Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

1b68180571...9d.exe

windows7-x64

7

1b68180571...9d.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    18/04/2024, 06:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1b681805714dca807e4c4e5d625cfdd18a9cc60f26ed3f105cb8db996bca999d.exe

  • Size

    387KB

  • MD5

    0abbe3bd344e67b0bc54b886949d17de

  • SHA1

    c9640320888b79b7fd998137a2518ecc33974899

  • SHA256

    1b681805714dca807e4c4e5d625cfdd18a9cc60f26ed3f105cb8db996bca999d

  • SHA512

    9c785be0601fbd5a255b17a3bc9a3e50c54d0092a141ce580ec7178efdc0e3a18a875aebf1d8dc378c8d270d67e2400f87da22b428ce2b8bb9db456363e71208

  • SSDEEP

    6144:wVfjmNaYVGfI8iej2CSwBmsYJ66UGLilZIN107HFxHG7:a7+aYVGPic2CA6w4xx

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1232
      • C:\Users\Admin\AppData\Local\Temp\1b681805714dca807e4c4e5d625cfdd18a9cc60f26ed3f105cb8db996bca999d.exe
        "C:\Users\Admin\AppData\Local\Temp\1b681805714dca807e4c4e5d625cfdd18a9cc60f26ed3f105cb8db996bca999d.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2324
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a148A.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:3004
          • C:\Users\Admin\AppData\Local\Temp\1b681805714dca807e4c4e5d625cfdd18a9cc60f26ed3f105cb8db996bca999d.exe
            "C:\Users\Admin\AppData\Local\Temp\1b681805714dca807e4c4e5d625cfdd18a9cc60f26ed3f105cb8db996bca999d.exe"
            4⤵
            • Executes dropped EXE
            PID:2692
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2552
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2660
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2676

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        bcc29caaca6b900200dd926488279eb6

        SHA1

        66d3dd19be102552937338febde08b8c6e336cd1

        SHA256

        aecc8287bb11d89180558523fa5bb81fb9d31d011fb3ba1b40dc1208d7b7b6ab

        SHA512

        a82a6db08fdcd58fd96ed1aabc8c9e14c09a674152bdfb0e77e500afbac214c7ac8f36df9d7af975e28a39ccdef7b273357ce540d0d7880a71f10163bd54a68e

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        471KB

        MD5

        4cfdb20b04aa239d6f9e83084d5d0a77

        SHA1

        f22863e04cc1fd4435f785993ede165bd8245ac6

        SHA256

        30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

        SHA512

        35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a148A.bat
        Filesize

        722B

        MD5

        af6f4d312af16483ea4fde947d0cde27

        SHA1

        1f7005ea06c390ff2d545bbfd31ee3087e54bf5c

        SHA256

        08aad965538171161991d9680236f7b4cf1d1c2d75e38a7852d05b16b6de3af5

        SHA512

        299dc606026ca77f2d8ca7d6797ae494900af8b0e62517794729fa2cb4d80ce8609213ee1c43ec7e5e991571d114dd7b40b71f01b0f17fa09449746578f8f517

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\1b681805714dca807e4c4e5d625cfdd18a9cc60f26ed3f105cb8db996bca999d.exe.exe
        Filesize

        361KB

        MD5

        f3f201bf438a3b9f6d240484c584de12

        SHA1

        b24df00861f9dafcb54e4e138d4f4b28b940ebc0

        SHA256

        9e513852ac3d838316360702c7926a6ad4b8e150085480177b9236a5de3d2686

        SHA512

        b05a45143131a31703602cb63ae8fa7a73ab0e8f047095f281cee881387bd05a9026abbee5f563e69140d8e2e843a0edfc8d9d02f946e89ceb7b5a004d2472a0

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        94182ab36b79f1cbcebd672d69be79b1

        SHA1

        b72fe3968d5003790213f4e0b4d3eed51665d26d

        SHA256

        844863241e5cbcbc20f4006b2dbcbc1412cd27bdd57f087add2757e509df59ce

        SHA512

        1a6ccdc1f0ee5fa8a4cba7c16bbfc0d399d9b43379267ac57748f2bc9170b0b17bf464686bac4f4dee1d6fafe1b3aee709b05bff4dd2fdd520bcdf4a5b9b238c

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\_desktop.ini
        Filesize

        9B

        MD5

        72b7e38c6ba037d117f32b55c07b1a9c

        SHA1

        35e2435e512e17ca2be885e17d75913f06b90361

        SHA256

        e9719e3c653627668046bac84b77097bfb0cd018d68465c17130ed31d6d6eca6

        SHA512

        2bebd814b81ad2dc547802d42891d833caaad81d004758ec4373f9c7af2971eb822f0a559d2d5d4fca499912fea95e25bab22e92cb0c149d6a4c692eee6ee46a

        Download Submit

      • memory/1232-28-0x00000000025D0000-0x00000000025D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2324-15-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2324-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2552-17-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2552-43-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2552-89-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2552-95-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2552-644-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2552-1848-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2552-2294-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2552-37-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2552-3308-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2552-30-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download