Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

a3589409a5...9a.exe

windows7-x64

7

a3589409a5...9a.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    17/04/2024, 17:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a3589409a51aba3d3f9889277827d64ed78133c3614290a3e149aeb0fd3fe29a.exe

  • Size

    78KB

  • MD5

    82ef23839c1e50f54ea6175c80d7527f

  • SHA1

    bb12096f20f524f2b320eb799e2b6f71012c1391

  • SHA256

    a3589409a51aba3d3f9889277827d64ed78133c3614290a3e149aeb0fd3fe29a

  • SHA512

    8c80e20a02ee89c81a7012240dde68beca268a1b0a65a705ccd5cc275c37ab1bc5365ef3c1f35043c0c505087f7b8f97b79fca2b297dcbc87956e797c4c670bc

  • SSDEEP

    1536:8fgLdQAQfcfymNpQKt8fjqXnviYhb8x//LenDkBT/ri:8ftffjmNWUXnviYhb8t/LenDkBTDi

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1224
      • C:\Users\Admin\AppData\Local\Temp\a3589409a51aba3d3f9889277827d64ed78133c3614290a3e149aeb0fd3fe29a.exe
        "C:\Users\Admin\AppData\Local\Temp\a3589409a51aba3d3f9889277827d64ed78133c3614290a3e149aeb0fd3fe29a.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2224
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a29AF.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1704
          • C:\Users\Admin\AppData\Local\Temp\a3589409a51aba3d3f9889277827d64ed78133c3614290a3e149aeb0fd3fe29a.exe
            "C:\Users\Admin\AppData\Local\Temp\a3589409a51aba3d3f9889277827d64ed78133c3614290a3e149aeb0fd3fe29a.exe"
            4⤵
            • Executes dropped EXE
            PID:2784
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:636
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2512
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2624

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        f90c055be55cedb3415ecffcc9b6c9a0

        SHA1

        8ff0ec8f5f9b3d3f1d4e9bb22510f5812fd9953b

        SHA256

        e04b452d7a31aac63fb50805269cbc8f9fa44cc398a73c67d372f63909665ace

        SHA512

        46e5a16253511f7ce9694dcf23e756307d21f2fa02ac54d4d916d75b36933578ab7daf8cf09840a50858907532130c6fd033c9fd0c4646e717b4cd0aead23da0

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        471KB

        MD5

        4cfdb20b04aa239d6f9e83084d5d0a77

        SHA1

        f22863e04cc1fd4435f785993ede165bd8245ac6

        SHA256

        30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

        SHA512

        35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a29AF.bat
        Filesize

        722B

        MD5

        49fe2c4caea690c961fcdc754dc15cf4

        SHA1

        abacd2049400a34f33eda1985d19e196b1bc4c13

        SHA256

        d85c2ec01c8c9651e31020d9d1bdc765b8eb0228cc7e00ac72d3ffc1d4cb5150

        SHA512

        2e4fd0b56f93376a21f19970ff90305ab30833d25a3ba5f3910d43ad6565800e2f92009aecdaf6a59a7f2af7aea1d18d1f6bda914c1bedd4b90e8ddeb09f803b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\a3589409a51aba3d3f9889277827d64ed78133c3614290a3e149aeb0fd3fe29a.exe.exe
        Filesize

        52KB

        MD5

        ea602cfb7b4eb2f4192a192d97a71e28

        SHA1

        bd82fd34c60ca4a70f1153d0888c83207fd12403

        SHA256

        99a66e369f0cbebc727d38fc85c9e6ca39efad8b0c4983a7689118973a2ddcde

        SHA512

        e3609d2b07839f8f197933645cac5dd86363363a86a0af8107c0841298c3fb73d9dd6cac899c430b14e9e1b31e96d70b4c6d5a27be20e112ec06628862c8d3a6

        Download Submit

      • C:\Windows\rundl132.exe
        Filesize

        26KB

        MD5

        5f2668d184a93234aa6ac83304ff60c9

        SHA1

        162dcb8f0533b7554ded2962fd0ee692ec30c50e

        SHA256

        297f8e9faf06f4dee70a3028c66040674c64969385f15f1dea7d77dc7b5d4763

        SHA512

        0321e5d63f516c6c99c85225d0a8d7906c5b99324e4245b86f605ab48aa79dff5cf8c25ab4d5f6cd02426a5f1beea789a32fd1372001da72d7f0cc94ea36ad43

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\_desktop.ini
        Filesize

        9B

        MD5

        2be02af4dacf3254e321ffba77f0b1c6

        SHA1

        d8349307ec08d45f2db9c9735bde8f13e27a551d

        SHA256

        766fe9c47ca710d9a00c08965550ee7de9cba2d32d67e4901e8cec7e33151d16

        SHA512

        57f61e1b939ed98e6db460ccdbc36a1460b727a99baac0e3b041666dedcef11fcd72a486d91ec7f0ee6e1aec40465719a6a5c22820c28be1066fe12fcd47ddd0

        Download Submit

      • memory/636-21-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/636-1851-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/636-3311-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/636-33-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/636-541-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/636-40-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/636-47-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/636-92-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/636-98-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1224-30-0x0000000002990000-0x0000000002991000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2224-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2224-15-0x00000000003B0000-0x00000000003E4000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2224-16-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2784-32-0x0000000000400000-0x000000000041B000-memory.dmp

        Filesize

        108KB

        Download