Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

59dc3375e8...5a.exe

windows7-x64

7

59dc3375e8...5a.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    17/04/2024, 17:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    59dc3375e8faaadb251aa057b9cd0e176f653cfef056e7bcf0f99a38b53bb35a.exe

  • Size

    334KB

  • MD5

    0de78b53c8101c926e301ec7a7282fe0

  • SHA1

    e9aecd85f616cbd6885ca4c76fcef178a8de02e6

  • SHA256

    59dc3375e8faaadb251aa057b9cd0e176f653cfef056e7bcf0f99a38b53bb35a

  • SHA512

    83b0129f8378dbceeb0318eff404279ac2ed49eaaa4c89215aabf27c6632460ecf26f28fe77373782334ec62de6afe2f407455044a52ec0a1f416bc8474803cc

  • SSDEEP

    6144:YVfjmNN0VQZgSLCVLiuLDG0JNSKeTM601jlvLlXsyizqbM4mF5sAOj/dxC0WKEyg:C7+uV5SLDuLDG0JNSKeTM601jlDlXC/N

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1376
      • C:\Users\Admin\AppData\Local\Temp\59dc3375e8faaadb251aa057b9cd0e176f653cfef056e7bcf0f99a38b53bb35a.exe
        "C:\Users\Admin\AppData\Local\Temp\59dc3375e8faaadb251aa057b9cd0e176f653cfef056e7bcf0f99a38b53bb35a.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1108
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD1B.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:632
          • C:\Users\Admin\AppData\Local\Temp\59dc3375e8faaadb251aa057b9cd0e176f653cfef056e7bcf0f99a38b53bb35a.exe
            "C:\Users\Admin\AppData\Local\Temp\59dc3375e8faaadb251aa057b9cd0e176f653cfef056e7bcf0f99a38b53bb35a.exe"
            4⤵
            • Executes dropped EXE
            PID:2868
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1940
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1464
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2652

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        2c368c4079cec9a57fee722e7925399c

        SHA1

        ced4580a1bca5b5ca94dd72691ee8a812f300553

        SHA256

        0b7b6e95fb066be8fb5c68ad7e5513bd9a6e5de9b6493a7824f558e0b6271a63

        SHA512

        88678c361f1a9351d543324c8ad96fda1199f78fba987463d7bf790bf738d608b1f865aa8f356cc6b340a2213a6b16a688991cba2444f9e187a6feab2efe7152

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        471KB

        MD5

        4cfdb20b04aa239d6f9e83084d5d0a77

        SHA1

        f22863e04cc1fd4435f785993ede165bd8245ac6

        SHA256

        30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

        SHA512

        35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$aD1B.bat
        Filesize

        721B

        MD5

        495c2ce3705bd9973a74c84d591c82e9

        SHA1

        b25fade4690e5b448d02edecf26ee7cb72dd6d70

        SHA256

        48b162d73838b809b909bf5d7c15716c74c022ad83fcf713a5c8f393bc9bb24a

        SHA512

        972a6dd4d3b7841afd4fe360a528fdb10923fb8885843a8de6b916fc188b3bcd2f3106ef460d02cc8a1153f70f4469defafb5613acea261def832f3bef61250a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\59dc3375e8faaadb251aa057b9cd0e176f653cfef056e7bcf0f99a38b53bb35a.exe.exe
        Filesize

        307KB

        MD5

        cb1d6cc739e1d861031b30ae195dc7c4

        SHA1

        97dccecb4b898e6a608aee72ff78286fc2109d6a

        SHA256

        a5df985020e668abe1c528e9545435f71076926b9a682019ed9e76f59d52c925

        SHA512

        d0d9303fd7aa57dd4581564cd108b11af24e47e2c2012d2498337c25e06ea4c97b708c42e705be8c74785c528fb16f734c5abfb6227fbc87b8c383b6963a4738

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        487da9891a1e7032841518d66e9f99f4

        SHA1

        af90ab8039b6920e1ac83191780b324b3605a26f

        SHA256

        f2acf2477402b55c9f408c6fbde18ad3d2d5b1ea94a504dc60d651813349001c

        SHA512

        99d74cc9a5bd8141cf1e81a4e0474d178fe7812163620450bc1ce3fb5d5d494a5c91c6de55e315675d615a98ebfa43854267c57e4d02603d3b322b20dbe2ffaa

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\_desktop.ini
        Filesize

        9B

        MD5

        2be02af4dacf3254e321ffba77f0b1c6

        SHA1

        d8349307ec08d45f2db9c9735bde8f13e27a551d

        SHA256

        766fe9c47ca710d9a00c08965550ee7de9cba2d32d67e4901e8cec7e33151d16

        SHA512

        57f61e1b939ed98e6db460ccdbc36a1460b727a99baac0e3b041666dedcef11fcd72a486d91ec7f0ee6e1aec40465719a6a5c22820c28be1066fe12fcd47ddd0

        Download Submit

      • memory/1108-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1108-16-0x00000000002C0000-0x00000000002F4000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1108-15-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1376-29-0x0000000002960000-0x0000000002961000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1940-38-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1940-44-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1940-90-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1940-96-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1940-755-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1940-1849-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1940-31-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1940-2399-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1940-3309-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1940-21-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download