Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

50a9ef582d...97.exe

windows7-x64

7

50a9ef582d...97.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    14/03/2024, 15:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    50a9ef582dd6fea0c43b743f6f2544d96b2fbcccb5e575ccca0deff79a7bbf97.exe

  • Size

    522KB

  • MD5

    e17b6b6f7937580c8dc8d090142ef388

  • SHA1

    73af51ecb513bf54607fac2f52c00977e8644744

  • SHA256

    50a9ef582dd6fea0c43b743f6f2544d96b2fbcccb5e575ccca0deff79a7bbf97

  • SHA512

    a7a28596f253662dc52ac95ec961c05dee398832896707d5d177093bd61cb38d432aa2c005221c0edde4074d3b57160f82a206b6d1544c4c67374a1b4fc51120

  • SSDEEP

    12288:GIpa5aalihAQVTZmMFvH/K1J7iaVe9891odTJv0Oi/IqpDLQ9D7310iPfhj6B/7Y:GIzxmJaTJM/Ikc10iHhj6BdAGbk

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1200
      • C:\Users\Admin\AppData\Local\Temp\50a9ef582dd6fea0c43b743f6f2544d96b2fbcccb5e575ccca0deff79a7bbf97.exe
        "C:\Users\Admin\AppData\Local\Temp\50a9ef582dd6fea0c43b743f6f2544d96b2fbcccb5e575ccca0deff79a7bbf97.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2268
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a8B8D.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2932
          • C:\Users\Admin\AppData\Local\Temp\50a9ef582dd6fea0c43b743f6f2544d96b2fbcccb5e575ccca0deff79a7bbf97.exe
            "C:\Users\Admin\AppData\Local\Temp\50a9ef582dd6fea0c43b743f6f2544d96b2fbcccb5e575ccca0deff79a7bbf97.exe"
            4⤵
            • Executes dropped EXE
            PID:2512
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2924
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2664
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2552

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        254KB

        MD5

        0ade624ff15070cf156e6ed6f017c8c8

        SHA1

        34bc8312a862e5712d2882174857cd7bf6cdaa27

        SHA256

        4a24bde816eee011a6ac9f397a89300b161eb1bce1905fb14128731d096ee8e0

        SHA512

        13c6afbc73b1f436bca8e15bf8c77fc26ef2df79b01f8c6937b6da7639d368f34064057a88d3261866eb06a7514412322fd093620c5931641ca3376cf0e9e02e

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        474KB

        MD5

        b8bebb43c19eb2fd80dd7e89c855b564

        SHA1

        8cfe1e082e035c32f8875995b007b5ab56b2ee0e

        SHA256

        6f4198f11d1902681e0af068a18a2d13fcf8211c35cd91c082777e912865e15b

        SHA512

        7995e79ecf24f803a407f2121c90b16e7d9ab94daa451a0e571cc8d7258287c21bd12ef65faa6b407a0583e04b08d2f2956c0dbf6000941ee44b655b4c147fac

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a8B8D.bat
        Filesize

        722B

        MD5

        71fca96b912d942d5d45a52f79daf0c3

        SHA1

        959ee27345577d1a955307fa12db5debac71f88d

        SHA256

        4f11b1f6cb39d55a88d1cbecf6c0062d7a9074ca2bc6a9d501c7600e7001923c

        SHA512

        21200ab78d59d9d74c013341093f322be7ba38165399a535bec91841c5f6b8b5c5026ebfda051f020dd9b1923483a56b481db55231de3bc4077043fcdabd831c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\50a9ef582dd6fea0c43b743f6f2544d96b2fbcccb5e575ccca0deff79a7bbf97.exe.exe
        Filesize

        492KB

        MD5

        d7d385f74966bfd5ee2214243aaa5b93

        SHA1

        67ff52e9e7b4e5c63c724a8a44c147fe27142a8e

        SHA256

        90a891221dfc24ca4531976b0454889d11f37480c52f279df3c9b58494eb7f3d

        SHA512

        6a29f29c28ff63f947a8ed30b2faa89cdb61662feac0138a411b2ad9184efef6091570146f0773ff23df671001d72665379871de1d102392537225b1800ce792

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        29KB

        MD5

        473711bbfb07bfa8d48f90ce5cd98722

        SHA1

        078cf218ab0c51df8df4bd794960076984f99a55

        SHA256

        b84f8bd547c5b90053c1f19ab8e22891910c386a8289b558e1a60690c3a09aa9

        SHA512

        d84f7bc7f264baa68751752f2f10ea3f15d9118e81b5035a346b23419e46287641f9bd026087181235be03314850d85aeb04a6106df8e02ddf2ada36644b5935

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\_desktop.ini
        Filesize

        9B

        MD5

        b2c5a70d0c0f7486eb7bcd691664669b

        SHA1

        0be0eb4afb44c300b16181ffb981db5d2e6563e8

        SHA256

        3369ac2d9926df9466c914d7bafae58764696319b1584f9f83202267db0f8799

        SHA512

        5d9ec62e9872989b928f4372fe35a4fec4ab6ae308a2d0191b487cfa1bdca276bb5ac54c7d3ba59d081128dcfb40252e40089e03ca4600ee428714a322628d14

        Download Submit

      • memory/1200-29-0x0000000002B10000-0x0000000002B11000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2268-15-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2268-16-0x0000000000440000-0x0000000000476000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2268-0-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2924-31-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2924-44-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2924-90-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2924-96-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2924-278-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2924-1849-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2924-38-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2924-3309-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2924-19-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download