Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

6ced9b3330...ae.exe

windows7-x64

7

6ced9b3330...ae.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    18/04/2024, 02:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6ced9b3330ad2c372902c1b38136fc3d0aeccdd1a916c8cfd0a809c1b06648ae.exe

  • Size

    563KB

  • MD5

    bf16e6d74a05f748114cb53b6f4e7ec4

  • SHA1

    ee9bf89b1864d581f9c7062931e26ab8466fcfdd

  • SHA256

    6ced9b3330ad2c372902c1b38136fc3d0aeccdd1a916c8cfd0a809c1b06648ae

  • SHA512

    e85b42a387dfbc384c768579ada7ad93059de89400cb77cd17fbd56a0cbbab321b9ee8e92dfeab5e3fcd62d873dfa19efb1590f1a20c659a4f398fb3600fc520

  • SSDEEP

    12288:Y7+gLc+Gl3DflwlLrfw+fZdI+eN9K61cNiSvSGtTnOmyMcp7YJhnRw:Y7Dc+qILkOdIdcN/vvtTObMceJhRw

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1360
      • C:\Users\Admin\AppData\Local\Temp\6ced9b3330ad2c372902c1b38136fc3d0aeccdd1a916c8cfd0a809c1b06648ae.exe
        "C:\Users\Admin\AppData\Local\Temp\6ced9b3330ad2c372902c1b38136fc3d0aeccdd1a916c8cfd0a809c1b06648ae.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2000
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a4E10.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2248
          • C:\Users\Admin\AppData\Local\Temp\6ced9b3330ad2c372902c1b38136fc3d0aeccdd1a916c8cfd0a809c1b06648ae.exe
            "C:\Users\Admin\AppData\Local\Temp\6ced9b3330ad2c372902c1b38136fc3d0aeccdd1a916c8cfd0a809c1b06648ae.exe"
            4⤵
            • Executes dropped EXE
            PID:2612
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2516
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2620
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2548

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        02e8a9f4997a06d42734002578ac2add

        SHA1

        dadaaa1bcd850545f4f17a62afaff7aa6cfa3e2a

        SHA256

        1ccd4f031805035f1f8e1ca4ff38fa1b37a824f6e43a81337eef2f97ddc8b0f3

        SHA512

        1e1fde450effc10091ef5805d50dfbc63c15f49b9a3ddd1df1c97fdcedb1670ba03dc2c353f6efd81f5d3a4925dbbb107b34a5f1906943f66813c4d5b5fa53d5

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        471KB

        MD5

        4cfdb20b04aa239d6f9e83084d5d0a77

        SHA1

        f22863e04cc1fd4435f785993ede165bd8245ac6

        SHA256

        30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

        SHA512

        35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a4E10.bat
        Filesize

        722B

        MD5

        17256d06d2b87fdd3ba7c6645a26006a

        SHA1

        6691f3cbd38d8c63a7461b3e900923a26e065695

        SHA256

        16f20bf1e0d1402969500e505197654af4e83502e55512c06b5031436018ba37

        SHA512

        b7e00e2b0b2416e6c2f6c520e09192b7d140c1bb6ff4e5c398b21a1da1acfcbac54107dac926f63dd43511b47538033674c259100b692596a86d0bee4baac7d9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\6ced9b3330ad2c372902c1b38136fc3d0aeccdd1a916c8cfd0a809c1b06648ae.exe.exe
        Filesize

        537KB

        MD5

        eee6800b67e4ce6b023081d9dba3bf63

        SHA1

        5d72812c2bece8c43ecdcb84fb34f3d7c838eb0e

        SHA256

        8999f0f948e48667ebd2db8a65bea0dc30f459da5f76f91843675ec083eef7e1

        SHA512

        7c55f5aa17d25189d1c149e5afe00752787f516ebd52a858c6d12c9973e58be2d5db093b64b34a10147fa74df0afe6ddb2fd86a495739fb3ab51c77c8d5f8240

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        41a1fee41a294452d15bcbdfb5a84c35

        SHA1

        1b0fadfceb4b51453cd1884d5f859a6cdd68e892

        SHA256

        446a10f3f850f5c88c16d02ac8bbd8d39e126439836d30740c0e81c8959963e8

        SHA512

        e6a656cd615bf4fc2c601a6e66c1d04c9f0f56a777569434279e8d539c0ed24e6a6811352f3bcb8cbb35685275e4dd02433ab1082e296391f024f937eed3cc1f

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-406356229-2805545415-1236085040-1000\_desktop.ini
        Filesize

        9B

        MD5

        72b7e38c6ba037d117f32b55c07b1a9c

        SHA1

        35e2435e512e17ca2be885e17d75913f06b90361

        SHA256

        e9719e3c653627668046bac84b77097bfb0cd018d68465c17130ed31d6d6eca6

        SHA512

        2bebd814b81ad2dc547802d42891d833caaad81d004758ec4373f9c7af2971eb822f0a559d2d5d4fca499912fea95e25bab22e92cb0c149d6a4c692eee6ee46a

        Download Submit

      • memory/1360-29-0x00000000025A0000-0x00000000025A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2000-15-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2000-16-0x00000000003C0000-0x00000000003F4000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2000-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2516-31-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2516-44-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2516-90-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2516-96-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2516-98-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2516-1849-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2516-38-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2516-3309-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2516-21-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download