Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

02a8766485...65.exe

windows7-x64

7

02a8766485...65.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/04/2024, 06:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    02a87664855f08c28fb3fa4600f576e17802f17e955dd4216fd2fb33ec44dd65.exe

  • Size

    1.1MB

  • MD5

    e0fc3ce37373fb2921c678f48039dcac

  • SHA1

    b7bb47d28579422c11dad710994dde7c3dc724d8

  • SHA256

    02a87664855f08c28fb3fa4600f576e17802f17e955dd4216fd2fb33ec44dd65

  • SHA512

    d688c1fcb277f1ceaf7467a8e7ee9f6f16593575ba26870838fae520f2598efb779aa3b67b719b155dc9407b9c63dd8a86e5fb157f03842937cc814bf9b56a7b

  • SSDEEP

    12288:17+Cxdvr88vCmgFXD4LDKLuxke/jHjQjd92qsrIWOywbk:175dv4J3xD4DS2ke7D6dgxrzZ

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3440
      • C:\Users\Admin\AppData\Local\Temp\02a87664855f08c28fb3fa4600f576e17802f17e955dd4216fd2fb33ec44dd65.exe
        "C:\Users\Admin\AppData\Local\Temp\02a87664855f08c28fb3fa4600f576e17802f17e955dd4216fd2fb33ec44dd65.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:3904
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD002.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3476
          • C:\Users\Admin\AppData\Local\Temp\02a87664855f08c28fb3fa4600f576e17802f17e955dd4216fd2fb33ec44dd65.exe
            "C:\Users\Admin\AppData\Local\Temp\02a87664855f08c28fb3fa4600f576e17802f17e955dd4216fd2fb33ec44dd65.exe"
            4⤵
            • Executes dropped EXE
            PID:2312
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3640
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4332
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2812

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        e9325483409732a224d105e072546fa8

        SHA1

        d23d39592deace449a7bf98427525d34b106b444

        SHA256

        116a778a061a28cd9dd0d3c028fb8982daa3e3ca84e6f33b56f13bc4fa3c1a78

        SHA512

        836d9b24a28b54f734c6d7e9bbb56f301db8a991a53310f9dffd620f76bf798ef1aa8f362b6cd330ec9c146095b6410f9cb174ff54f7b58322f1abd82818db59

        Download Submit

      • C:\Program Files\7-Zip\7z.exe
        Filesize

        570KB

        MD5

        ab82688ea655f5ece5d0f9dbfe58beb8

        SHA1

        0b92ab0f65c5eed6cafebd38f2252ea7f1195a92

        SHA256

        b3b01e5a94dd580aa81e36bf2d222c4ab0737ff31f566277c644e6a2e72359f8

        SHA512

        4ad9799a914ba635c2d7d632745e03f6f1118f9c12e7504ad7566a0fce3cc5cd670b371fedbba6039918d6cb1d3fae1bfa78cec9b2e33fe6536af1a9ffb41078

        Download Submit

      • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
        Filesize

        636KB

        MD5

        2500f702e2b9632127c14e4eaae5d424

        SHA1

        8726fef12958265214eeb58001c995629834b13a

        SHA256

        82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c

        SHA512

        f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$aD002.bat
        Filesize

        722B

        MD5

        f2346ea34722dcba882931bca21cb25c

        SHA1

        4ee64d563f508a69e629138d5e5b956de1d67fc5

        SHA256

        2a2ee596019fda92f9d7fb5a09a7e8251b349fb006d180019ef19d171b11e73f

        SHA512

        1760eb621da1e22d29c824f0d7a8f1ef3f98c0d290492ac397ad51b340906bf528d30fc2950d80445c7aa86a0dff658a3df099e008658502903e447e864d2655

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\02a87664855f08c28fb3fa4600f576e17802f17e955dd4216fd2fb33ec44dd65.exe.exe
        Filesize

        1.0MB

        MD5

        f98dde375e9e4c61b54f48893aaeb07b

        SHA1

        f8fff1dd387401c4f4946aca7c524cd210b5f144

        SHA256

        6a1de5fe8f94bc3d7ebdbf8f82a8fedb03d9f9ed16ebfa5883b4e418ce902dc2

        SHA512

        d3dfce3b9bdf553bc043d585c53acbbac69adcce490b48c39408a067512479f52db3916ea9a4b08cbb02df49135b1480416707977f5631fb2a1d21b4c26e7df5

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        8922a4ac9c38bcb52124f9efe7e77593

        SHA1

        d3ed9dd3a8326e982d90926ced067b1a4bb5a663

        SHA256

        fece29ead615f8a7a4a13a36b8415c0fa517cc62954b77ca0c7dedb13a20a0d6

        SHA512

        2e17a7c3247b5c38f89b8cb9b502bd92bbb50966662479e9fd476c207e2e1678d394fc3bb9fd3e06e2b83e9b05a83def8a0539fedeb1842f38f0cdcd01363c5c

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-4084619521-2220719027-1909462854-1000\_desktop.ini
        Filesize

        9B

        MD5

        72b7e38c6ba037d117f32b55c07b1a9c

        SHA1

        35e2435e512e17ca2be885e17d75913f06b90361

        SHA256

        e9719e3c653627668046bac84b77097bfb0cd018d68465c17130ed31d6d6eca6

        SHA512

        2bebd814b81ad2dc547802d42891d833caaad81d004758ec4373f9c7af2971eb822f0a559d2d5d4fca499912fea95e25bab22e92cb0c149d6a4c692eee6ee46a

        Download Submit

      • memory/3640-26-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3640-32-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3640-36-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3640-19-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3640-1060-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3640-1227-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3640-2275-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3640-9-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3640-4792-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3640-5231-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3904-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3904-8-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download