Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

e0b7ab3127...71.exe

windows7-x64

7

e0b7ab3127...71.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    181s
  • max time network
    196s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/03/2024, 04:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e0b7ab3127f73fc44af1af4362511e71.exe

  • Size

    166KB

  • MD5

    e0b7ab3127f73fc44af1af4362511e71

  • SHA1

    ce8ecbb24762f4c03b79a8020ccce06dc25414e4

  • SHA256

    47e3e5fbba12babd157f4fb1a8388088384f070847f5e86836898f52c8fc2afc

  • SHA512

    4b74979c59a50935f036e1852b7f6fe48e8159d0a45db202f5a356ca306c3ddebfd02de868583602667aecefd0042f3621dd38d332f5dcf0281d9ea852dc99bc

  • SSDEEP

    3072:ILe+aX3zvUzAMe5CZbJ/uKtGvF13q/POIekjNbf6JclSN2uAhRG9C+:3+aX3L2ARGFPR+kxmiWAI

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3548
      • C:\Users\Admin\AppData\Local\Temp\e0b7ab3127f73fc44af1af4362511e71.exe
        "C:\Users\Admin\AppData\Local\Temp\e0b7ab3127f73fc44af1af4362511e71.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:644
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1964
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:4624
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a466A.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2504
            • C:\Users\Admin\AppData\Local\Temp\e0b7ab3127f73fc44af1af4362511e71.exe
              "C:\Users\Admin\AppData\Local\Temp\e0b7ab3127f73fc44af1af4362511e71.exe"
              4⤵
              • Executes dropped EXE
              PID:3052
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2952
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4752
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:1524
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:3864
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:668

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files\7-Zip\7z.exe
            Filesize

            577KB

            MD5

            7bf500941b5c6b7af0458bc6fd7649ff

            SHA1

            7f8188f459d1f94cfdcf13dfc3775fe73df97f6c

            SHA256

            320fe62fe1b452c6562da3473118ee796e0f8af3ef53d4e5d9ace935015530a9

            SHA512

            5f62fee80c99ce2d4f5cf752db2bd73b1b5a2495cf85fb6c0ae703e3ce8a5860dd7ef27792c7e8a728920f39bd8b53d71b968160e070dd7603b09229e9b004b8

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a466A.bat
            Filesize

            530B

            MD5

            0abf569cee883d52333481bc9f88f27f

            SHA1

            6d749e890aa08d0ddcd6cbb22374c12f49f11139

            SHA256

            dc2e73c9a6ed9aee6f3a6f2c0e0dc619cff72d4210bc53384f2b584108852af6

            SHA512

            079e9406097873216ede6e644fc08269d27ae945ffc0df92544aab0b7622969f3ece44be9eb1c6842ac047faa6dbc7a329d7c8f1037f4c345bb7795b28a558e6

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\e0b7ab3127f73fc44af1af4362511e71.exe.exe
            Filesize

            133KB

            MD5

            199f5eceb89ea8d47752c7d93282aaca

            SHA1

            89bc3c28445228994d2fe2927ed7a58e90d88f6a

            SHA256

            857fdaa2bd8d84efe9ebeda9b8577c30da8cff4e2f7db80b06a07c89c22e6da7

            SHA512

            ae21d78626787f6c07e20473b157548e705d39c05e2167647506c81ca3857c1fda53e959956dec30d61eade5a26b09cad03b2ffa3615ce982fe1412c1d416949

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            882fb7fca0106ebde62148a324a99e18

            SHA1

            22c2ed58751ee35ca2b96342c5c42894501e3ec5

            SHA256

            d36e1c820e2e2390f17125140b2d19e092b2a75ba12d7816ec4acec15c3a2dcf

            SHA512

            e92448eb03243d31f04daff133b1db922bfe1ee9a1721bb5afd8c67a426617865e51daa7378ae883598084bf286472cce5288e9ed3210169a01497c1c0064c27

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-609813121-2907144057-1731107329-1000\_desktop.ini
            Filesize

            9B

            MD5

            f290d5b34b77b963189d043630703b29

            SHA1

            f3dbfaa00f863d39575c7adf50bddbf02900d6b3

            SHA256

            4c76a275d94e486451f7797077242c8636df44e88643a2208b0a876c4ad5433b

            SHA512

            b4ffa173d60592b9219d188bd7eb4d96e0543e4c5350b903d96e0afea437f71753a520ac4397df2a39df8b84a9230f51c959995f8e436bcac4ff3567e9b35ef9

            Download Submit

          • memory/644-1-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/644-11-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/644-0-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2952-37-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2952-19-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2952-9-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2952-783-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2952-791-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2952-814-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2952-1174-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2952-1605-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2952-1614-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2952-1617-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2952-1620-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2952-1624-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/3052-18-0x0000000000400000-0x0000000000425000-memory.dmp

            Filesize

            148KB

            Download