Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

50a9ef582d...97.exe

windows7-x64

7

50a9ef582d...97.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/03/2024, 15:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    50a9ef582dd6fea0c43b743f6f2544d96b2fbcccb5e575ccca0deff79a7bbf97.exe

  • Size

    522KB

  • MD5

    e17b6b6f7937580c8dc8d090142ef388

  • SHA1

    73af51ecb513bf54607fac2f52c00977e8644744

  • SHA256

    50a9ef582dd6fea0c43b743f6f2544d96b2fbcccb5e575ccca0deff79a7bbf97

  • SHA512

    a7a28596f253662dc52ac95ec961c05dee398832896707d5d177093bd61cb38d432aa2c005221c0edde4074d3b57160f82a206b6d1544c4c67374a1b4fc51120

  • SSDEEP

    12288:GIpa5aalihAQVTZmMFvH/K1J7iaVe9891odTJv0Oi/IqpDLQ9D7310iPfhj6B/7Y:GIzxmJaTJM/Ikc10iHhj6BdAGbk

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3444
      • C:\Users\Admin\AppData\Local\Temp\50a9ef582dd6fea0c43b743f6f2544d96b2fbcccb5e575ccca0deff79a7bbf97.exe
        "C:\Users\Admin\AppData\Local\Temp\50a9ef582dd6fea0c43b743f6f2544d96b2fbcccb5e575ccca0deff79a7bbf97.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2044
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a449A.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1792
          • C:\Users\Admin\AppData\Local\Temp\50a9ef582dd6fea0c43b743f6f2544d96b2fbcccb5e575ccca0deff79a7bbf97.exe
            "C:\Users\Admin\AppData\Local\Temp\50a9ef582dd6fea0c43b743f6f2544d96b2fbcccb5e575ccca0deff79a7bbf97.exe"
            4⤵
            • Executes dropped EXE
            PID:3012
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3292
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1808
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2004

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        254KB

        MD5

        0ade624ff15070cf156e6ed6f017c8c8

        SHA1

        34bc8312a862e5712d2882174857cd7bf6cdaa27

        SHA256

        4a24bde816eee011a6ac9f397a89300b161eb1bce1905fb14128731d096ee8e0

        SHA512

        13c6afbc73b1f436bca8e15bf8c77fc26ef2df79b01f8c6937b6da7639d368f34064057a88d3261866eb06a7514412322fd093620c5931641ca3376cf0e9e02e

        Download Submit

      • C:\Program Files\7-Zip\7z.exe
        Filesize

        573KB

        MD5

        2b6d385d709ec59144a9469864eaf043

        SHA1

        e7c26a6e98078fabc6fdd9cc2ce266d09abd231d

        SHA256

        fca73fe5fecacf0c901994d36eab0abc4be509d8562002fe8bb429f04559121e

        SHA512

        67cd79856a07f983ab44ca2fc884889dbf8ebdc67de60afa15c1e4987dc46e5c4d249c529d100c93a80ecff5017c9ec3073559c9169d748a4fb885119d3e11cf

        Download Submit

      • C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
        Filesize

        484KB

        MD5

        796e608e7d76ebea1efdb17e6b2c929c

        SHA1

        4053d83155f3eed6c3091e36457ae092f7db9261

        SHA256

        6e6da29ddc014c849a964eae72e70e7e7fdae41cde783f1655e5d7251efe56ef

        SHA512

        a0bc2809b0942009cffa2f40fa246ae4ba1ae093dc6e362506743982559bc70a98ffc409cdb5d7087aef411096588cab4a28503e23c95472f996058cad7b4b99

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a449A.bat
        Filesize

        722B

        MD5

        f88b76b38cd2ac28497412a3b91b1a11

        SHA1

        074951e3d7a28a56cd68db17fd9848898af6ed42

        SHA256

        15f9ff0d36c03563293dc85b9e07e50eb40c04a8cd8b116df085315fb3646966

        SHA512

        fc5dac2b912c7e7e7e882f09880a4302a123b95eeb784cdf27b877029141930aa4935fe4786ea0777fb1613385a7a44218f0a700a46fb2673e5dc0cc590147f0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\50a9ef582dd6fea0c43b743f6f2544d96b2fbcccb5e575ccca0deff79a7bbf97.exe.exe
        Filesize

        492KB

        MD5

        d7d385f74966bfd5ee2214243aaa5b93

        SHA1

        67ff52e9e7b4e5c63c724a8a44c147fe27142a8e

        SHA256

        90a891221dfc24ca4531976b0454889d11f37480c52f279df3c9b58494eb7f3d

        SHA512

        6a29f29c28ff63f947a8ed30b2faa89cdb61662feac0138a411b2ad9184efef6091570146f0773ff23df671001d72665379871de1d102392537225b1800ce792

        Download Submit

      • C:\Windows\rundl132.exe
        Filesize

        29KB

        MD5

        473711bbfb07bfa8d48f90ce5cd98722

        SHA1

        078cf218ab0c51df8df4bd794960076984f99a55

        SHA256

        b84f8bd547c5b90053c1f19ab8e22891910c386a8289b558e1a60690c3a09aa9

        SHA512

        d84f7bc7f264baa68751752f2f10ea3f15d9118e81b5035a346b23419e46287641f9bd026087181235be03314850d85aeb04a6106df8e02ddf2ada36644b5935

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-3270530367-132075249-2153716227-1000\_desktop.ini
        Filesize

        9B

        MD5

        b2c5a70d0c0f7486eb7bcd691664669b

        SHA1

        0be0eb4afb44c300b16181ffb981db5d2e6563e8

        SHA256

        3369ac2d9926df9466c914d7bafae58764696319b1584f9f83202267db0f8799

        SHA512

        5d9ec62e9872989b928f4372fe35a4fec4ab6ae308a2d0191b487cfa1bdca276bb5ac54c7d3ba59d081128dcfb40252e40089e03ca4600ee428714a322628d14

        Download Submit

      • memory/2044-0-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2044-9-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3292-37-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3292-32-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3292-39-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3292-12-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3292-1008-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3292-1175-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3292-26-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3292-4740-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3292-19-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download