Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    10/04/2024, 23:08

General

  • Target

    1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e.exe

  • Size

    957KB

  • MD5

    39c429cd98ca9863321e64fb61feaa3f

  • SHA1

    6d4d409f5426da36b1a4f9c47352939c782e16e7

  • SHA256

    1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e

  • SHA512

    e91b49e26c9cd52fc6ef277358480c280ce28b1ca5e3f5a111b70c179043a4a2565f8f85c87357867b4ca7ace32cc9ebb53218209e7130112357176c78a34e33

  • SSDEEP

    12288:Bp7RKcv8Nh7py6Rmi78gkPH3aPI9vyVg/0paQuj3IdD02fKBjtp/:BpEBpDRmi78gkPXlyo0G/jr

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1072
      • C:\Users\Admin\AppData\Local\Temp\1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e.exe
        "C:\Users\Admin\AppData\Local\Temp\1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1728
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a15E1.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2960
          • C:\Users\Admin\AppData\Local\Temp\1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e.exe
            "C:\Users\Admin\AppData\Local\Temp\1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:1040
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:888
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2588
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2676

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

        Filesize

        252KB

        MD5

        884491f20ab9c19ff6a85edc42b37fdd

        SHA1

        7da4e52b211caa947498bdfc2fcfe7b56ad7940f

        SHA256

        efc0f29730656326febece0fefe652573822eea84510d777fa8b83fc94b68e5b

        SHA512

        a985f98008efaa59e861e8f23d19720ebbff976b58be58f6b7276c3c2deba58d544a8517fd7601cb30ed8064006e1c6ae8e832171515db6cba9687af2437b474

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

        Filesize

        472KB

        MD5

        88eb1bca8c399bc3f46e99cdde2f047e

        SHA1

        55fafbceb011e1af2edced978686a90971bd95f2

        SHA256

        42fd78c05bc240d4ded16ac974f17c336f6ae3a1814d548021c48a942cc30428

        SHA512

        149d4de0c024e25a13a7bb17471e6f48391d4f26b1c8388672320eed1c255f84219ad7b72bbebc531ae558d5192dd4bb6d0dddd6c65a45300c8e8348a4fb3728

      • C:\Users\Admin\AppData\Local\Temp\$$a15E1.bat

        Filesize

        722B

        MD5

        3a9ed24cdba3ab19a28a172740d78dc3

        SHA1

        f738cbd23693222943332f961a062661741c1de2

        SHA256

        5318abc15349393375778274ac9271a14c3e6b4a5626c8e3074cce72b529020f

        SHA512

        dc332a514f1bebfa993bbbd94377d267704457addbefb1e05c88bffb9b37959899c033e0a838fe07d8dcc0d293df1d0f8b313d06350d173b44cab613ecd3db4b

      • C:\Users\Admin\AppData\Local\Temp\1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e.exe.exe

        Filesize

        930KB

        MD5

        30ac0b832d75598fb3ec37b6f2a8c86a

        SHA1

        6f47dbfd6ff36df7ba581a4cef024da527dc3046

        SHA256

        1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74

        SHA512

        505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057

      • C:\Windows\rundl132.exe

        Filesize

        27KB

        MD5

        a11c098e88fbd8e1071d87ba5b252080

        SHA1

        b9731f888d390d7e53a4e36ca91de322c74a624a

        SHA256

        ab5a703ea2abedf0285e3945bfb2d152daf3830070bcf23c6c8b0f76b7993e0f

        SHA512

        91903cdef6d361f7ee3015f82ab32798b080e0d418fba35f439ff9d3a245ce333953c1891c7cf0eb6172e62f503a5a54027802d40e943e6dc06ab310d44fc0ec

      • F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\_desktop.ini

        Filesize

        9B

        MD5

        95b3e5fe04e8423c49a7f69a5d13771f

        SHA1

        615b63fb8bf07dbb0565ffd492067309645064c9

        SHA256

        1663db9b496c87701f6c8f6721e92994ffdd747f949ab1070fd844c4d63fb916

        SHA512

        d9a0d342e84c32d4c0aee97be7b9a102963d1aeab7edd87b080548f7dd144d851c558e6706bec441534d8e188938655c2b551e358d342309677511404a34ce81

      • memory/888-1851-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

      • memory/888-98-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

      • memory/888-32-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

      • memory/888-21-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

      • memory/888-39-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

      • memory/888-45-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

      • memory/888-92-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

      • memory/888-3311-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

      • memory/888-855-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

      • memory/888-2868-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

      • memory/1072-30-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

        Filesize

        4KB

      • memory/1728-16-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

      • memory/1728-0-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

      • memory/1728-12-0x0000000000220000-0x0000000000255000-memory.dmp

        Filesize

        212KB