Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

6f38f73d25...ea.exe

windows7-x64

7

6f38f73d25...ea.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/04/2024, 04:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6f38f73d25201a22ca750ce221ce4482c78847f66bd16d3edadb355d73265cea.exe

  • Size

    315KB

  • MD5

    513a025c239038d94d50854d525d086c

  • SHA1

    c7a4589d37201e88b4aed295320ec3792c5c473d

  • SHA256

    6f38f73d25201a22ca750ce221ce4482c78847f66bd16d3edadb355d73265cea

  • SHA512

    21d53f9ca079055c2876247acb3d9ac1c359e5f01af6a6c69d84c6af75a82d46afe121b70c704ed2078509e8b2a164c76a0105408be5c0a61df1216709d739c0

  • SSDEEP

    6144:MVfgPddVk7HWWxfjAzodx1VY8zGb5lUFpohHF1Lncn:OYrVk7HWcfjAzodxPl6lUFpoF3nk

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3332
      • C:\Users\Admin\AppData\Local\Temp\6f38f73d25201a22ca750ce221ce4482c78847f66bd16d3edadb355d73265cea.exe
        "C:\Users\Admin\AppData\Local\Temp\6f38f73d25201a22ca750ce221ce4482c78847f66bd16d3edadb355d73265cea.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1640
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6D1.bat
          3⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:3552
          • C:\Users\Admin\AppData\Local\Temp\6f38f73d25201a22ca750ce221ce4482c78847f66bd16d3edadb355d73265cea.exe
            "C:\Users\Admin\AppData\Local\Temp\6f38f73d25201a22ca750ce221ce4482c78847f66bd16d3edadb355d73265cea.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2432
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2504
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4164
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:1980
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3744 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:1864

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\7-Zip\7z.exe
          Filesize

          570KB

          MD5

          6ec041294cced7283ef4d328a6e8c434

          SHA1

          755bc554034bdf0a7acea22f8c9b1b4ecce6f74b

          SHA256

          6d77655323e3fee40eefb66527b47a0d1a651341214dc3fe062f7a8723cf2ae0

          SHA512

          6a309fb5b2f756c2e83980c3ab386b99edd5e1bd9870c864faa9b7c7a726b61180df5c8f496f05f6dbbceaa296d6fb63ade189123ebe9342fc6edbaaf1eb589f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\$$a6D1.bat
          Filesize

          721B

          MD5

          d2d6b3b87d939101f048f9c2ee8552f8

          SHA1

          3c1850c1ec2e34c20bcc6c4027d9534766659367

          SHA256

          a4d1b5c54ba0712494baa68a401e84005856022c3d43e46f52a22990119ff72a

          SHA512

          d17f75a50808fe78c6a62c7606f4334b2f26d9f73a9c9ddf479aa24d94bfa57997739be99c296020f244005e8f488860922bc69b9073f4af85c8a7522aa8aa6e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\6f38f73d25201a22ca750ce221ce4482c78847f66bd16d3edadb355d73265cea.exe.exe
          Filesize

          289KB

          MD5

          ac57e872037ded93a1cccfbc98d3356b

          SHA1

          0351eb8904007ffad1ca9b2f555ec651ca023e9d

          SHA256

          282f2d1c84ae87822883a091036b8816a4cfe2f993fbbaf6c20ff3d3ea5e18ea

          SHA512

          fa2a0581dec4af5f51b82b40f847a4b14149ba1e68a140783fb61377b7fd701cd788d6ecb4a232247dd346032fe92ee4ce0dcbfb5024c5e6128cc2e10ca34862

          Download Submit

        • C:\Windows\Logo1_.exe
          Filesize

          26KB

          MD5

          fb302bb3e9a63790b545fbae9cf76e95

          SHA1

          36a3ff29e20e8c6a98e0ed0b62facf588e0de5c1

          SHA256

          e431f29fd728f254e78f03cb50ddea4203ab6863abe479d5cd89127a2a2ef391

          SHA512

          3c7b9db7a7030479e800f51971a223773c249758f4e38cff51214034b207cdcf427005476b3177662060e1d049d23d67627baa0548c16cc4db4236d4126d79b4

          Download Submit

        • F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\_desktop.ini
          Filesize

          9B

          MD5

          72b7e38c6ba037d117f32b55c07b1a9c

          SHA1

          35e2435e512e17ca2be885e17d75913f06b90361

          SHA256

          e9719e3c653627668046bac84b77097bfb0cd018d68465c17130ed31d6d6eca6

          SHA512

          2bebd814b81ad2dc547802d42891d833caaad81d004758ec4373f9c7af2971eb822f0a559d2d5d4fca499912fea95e25bab22e92cb0c149d6a4c692eee6ee46a

          Download Submit

        • memory/1640-13-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1640-0-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2504-19-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2504-26-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2504-33-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2504-37-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2504-42-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2504-9-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2504-84-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2504-1181-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2504-1984-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2504-2135-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download