dc431a3238cc98bf18d.exe"
            4⤵
            • Executes dropped EXE
            PID:2684
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:688
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2880
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2572
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3792 --field-trial-handle=3044,i,17059189006398306756,4247826696353232857,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:4080

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\7-Zip\7z.exe
          Filesize

          570KB

          MD5

          b72918f60dcd76cbcf2c162836610600

          SHA1

          218f9db953eed51dcaf20479b9c2fc33faa3ba74

          SHA256

          fef9a32671bc8227b188c4ea624dedcfb028d0b7232752c4ab3c006f5b5ae5ef

          SHA512

          611aa5fc8ac80b3023890fcb9e9d0f4cb08dcaf412426c6a2d6f6917f25580054bbdb15c57394e4dc132de8518cea1d08b2485fa4d1b9ff14aa323864d661728

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\$$aA642.bat
          Filesize

          722B

          MD5

          1f8132a6dfd1087b0e046b97aa413186

          SHA1

          f685bca77afdeed0990c879239c79ab1bf2a8b71

          SHA256

          7f850fddc68ac7d564ab71edcf9ea61a0d67b8fcc295dbf73b153dba65de485c

          SHA512

          8ad7e640d18e4070cf59473a44cb37c471ce83bd0865db0f782a6f2edee9b3927bf610654f930687aefd9307eb6cbd6b50b734290a39f48f5e72efacd40a9176

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\a9fd233dcd73094286ea754ba0d55a2f29fb2c288c510dc431a3238cc98bf18d.exe.exe
          Filesize

          458KB

          MD5

          619f7135621b50fd1900ff24aade1524

          SHA1

          6c7ea8bbd435163ae3945cbef30ef6b9872a4591

          SHA256

          344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

          SHA512

          2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

          Download Submit

        • C:\Windows\Logo1_.exe
          Filesize

          26KB

          MD5

          ef3f8e388ba2c9c2c650029413ed7735

          SHA1

          c1a463b7c33c0de1dcb14bdbacf49fbd0a82b3a2

          SHA256

          1d987e0ab9167e7509e4af33e9e2f9c87871e2081f58efb1ed3f9a5f5fb466eb

          SHA512

          81cf123a5bfb905003df54d000cd000af5ed545d184a86a9eeb312044096949aafe73e942d4e07496a3f1f8a21b1270616ef1b963bd71dc767f95524f4ef4dbe

          Download Submit

        • F:\$RECYCLE.BIN\S-1-5-21-1904519900-954640453-4250331663-1000\_desktop.ini
          Filesize

          9B

          MD5

          6304f6cd23949a0e203abd81fc93bcfd

          SHA1

          260299dcdd7b9af6298e036322e7493d3598ab44

          SHA256

          6e249dd60655637cf4a7f940b41cfc3b70dc36b986a37babad9180d29d22adb8

          SHA512

          ce9d77f19554bdfdf7bc99adc9a9cdbc79c3d30f901b9f47ffb8e2d737c7a3fceb059de56993f9092c4ba0276b9d6ebc035fd48298dc62e11a9ef05bb9e00ab5

          Download Submit

        • memory/688-24-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/688-19-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/688-27-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/688-33-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/688-38-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/688-42-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/688-8-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/688-1015-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/688-1182-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/688-1797-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2364-9-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2364-0-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download