Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

6

Static

static

3

c00cca3e27...79.exe

windows7-x64

6

c00cca3e27...79.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    15/04/2024, 22:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe

  • Size

    26KB

  • MD5

    d4c1c1e7a7bb540a3ccc24994940320e

  • SHA1

    e5212546a62657b13530aee8d8608ba68e630e08

  • SHA256

    c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79

  • SHA512

    5b5bfeb351d4d8250f81db1f720fa1fea7b17ef06074f870a86948107b37eca5e8111126c37d1efafcb21d40ac0beaeda25b43b21af869659a5914b55a675328

  • SSDEEP

    768:Yo1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoZw:vfgLdQAQfcfymN

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1208
      • C:\Users\Admin\AppData\Local\Temp\c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
        "C:\Users\Admin\AppData\Local\Temp\c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2056
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1260
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1748

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        9a0157099f583c025f870abcf927d8b9

        SHA1

        b81a4fce849acc1d5a410ab5a6d18b9360aa3b08

        SHA256

        0e8876d8c7bde1ad018d4e4cd0792ef1dc6748497a31bc7ca1c3b90eb86e02d8

        SHA512

        d18fbc97929575eebac14374dc5c886745cdb2de66d5d62a3145bf848aeb67f07a59fe80487945b376158cce2d53670e33c3dc61c17d8e475b148a975ef3343f

        Download Submit

      • C:\Program Files\7-Zip\7zFM.exe
        Filesize

        956KB

        MD5

        8523fd0788b5332ec47fa35e5b67ba17

        SHA1

        b81fa119719c3c6c8b8ca09b8d101bf250affb96

        SHA256

        813d9e066113bd91f2a9f82a34b34e2c121b59f5719bb20e60f2299c7f50a699

        SHA512

        e3fabf06891cfb81cb0da2a638bd64fc06c337b6feee1e30117114e9ad7162368eaf905ebdb0a7ff6ac16762f0b6b1002a79f99a63c299104bc1344c9325efa9

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        471KB

        MD5

        99ea9b604a7a734d3087fa6159684c42

        SHA1

        709fa1068ad4d560fe03e05b68056f1b0bedbfc8

        SHA256

        3f733f9e6fec7c4165ca8ba41eb23f604a248babe794c4ad2c6c3ce8032aab1c

        SHA512

        7af8008c7e187f925c62efc97e1891a7a38d089302dba39fbde137fb895e0592847ed0982c824c2075be8e6b95b6ce165ecb848ab85adf53779ebef613410fbb

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\_desktop.ini
        Filesize

        9B

        MD5

        137c71ab33d39f41d1d0f506748620c6

        SHA1

        615708c800cedc2541589174e6e677e1563367b5

        SHA256

        f1a3a71540f6e454bf800af51e8e8085c233f7281852519bd8b0ae36071f13e0

        SHA512

        cb8e0ffac4c5606dec5cc9ccdb6ac981ed120efc64a4f4750ac59149280da5fb379c2af737bde3d9e23ca21c3ee3fa9e6c252dee9ef22102886e2390c9d504fc

        Download Submit

      • memory/1208-5-0x0000000002A90000-0x0000000002A91000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2056-66-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2056-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2056-72-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2056-20-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2056-597-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2056-1825-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2056-2311-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2056-14-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2056-3285-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2056-7-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download