Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

d47c8e17db...56.exe

windows7-x64

7

d47c8e17db...56.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/04/2024, 04:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d47c8e17dbda310c11b8f769b3421a7de3b48b5397706d0e45bd4fe569ee2856.exe

  • Size

    713KB

  • MD5

    685343f59bbf29ef174a21ceab8c49ce

  • SHA1

    6376efa7df6a519ac88388319213227409628881

  • SHA256

    d47c8e17dbda310c11b8f769b3421a7de3b48b5397706d0e45bd4fe569ee2856

  • SHA512

    c1d3f3ac571ccfaf0960458777ecdb9dd0cdbd645a555a870162f6539d5b9317047a3f08656b19a3f16b3298b874da551fb6d8c0a1f4e5efe687b0082e14ee80

  • SSDEEP

    12288:PfC6Aj+TN5uixZN+8rKhUdTC/wE1ZD0Ca5ZIXV:nLOS2opPIXV

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3464
      • C:\Users\Admin\AppData\Local\Temp\d47c8e17dbda310c11b8f769b3421a7de3b48b5397706d0e45bd4fe569ee2856.exe
        "C:\Users\Admin\AppData\Local\Temp\d47c8e17dbda310c11b8f769b3421a7de3b48b5397706d0e45bd4fe569ee2856.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:4160
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5525.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3184
          • C:\Users\Admin\AppData\Local\Temp\d47c8e17dbda310c11b8f769b3421a7de3b48b5397706d0e45bd4fe569ee2856.exe
            "C:\Users\Admin\AppData\Local\Temp\d47c8e17dbda310c11b8f769b3421a7de3b48b5397706d0e45bd4fe569ee2856.exe"
            4⤵
            • Executes dropped EXE
            PID:2544
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3212
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:896
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:1176

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        254KB

        MD5

        a036bc46b8f17b2af3637b788423d6b3

        SHA1

        f1ffdfb2ecf8ef1bfddcf0a2a42ac62c234bbf87

        SHA256

        bc659808d3143ea5818d3939662cc861ebc1b7d58c3dc08705017af49a700b1e

        SHA512

        b72703148c657255dc4f10b8b101f19385f0b487a503408b79d91bd1ace979e8374c938bf7d5bd590b1ef277b02837701252792b8b92917640591f27199aefe6

        Download Submit

      • C:\Program Files\7-Zip\7z.exe
        Filesize

        573KB

        MD5

        e1eae81482621cdac8824ba25efae29d

        SHA1

        52689e758a44b270421e4cc4b2793828a1780fb7

        SHA256

        99f2db0db26146f097c0c811ebcc275dc0682642cc75abe86f8fc6455b9aa36f

        SHA512

        fe747b72628a8e13914b96b4bc2cba608c16661ec71e23b06d18b48af438872e5753f9fce65113d4da7cb73beabb86ce0aa0cf28472d151365b1cbd20aacd789

        Download Submit

      • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
        Filesize

        639KB

        MD5

        ad5a7e5eb1a1cdd791957e07c93748ae

        SHA1

        6e4f8c5f4d791327e11d0d68ca6f514554af8481

        SHA256

        cfee92d916fbbb95d8282c3264d3708ad1ddfdd9db4daaf00e0c96a22854c4dc

        SHA512

        a8acd191aec48dac8d5808a93ee973ea52793140e318b4d870fb10e4e8ba0756fe95654134dd1c175168375a0f7caebfd8a7d46a9b3dc71006f830b53dd9fefe

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a5525.bat
        Filesize

        722B

        MD5

        0625a08160c2b2f5182f0342024bf6bf

        SHA1

        74f7a36e82afc43efa74066f2d41886fda4657e2

        SHA256

        847ef5d4f90b5ffd196e9b559e68ba214df25d9d92be5b8710fe5cc9ac12929a

        SHA512

        dc9ad8972a1b026c32f811e862a3de30742aac512c14addf921979cdab49139b615ca51e77f706736ac7de7de770112ca412d7c21451bb5022ee83c698258035

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\d47c8e17dbda310c11b8f769b3421a7de3b48b5397706d0e45bd4fe569ee2856.exe.exe
        Filesize

        684KB

        MD5

        50f289df0c19484e970849aac4e6f977

        SHA1

        3dc77c8830836ab844975eb002149b66da2e10be

        SHA256

        b9b179b305c5268ad428b6ae59de10b4fe99cf0199bbc89b7017181905e97305

        SHA512

        877d852ea1062b90e2fd2f3c4dc7d05d9697e9a9b2929c830a770b62741f6a11e06de73275eb871113f11143faf1cb40d99f7c247862ffb778d26833ed5d7e38

        Download Submit

      • C:\Windows\rundl132.exe
        Filesize

        29KB

        MD5

        3779b7c17bd509ec3a5074fe2d4b29d1

        SHA1

        03ad48fea32d38ae5b61e125aece75b5eb4e564d

        SHA256

        6e33fc0dcbafb1c8b0f74ba3d95f64c1240c4a6ebb3e93888c6324b81a722453

        SHA512

        28a8fa23da21f7a77aaecb5dcb1ad0cce08d1118ef8644276ff258c583d0ab102ec861f1fe623b856e36e65d04db3dfb7db3973b2e1b56eff136b965da26aead

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-3198953144-1466794930-246379610-1000\_desktop.ini
        Filesize

        9B

        MD5

        02ced53ce3f5b175c3bbec378047e7a7

        SHA1

        dafdf07efa697ec99b3d7b9f7512439a52ea618d

        SHA256

        485bb2341321a2837fd015a36963ea549c7c6f40985e165fd56c8a1e89b3f331

        SHA512

        669dde3ea8628704d40681a7f8974cf52985385c92a61a540c97c18c13eb4d451207ae171b2a56cd061cadbc90e672a84eb55111b1f5016846918d73fb075c99

        Download Submit

      • memory/3212-26-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3212-33-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3212-36-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3212-19-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3212-1227-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3212-3220-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3212-8-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3212-4793-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3212-5232-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4160-0-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4160-12-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download