Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

6

Static

static

3

d1dac160c0...fe.exe

windows7-x64

6

d1dac160c0...fe.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/03/2024, 01:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d1dac160c031e0cc6a9503e1e0b4a36571e0293ba050f5a9c859ece04896dffe.exe

  • Size

    29KB

  • MD5

    5e89dcb94742ed6215c602c94b743e50

  • SHA1

    0699c02b02d583ae5292a68e0ade2ca27992e1f1

  • SHA256

    d1dac160c031e0cc6a9503e1e0b4a36571e0293ba050f5a9c859ece04896dffe

  • SHA512

    84e8e5645828712fe3e372e1bcdb9453133873b487cc2088d3b8562f948061a041bbe22f93361b62d30ae55cbaf955cef7dc36978eb59c7cbdde2f86f8ce31ad

  • SSDEEP

    384:NbbT2wuPW1Gt5M0zhIV/DZ3KZp7JcTO4yf9Knuf2MqlUV2V9wVfUnfRqOzGOnJh:pAPW16GVRu1yK9fMnJG2V9dHS8

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3432
      • C:\Users\Admin\AppData\Local\Temp\d1dac160c031e0cc6a9503e1e0b4a36571e0293ba050f5a9c859ece04896dffe.exe
        "C:\Users\Admin\AppData\Local\Temp\d1dac160c031e0cc6a9503e1e0b4a36571e0293ba050f5a9c859ece04896dffe.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1212
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3648
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:4916

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        254KB

        MD5

        d20a8f02fb08eecf5f0eb07335b3422d

        SHA1

        dcdd5d2f82c7870591425528b78634e08eb34ca9

        SHA256

        c33037d6b0e39147d1383fd9a5c2763c6dadaf47f90bc325736f9f382b408d2f

        SHA512

        602c3c440e594e8893c94e55c4975a1287d48ebe08e22cbf8483d23de7c83b6c3908fae7214f7b42e32354d24aaffb9311804bfb792e0d8d706b10973ecbd534

        Download Submit

      • C:\Program Files\dotnet\dotnet.exe
        Filesize

        168KB

        MD5

        899bcb3ed62e158144c97e6370699e6d

        SHA1

        80c35a34acc45d110839ce480ed466259b50f67e

        SHA256

        c7d868d441b98cbacd1fd6eba3a56c76e2d3cbfd7139f6fb11564ad6b6c441d1

        SHA512

        511b2479914ffe487ea34d2b39552c5d87be78f7c31a7ab638de9e886135e1f04b6b2da13db4c0faa655383756254a12d066c62ccc4d41506c32e61d845a1578

        Download Submit

      • C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
        Filesize

        484KB

        MD5

        a18a138107cc6dfd869fb58fad8b080d

        SHA1

        e9153e35ed7ff73a9450775f93cbc5b69d17f129

        SHA256

        907520b96672f6bc5f1dff8b7b0bf8efc7f5c439dfbf0ed4d3f85b1e7d15ceb3

        SHA512

        016adf8fcd24de11c7f1e4516feccaf05fa6f283607e36727327f74183660aa35afab558d155e045b41ca8eabbd18ac98355e59ef0b14420eac78941841b7503

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-1497073144-2389943819-3385106915-1000\_desktop.ini
        Filesize

        9B

        MD5

        9d515d16952bdb1cf51672ad091046bc

        SHA1

        5fe954c6d41499122182eb48cf6f9d203b9eae7c

        SHA256

        12ddf5d72be26a3f4fb46d905661e24bf30948454c9701f20e50436a238a25db

        SHA512

        d0f7522406355a837e55f5a99b6969ed4b0ccbc2e427b83a917eedffc37899b139c2b33ea73a90469a6045b3b71848bf97641528644a4a3f55d666223fa31d4b

        Download Submit

      • memory/1212-28-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1212-23-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1212-0-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1212-19-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1212-988-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1212-1151-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1212-2213-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1212-12-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1212-4702-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1212-5-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download