Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

6

Static

static

3

a0a30b7768...e5.exe

windows7-x64

6

a0a30b7768...e5.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    152s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/03/2024, 02:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a0a30b77689b576933f180e999cf603a0b85e08fbb223e10804458b735d98be5.exe

  • Size

    26KB

  • MD5

    3b6a05b3634e7169fd0ad6deb0dbc644

  • SHA1

    4beb4f3237883a962da7c83f9c9fcb8e3924912c

  • SHA256

    a0a30b77689b576933f180e999cf603a0b85e08fbb223e10804458b735d98be5

  • SHA512

    c1cbe6bc734de171ecd9882899f03f82f28e82d99412bff8af5c22d18c4455dcdb3695ff38f3e720e74a3b9c373ee4191d21a92ecfdf952c15403e3bbb382af5

  • SSDEEP

    768:m1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoL:AfgLdQAQfcfymN

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3364
      • C:\Users\Admin\AppData\Local\Temp\a0a30b77689b576933f180e999cf603a0b85e08fbb223e10804458b735d98be5.exe
        "C:\Users\Admin\AppData\Local\Temp\a0a30b77689b576933f180e999cf603a0b85e08fbb223e10804458b735d98be5.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2916
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3868
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2484
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1312 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:1324

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\dotnet\dotnet.exe
          Filesize

          165KB

          MD5

          43077a8a7047fd604bdd5b9074e47612

          SHA1

          fd7c781c75bd0406957196ab863511c9cdcdeed7

          SHA256

          d6f313ec62045eaaba0c0c86fc2752452b7e381ab5b405432a7932858d123582

          SHA512

          d0bdd48d9c5858aecf33cb7803c5e6dedb47e9b95c8d89bc36121251a834496a66625ddb950f65244bc8407a1c3bb8245b5ca76582e8f91d1b5f372c825b505f

          Download Submit

        • F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\_desktop.ini
          Filesize

          9B

          MD5

          cbff752523567179ac32a14f905e1944

          SHA1

          446aa136e2ec27c083df7dd49d0252f1c0243bde

          SHA256

          eb7756d2a0d4fe754f1fe3d1d30c92a3f7ac52252b13cd171fd7ce553d760371

          SHA512

          9131c53463d7ce35aa85fbd70b312fdbc04c7c649fae0f6a762758e8e39ee863bdf84a6d23d1879814f69a6d4c4fe38501235c2e557b68309d560f06c18e9eff

          Download Submit

        • memory/2916-0-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2916-5-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2916-13-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2916-19-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2916-24-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2916-28-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2916-363-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2916-1002-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2916-1003-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2916-1170-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download