Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

a3589409a5...9a.exe

windows7-x64

7

a3589409a5...9a.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    113s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/04/2024, 17:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a3589409a51aba3d3f9889277827d64ed78133c3614290a3e149aeb0fd3fe29a.exe

  • Size

    78KB

  • MD5

    82ef23839c1e50f54ea6175c80d7527f

  • SHA1

    bb12096f20f524f2b320eb799e2b6f71012c1391

  • SHA256

    a3589409a51aba3d3f9889277827d64ed78133c3614290a3e149aeb0fd3fe29a

  • SHA512

    8c80e20a02ee89c81a7012240dde68beca268a1b0a65a705ccd5cc275c37ab1bc5365ef3c1f35043c0c505087f7b8f97b79fca2b297dcbc87956e797c4c670bc

  • SSDEEP

    1536:8fgLdQAQfcfymNpQKt8fjqXnviYhb8x//LenDkBT/ri:8ftffjmNWUXnviYhb8t/LenDkBTDi

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3532
      • C:\Users\Admin\AppData\Local\Temp\a3589409a51aba3d3f9889277827d64ed78133c3614290a3e149aeb0fd3fe29a.exe
        "C:\Users\Admin\AppData\Local\Temp\a3589409a51aba3d3f9889277827d64ed78133c3614290a3e149aeb0fd3fe29a.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:4024
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a2CDC.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:756
          • C:\Users\Admin\AppData\Local\Temp\a3589409a51aba3d3f9889277827d64ed78133c3614290a3e149aeb0fd3fe29a.exe
            "C:\Users\Admin\AppData\Local\Temp\a3589409a51aba3d3f9889277827d64ed78133c3614290a3e149aeb0fd3fe29a.exe"
            4⤵
            • Executes dropped EXE
            PID:2968
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4656
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1108
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:4852

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        f90c055be55cedb3415ecffcc9b6c9a0

        SHA1

        8ff0ec8f5f9b3d3f1d4e9bb22510f5812fd9953b

        SHA256

        e04b452d7a31aac63fb50805269cbc8f9fa44cc398a73c67d372f63909665ace

        SHA512

        46e5a16253511f7ce9694dcf23e756307d21f2fa02ac54d4d916d75b36933578ab7daf8cf09840a50858907532130c6fd033c9fd0c4646e717b4cd0aead23da0

        Download Submit

      • C:\Program Files\EnableUndo.exe
        Filesize

        449KB

        MD5

        50540caacd7e125f1be80867f1f0ddd7

        SHA1

        807f09ee0099f3524a1c4b27e684db7cff2d528b

        SHA256

        f66e3c61e8883143dc72f42d1f4f395c03fd2f0e169c1050a76340e7750f3d4f

        SHA512

        130bda53286dbf253f870b99bea149b9b68d73e457463ad36a3fbd50b71e6b3ceef44f4641ee642809dfceb3cc54fb4083f96e06638728806ca92d0ace90181b

        Download Submit

      • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
        Filesize

        636KB

        MD5

        2500f702e2b9632127c14e4eaae5d424

        SHA1

        8726fef12958265214eeb58001c995629834b13a

        SHA256

        82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c

        SHA512

        f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a2CDC.bat
        Filesize

        722B

        MD5

        8e1a86b94d9ab5b9ee99345aded5e1e4

        SHA1

        f8b74ffb604fad724745a63f4e303a531b23b387

        SHA256

        bad44f7079fb220b0dd99f9fdddd8c11c0cfa62de29817fb2954ece37651ceb6

        SHA512

        70c061409f46d7f4ca76d1bed70e04e148ceb0966be476aeda30da583b15e8b94162247b8b6fcc7db373952aacfb5dd7119a8936e4f2f77cc74f05fcde083f2a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\a3589409a51aba3d3f9889277827d64ed78133c3614290a3e149aeb0fd3fe29a.exe.exe
        Filesize

        52KB

        MD5

        ea602cfb7b4eb2f4192a192d97a71e28

        SHA1

        bd82fd34c60ca4a70f1153d0888c83207fd12403

        SHA256

        99a66e369f0cbebc727d38fc85c9e6ca39efad8b0c4983a7689118973a2ddcde

        SHA512

        e3609d2b07839f8f197933645cac5dd86363363a86a0af8107c0841298c3fb73d9dd6cac899c430b14e9e1b31e96d70b4c6d5a27be20e112ec06628862c8d3a6

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        5f2668d184a93234aa6ac83304ff60c9

        SHA1

        162dcb8f0533b7554ded2962fd0ee692ec30c50e

        SHA256

        297f8e9faf06f4dee70a3028c66040674c64969385f15f1dea7d77dc7b5d4763

        SHA512

        0321e5d63f516c6c99c85225d0a8d7906c5b99324e4245b86f605ab48aa79dff5cf8c25ab4d5f6cd02426a5f1beea789a32fd1372001da72d7f0cc94ea36ad43

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-355664440-2199602304-1223909400-1000\_desktop.ini
        Filesize

        9B

        MD5

        2be02af4dacf3254e321ffba77f0b1c6

        SHA1

        d8349307ec08d45f2db9c9735bde8f13e27a551d

        SHA256

        766fe9c47ca710d9a00c08965550ee7de9cba2d32d67e4901e8cec7e33151d16

        SHA512

        57f61e1b939ed98e6db460ccdbc36a1460b727a99baac0e3b041666dedcef11fcd72a486d91ec7f0ee6e1aec40465719a6a5c22820c28be1066fe12fcd47ddd0

        Download Submit

      • memory/2968-19-0x0000000000400000-0x000000000041B000-memory.dmp

        Filesize

        108KB

        Download

      • memory/4024-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4024-8-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4656-33-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4656-37-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4656-12-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4656-1228-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4656-27-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4656-4794-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4656-20-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4656-5233-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download