Analysis

  • max time kernel: 150s
  • max time network: 151s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240412-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 19/04/2024, 00:18 UTC

General

  • Target: b7f591fb291274d83fb3934deb64d441a98f338098a89b739dcdb61c65bd60b0.exe
  • Size: 26KB
  • MD5: 7cbf4232c6051cd8df6c85c2778bbd09
  • SHA1: c395b7742e98a95e1f868f53f5c5f9e135b0d06d
  • SHA256: b7f591fb291274d83fb3934deb64d441a98f338098a89b739dcdb61c65bd60b0
  • SHA512: 3e27bfd80c314d90eda5c395904bbe9a03a8ed374b995c6433ef8ea7b0d2762f98171f531b95f1152646f05beebfcb972e014c6d5f2b07015887e8da3c360894
  • SSDEEP: 768:Sa1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoLC:VfgLdQAQfcfymNu

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3592
      • C:\Users\Admin\AppData\Local\Temp\b7f591fb291274d83fb3934deb64d441a98f338098a89b739dcdb61c65bd60b0.exe
        "C:\Users\Admin\AppData\Local\Temp\b7f591fb291274d83fb3934deb64d441a98f338098a89b739dcdb61c65bd60b0.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:3400
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a33A3.bat
          3⤵
            PID:1684
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3156
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3576
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:3432

Network

  • DNS 0.159.190.20.in-addr.arpa IN PTR, resolver 8.8.8.8:53
    Response: (empty)
  • DNS 144.107.17.2.in-addr.arpa IN PTR, resolver 8.8.8.8:53
    Response: 144.107.17.2.in-addr.arpa IN PTR a2-17-107-144.deploy.static.akamaitechnologies.com
  • DNS g.bing.com IN A, resolver 8.8.8.8:53
    Response:
    g.bing.com IN CNAME g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net IN CNAME dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net IN A 204.79.197.237
    dual-a-0034.a-msedge.net IN A 13.107.21.237
  • HTTP GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0e6559435ad34aa9996e41f3e665d3ae&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid=
    Remote address: 204.79.197.237:443
    Request:
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0e6559435ad34aa9996e41f3e665d3ae&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response:
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=2D52EF8EEA9A64D10AA2FBE8EB7A65F9; domain=.bing.com; expires=Wed, 14-May-2025 00:18:18 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: C8031F320C494D5FB8ED6E5F49AD0DA6 Ref B: LON04EDGE1214 Ref C: 2024-04-19T00:18:18Z
    date: Fri, 19 Apr 2024 00:18:18 GMT
  • HTTP GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=0e6559435ad34aa9996e41f3e665d3ae&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid=
    Remote address: 204.79.197.237:443
    Request:
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=0e6559435ad34aa9996e41f3e665d3ae&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=2D52EF8EEA9A64D10AA2FBE8EB7A65F9
    Response:
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=jJv5OHFqzTp1YLdSINK5Ww06qZCUfpvbrZRSJtbm9F8; domain=.bing.com; expires=Wed, 14-May-2025 00:18:18 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: C85F39AC65974BB5B6BE549AC1921177 Ref B: LON04EDGE1214 Ref C: 2024-04-19T00:18:18Z
    date: Fri, 19 Apr 2024 00:18:18 GMT
  • HTTP GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0e6559435ad34aa9996e41f3e665d3ae&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid=
    Remote address: 204.79.197.237:443
    Request:
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0e6559435ad34aa9996e41f3e665d3ae&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=2D52EF8EEA9A64D10AA2FBE8EB7A65F9; MSPTC=jJv5OHFqzTp1YLdSINK5Ww06qZCUfpvbrZRSJtbm9F8
    Response:
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: FBD356777DF74B9D87E9CFE26E2B7A84 Ref B: LON04EDGE1214 Ref C: 2024-04-19T00:18:18Z
    date: Fri, 19 Apr 2024 00:18:18 GMT
  • DNS 156.33.209.4.in-addr.arpa IN PTR, resolver 8.8.8.8:53
    Response: (empty)
  • DNS 237.197.79.204.in-addr.arpa IN PTR, resolver 8.8.8.8:53
    Response: (empty)
  • DNS 9.228.82.20.in-addr.arpa IN PTR, resolver 8.8.8.8:53
    Response: (empty)
  • DNS 132.250.30.184.in-addr.arpa IN PTR, resolver 8.8.8.8:53
    Response: 132.250.30.184.in-addr.arpa IN PTR a184-30-250-132.deploy.static.akamaitechnologies.com
  • DNS 88.156.103.20.in-addr.arpa IN PTR, resolver 8.8.8.8:53
    Response: (empty)
  • DNS 50.23.12.20.in-addr.arpa IN PTR, resolver 8.8.8.8:53
    Response: (empty)
  • DNS 198.187.3.20.in-addr.arpa IN PTR, resolver 8.8.8.8:53
    Response: (empty)
  • DNS 130.118.77.104.in-addr.arpa IN PTR, resolver 8.8.8.8:53
    Response: 130.118.77.104.in-addr.arpa IN PTR a104-77-118-130.deploy.static.akamaitechnologies.com
  • DNS 38.117.19.2.in-addr.arpa IN PTR, resolver 8.8.8.8:53
    Response: 38.117.19.2.in-addr.arpa IN PTR a2-19-117-38.deploy.static.akamaitechnologies.com
Connections (remote address, protocol, bytes sent / received, packets sent / received)

  • 204.79.197.237:443, tls, http2: 2.0kB sent, 9.2kB received, 22 packets sent, 19 received
    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0e6559435ad34aa9996e41f3e665d3ae&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid= (response 204)
    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=0e6559435ad34aa9996e41f3e665d3ae&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid= (response 204)
    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0e6559435ad34aa9996e41f3e665d3ae&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid= (response 204)
  • 8.8.8.8:53, dns, 0.159.190.20.in-addr.arpa: 71 B sent, 157 B received, 1 packet each way
  • 8.8.8.8:53, dns, 144.107.17.2.in-addr.arpa: 71 B sent, 135 B received, 1 packet each way
  • 8.8.8.8:53, dns, g.bing.com: 56 B sent, 151 B received, 1 packet each way
    DNS response: 204.79.197.237, 13.107.21.237
  • 8.8.8.8:53, dns, 156.33.209.4.in-addr.arpa: 71 B sent, 157 B received, 1 packet each way
  • 8.8.8.8:53, dns, 237.197.79.204.in-addr.arpa: 73 B sent, 143 B received, 1 packet each way
  • 8.8.8.8:53, dns, 9.228.82.20.in-addr.arpa: 70 B sent, 156 B received, 1 packet each way
  • 8.8.8.8:53, dns, 132.250.30.184.in-addr.arpa: 73 B sent, 139 B received, 1 packet each way
  • 8.8.8.8:53, dns, 88.156.103.20.in-addr.arpa: 72 B sent, 158 B received, 1 packet each way
  • 8.8.8.8:53, dns, 50.23.12.20.in-addr.arpa: 70 B sent, 156 B received, 1 packet each way
  • 8.8.8.8:53, dns, 198.187.3.20.in-addr.arpa: 71 B sent, 157 B received, 1 packet each way
  • 8.8.8.8:53, dns, 130.118.77.104.in-addr.arpa: 73 B sent, 139 B received, 1 packet each way
  • 8.8.8.8:53, dns, 38.117.19.2.in-addr.arpa: 70 B sent, 133 B received, 1 packet each way
  • 8.8.8.8:53, dns (no further details recorded)
MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
    Filesize: 251KB
    MD5: 8763dd1e5a4d9a5e14aaac162f8010f2
    SHA1: b3a1ef6416daeb9dadcf5dadd8fb541b724cbc71
    SHA256: a12aa0944df5ca9d29f5af6c2a94b7923153e754ae714e3f6ab5776de277ade6
    SHA512: 6fc613191309cfff8eef7db9bf990ed7d28f160384a0629b519a326a650f6f16dbb5a49705931b5ed7ebc719044f6360d4efa2dd5f4b69eec6d01386c5b3c167

  • C:\Program Files\7-Zip\7z.exe
    Filesize: 570KB
    MD5: f9cc9ae17d368f8d0e728a90ada03a0c
    SHA1: 60d6d21dca7fe3e657bad276ad951d3dcccd68b5
    SHA256: 601f6a14f956580a3c59ad6cd2537995fcd89a9920f4bc02c9a5d3cd41b25930
    SHA512: 9abd366ce5faad5c3a289f646fe02432ad5d3cf763ca50eee2517e0c4bb76e6198db9633eaedd8bfa944384bd95fb1c758684587a2f1b6801acc8d2607987ccf

  • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
    Filesize: 636KB
    MD5: 2500f702e2b9632127c14e4eaae5d424
    SHA1: 8726fef12958265214eeb58001c995629834b13a
    SHA256: 82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c
    SHA512: f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

  • C:\Users\Admin\AppData\Local\Temp\$$a33A3.bat
    Filesize: 722B
    MD5: 4ddff8bc9eafaade64680ddab72d8e2a
    SHA1: 4d4d627b48da81889326a590836c54580fd1e894
    SHA256: 09cbba1aaa7d71a9a67885b28519d5f07bab6502910595cdb4362b975b4bd49d
    SHA512: 3195665163f284f0ba930b14d6ad517579d6d81ea21edd42667911f7da03297c127569c9f2d1a2c93645f8a676e1eae5d898fdf1f2381ec70d83e3be206aadd3

  • C:\Users\Admin\AppData\Local\Temp\b7f591fb291274d83fb3934deb64d441a98f338098a89b739dcdb61c65bd60b0.exe.exe
    Filesize: 162B
    MD5: 380bbf4d7bdac05d2248b49c4188cd92
    SHA1: ae83ef83ebe684eab30ab3ca431e4f84994fd60f
    SHA256: b97278e320af9d3d990703fd1af322e7c4b568a92f6a736149c1648b2f07a7c2
    SHA512: 06fe7a78b558b7581b52f8d65a6a8a62338a429e550c91ad4ba5cc3f445da83ee86b99e5c7dfbd9bbfcc12895215d2a329756dc6b24ef8313f70658abc08db15

  • C:\Windows\Logo1_.exe
    Filesize: 26KB
    MD5: d46a2a6f2a522cb6c3bde1532d2cd3fb
    SHA1: e36c018fe56222afda400c8848306dea3f8f0019
    SHA256: 874f065e5732aece11a9bb35e2bb35016d90ff1f51fefbd776c5d156250389d4
    SHA512: a2c74399ddb660b3a9e166b9ac546987506ea260089f530e83380ca6dd3bf63aff15aca581e56627cb6e67fc8780b2abcc70913518a6650926fe664774016f57

  • F:\$RECYCLE.BIN\S-1-5-21-259785868-298165991-4178590326-1000\_desktop.ini
    Filesize: 9B
    MD5: c59aab012a570d8b20f60efcafb272be
    SHA1: 709df64d9a23340c6bc42f2bf8dfdca512bff2e0
    SHA256: 8a349242c7461f8fccc029421cd051ef8f140a8e3738d348a2354a3d5b9de220
    SHA512: 8c3f67dc02beaca59f0deaa4d8e33bc385b19df02d2a8b905b47148e21919f7d059f3883f02dad25a0d11dc807343390114753a7918171720d8cd72e84239e17

  • memory/3156-25-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
  • memory/3156-31-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
  • memory/3156-35-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
  • memory/3156-18-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
  • memory/3156-1225-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
  • memory/3156-12-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
  • memory/3156-4791-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
  • memory/3156-5230-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
  • memory/3400-0-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
  • memory/3400-8-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
