Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

99f2db0db2...6f.exe

windows7-x64

7

99f2db0db2...6f.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/04/2024, 04:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    99f2db0db26146f097c0c811ebcc275dc0682642cc75abe86f8fc6455b9aa36f.exe

  • Size

    573KB

  • MD5

    e1eae81482621cdac8824ba25efae29d

  • SHA1

    52689e758a44b270421e4cc4b2793828a1780fb7

  • SHA256

    99f2db0db26146f097c0c811ebcc275dc0682642cc75abe86f8fc6455b9aa36f

  • SHA512

    fe747b72628a8e13914b96b4bc2cba608c16661ec71e23b06d18b48af438872e5753f9fce65113d4da7cb73beabb86ce0aa0cf28472d151365b1cbd20aacd789

  • SSDEEP

    6144:ruJpE7cV3iwbAFRWAbd4nf0H05yqE6Hl0ChW0+ksllAXBu0lWGWUJJQ4t0BHQQfu:t7a3iwbihym2g7XO3LWUQfh4Co

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3428
      • C:\Users\Admin\AppData\Local\Temp\99f2db0db26146f097c0c811ebcc275dc0682642cc75abe86f8fc6455b9aa36f.exe
        "C:\Users\Admin\AppData\Local\Temp\99f2db0db26146f097c0c811ebcc275dc0682642cc75abe86f8fc6455b9aa36f.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1300
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a2D59.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1904
          • C:\Users\Admin\AppData\Local\Temp\99f2db0db26146f097c0c811ebcc275dc0682642cc75abe86f8fc6455b9aa36f.exe
            "C:\Users\Admin\AppData\Local\Temp\99f2db0db26146f097c0c811ebcc275dc0682642cc75abe86f8fc6455b9aa36f.exe"
            4⤵
            • Executes dropped EXE
            PID:3456
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2388
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1876
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:1940

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        254KB

        MD5

        a036bc46b8f17b2af3637b788423d6b3

        SHA1

        f1ffdfb2ecf8ef1bfddcf0a2a42ac62c234bbf87

        SHA256

        bc659808d3143ea5818d3939662cc861ebc1b7d58c3dc08705017af49a700b1e

        SHA512

        b72703148c657255dc4f10b8b101f19385f0b487a503408b79d91bd1ace979e8374c938bf7d5bd590b1ef277b02837701252792b8b92917640591f27199aefe6

        Download Submit

      • C:\Program Files\7-Zip\7z.exe
        Filesize

        573KB

        MD5

        e1eae81482621cdac8824ba25efae29d

        SHA1

        52689e758a44b270421e4cc4b2793828a1780fb7

        SHA256

        99f2db0db26146f097c0c811ebcc275dc0682642cc75abe86f8fc6455b9aa36f

        SHA512

        fe747b72628a8e13914b96b4bc2cba608c16661ec71e23b06d18b48af438872e5753f9fce65113d4da7cb73beabb86ce0aa0cf28472d151365b1cbd20aacd789

        Download Submit

      • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
        Filesize

        639KB

        MD5

        ad5a7e5eb1a1cdd791957e07c93748ae

        SHA1

        6e4f8c5f4d791327e11d0d68ca6f514554af8481

        SHA256

        cfee92d916fbbb95d8282c3264d3708ad1ddfdd9db4daaf00e0c96a22854c4dc

        SHA512

        a8acd191aec48dac8d5808a93ee973ea52793140e318b4d870fb10e4e8ba0756fe95654134dd1c175168375a0f7caebfd8a7d46a9b3dc71006f830b53dd9fefe

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a2D59.bat
        Filesize

        722B

        MD5

        ca4d3243f8b2861d6e8d4c0de9dc37be

        SHA1

        3a92ac1bf94581a341f266ed4a05eaa15744e07f

        SHA256

        77bf93705cc00ca770d62b53870012bda94dedab6357a98f2f14e67e3207fac3

        SHA512

        b74c1fce2ba32520251fa9d7faccbd6d4983f7b652e7485e70f091834767f7b8667d1b1a47ea49cbc0ee7d9266617355a23e4db0894ba0be152b7820ca9b5405

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\99f2db0db26146f097c0c811ebcc275dc0682642cc75abe86f8fc6455b9aa36f.exe.exe
        Filesize

        544KB

        MD5

        9a1dd1d96481d61934dcc2d568971d06

        SHA1

        f136ef9bf8bd2fc753292fb5b7cf173a22675fb3

        SHA256

        8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525

        SHA512

        7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        29KB

        MD5

        3779b7c17bd509ec3a5074fe2d4b29d1

        SHA1

        03ad48fea32d38ae5b61e125aece75b5eb4e564d

        SHA256

        6e33fc0dcbafb1c8b0f74ba3d95f64c1240c4a6ebb3e93888c6324b81a722453

        SHA512

        28a8fa23da21f7a77aaecb5dcb1ad0cce08d1118ef8644276ff258c583d0ab102ec861f1fe623b856e36e65d04db3dfb7db3973b2e1b56eff136b965da26aead

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-2177723727-746291240-1644359950-1000\_desktop.ini
        Filesize

        9B

        MD5

        02ced53ce3f5b175c3bbec378047e7a7

        SHA1

        dafdf07efa697ec99b3d7b9f7512439a52ea618d

        SHA256

        485bb2341321a2837fd015a36963ea549c7c6f40985e165fd56c8a1e89b3f331

        SHA512

        669dde3ea8628704d40681a7f8974cf52985385c92a61a540c97c18c13eb4d451207ae171b2a56cd061cadbc90e672a84eb55111b1f5016846918d73fb075c99

        Download Submit

      • memory/1300-8-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1300-0-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2388-26-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2388-36-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2388-32-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2388-1226-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2388-19-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2388-4794-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2388-10-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2388-5233-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download