Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

6

Static

static

3

a9bb2f6d8d...1d.exe

windows7-x64

6

a9bb2f6d8d...1d.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    16/03/2024, 02:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a9bb2f6d8d93e8d59a51dd8b80eb1aded5775602bef2155d6df7f9349854f81d.exe

  • Size

    29KB

  • MD5

    3860023d0534f7b5e84b77da9a7eaca7

  • SHA1

    9072ddac934b457ea37c14d1080479cd81b3fc83

  • SHA256

    a9bb2f6d8d93e8d59a51dd8b80eb1aded5775602bef2155d6df7f9349854f81d

  • SHA512

    f3a34f0edafe327a3cb7b2f6288687aeb038f3f505c660819e34e1442b54ab83db9d16f4bd145982b427d13ee5b500d92a1108b74296f30067df2cc17e4a4599

  • SSDEEP

    384:NbbCI8WU7tx1Gt5M0zhIV/DZ3KZp7JcTO4yf9Knuf2MqlUV2V9wVfUnfRqOzGOnj:p2ssf16GVRu1yK9fMnJG2V9dHS8

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1396
      • C:\Users\Admin\AppData\Local\Temp\a9bb2f6d8d93e8d59a51dd8b80eb1aded5775602bef2155d6df7f9349854f81d.exe
        "C:\Users\Admin\AppData\Local\Temp\a9bb2f6d8d93e8d59a51dd8b80eb1aded5775602bef2155d6df7f9349854f81d.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2756
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2036
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1216

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        254KB

        MD5

        451cb4702f081d1bcf30db8f8e1f6374

        SHA1

        a40966c01860952bf0ba04d6fa17325afbc00d2e

        SHA256

        5bb371d428a456d57417a247b5a324629bfac538dcf583aadf2cc1e7ba7af33a

        SHA512

        33119d0b56c58bbb1347654c7424a059a08ed28c6d943755e41e2e5480c1df15f2085a913ff6affc31a9e4e1e922f68dd33b7a61186d282a4ca16db948e7cc49

        Download Submit

      • C:\Program Files\7-Zip\7zFM.exe
        Filesize

        959KB

        MD5

        07247467c35ceaca9bc0acbd349797b5

        SHA1

        1bd8374208b9c7cd332d1bba6771b1f94a028544

        SHA256

        e415b5c121c67ef0dc961b3418b044219be48beaf84aa1367b0009c6c1c4ad83

        SHA512

        52903b5506ac0172a6ff004df29783c0f02dc5520286164dcd540df9795a459d0ca967071691c940e7b47eebcee2240ebd9e2b969bf9b40444a8bea0b7fb5342

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        474KB

        MD5

        b8bebb43c19eb2fd80dd7e89c855b564

        SHA1

        8cfe1e082e035c32f8875995b007b5ab56b2ee0e

        SHA256

        6f4198f11d1902681e0af068a18a2d13fcf8211c35cd91c082777e912865e15b

        SHA512

        7995e79ecf24f803a407f2121c90b16e7d9ab94daa451a0e571cc8d7258287c21bd12ef65faa6b407a0583e04b08d2f2956c0dbf6000941ee44b655b4c147fac

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\_desktop.ini
        Filesize

        9B

        MD5

        cbff752523567179ac32a14f905e1944

        SHA1

        446aa136e2ec27c083df7dd49d0252f1c0243bde

        SHA256

        eb7756d2a0d4fe754f1fe3d1d30c92a3f7ac52252b13cd171fd7ce553d760371

        SHA512

        9131c53463d7ce35aa85fbd70b312fdbc04c7c649fae0f6a762758e8e39ee863bdf84a6d23d1879814f69a6d4c4fe38501235c2e557b68309d560f06c18e9eff

        Download Submit

      • memory/1396-5-0x0000000002A50000-0x0000000002A51000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2756-66-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2756-0-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2756-72-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2756-20-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2756-192-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2756-1825-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2756-14-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2756-3285-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2756-7-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2756-3629-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download