Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

6ba3bf0cd9...90.exe

windows7-x64

7

6ba3bf0cd9...90.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    23/04/2024, 03:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6ba3bf0cd93e1aec91e757c8b39a2e32197975a3491ee80064a5046bcca42f90.exe

  • Size

    35KB

  • MD5

    071af383c1f1c766397df0706a29d96f

  • SHA1

    66a52e667d061ebf5c3be28a88028baedef19689

  • SHA256

    6ba3bf0cd93e1aec91e757c8b39a2e32197975a3491ee80064a5046bcca42f90

  • SHA512

    028ba8ea748f9acc53d947dc1c580dd383b5d5b1fbf60a85ac2c4776c497541094c28e10d47e0045f4fa4ffe86d6ce1c4965a2bcc5c737d2ca510e85cc953eab

  • SSDEEP

    768:K1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoLLthSDKp:sfgLdQAQfcfymN/jSm

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1212
      • C:\Users\Admin\AppData\Local\Temp\6ba3bf0cd93e1aec91e757c8b39a2e32197975a3491ee80064a5046bcca42f90.exe
        "C:\Users\Admin\AppData\Local\Temp\6ba3bf0cd93e1aec91e757c8b39a2e32197975a3491ee80064a5046bcca42f90.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2416
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a11CC.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1300
          • C:\Users\Admin\AppData\Local\Temp\6ba3bf0cd93e1aec91e757c8b39a2e32197975a3491ee80064a5046bcca42f90.exe
            "C:\Users\Admin\AppData\Local\Temp\6ba3bf0cd93e1aec91e757c8b39a2e32197975a3491ee80064a5046bcca42f90.exe"
            4⤵
            • Executes dropped EXE
            PID:2144
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2648
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2604
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2620

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        b93348abc6c61129b97eecbdcf3ed020

        SHA1

        ea8d2068526e45b72c4a34cb7e309131f28342b2

        SHA256

        e60bcc0acc3dd0f3d8afd33689673c95b89b934d7a1473576ea9383c1f005224

        SHA512

        1d62ce9fe61a8f5bfa42d25d8a7d645634bffbe9d693f8326276665a0c63ec254eb64b3ebc69b81af8c92291c2f0bd9d5c063591a5fbaa49845d14295f31cca6

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        471KB

        MD5

        4cfdb20b04aa239d6f9e83084d5d0a77

        SHA1

        f22863e04cc1fd4435f785993ede165bd8245ac6

        SHA256

        30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

        SHA512

        35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a11CC.bat
        Filesize

        722B

        MD5

        5b91e02777946bf6e96efd0bad645a80

        SHA1

        74ec9106309926ad88543a0d774fe12478bb7e6e

        SHA256

        923eceeadfd96a30efe0f02c82e42b66fc3a65bb06a44feb71553d9f76d0f01d

        SHA512

        3588187fa8b469e7bef1277b00eba00f77d7e83e4e51ca9cf8d1c65dd7b0c24ac14d54ccae364d97c4474eeb721dac25e21d8bbff9252394f628c3a7325cc547

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\6ba3bf0cd93e1aec91e757c8b39a2e32197975a3491ee80064a5046bcca42f90.exe.exe
        Filesize

        9KB

        MD5

        4b2ea001d25b0b0f4b6290b529e4a1b4

        SHA1

        243231fe70e96c11b23f3ca2243ee585ce242171

        SHA256

        e98833799281ebc8ec332c79fab96c7b77d3e973b5cb1a4a572f184979a3f682

        SHA512

        5622025b3bf181f003ec52371e7aebf0cd467c01555b8bce5e94d83d6bd4d8aff500655b963bb592e54032e086c9840716153bb44fb4be675c9436e114eba74b

        Download Submit

      • C:\Windows\rundl132.exe
        Filesize

        26KB

        MD5

        abea7d94fba32bba6c1988a9a88d9e8b

        SHA1

        03ac57dcd4e36268a47a0c9fc1fe85d019945e0f

        SHA256

        187686d6eb8c7e66585c6c05a9423d8864a5bda8075e8f62c5b2219337c9b225

        SHA512

        c096cd538b82ca2472ce6358f2ee4f05f938944e2435bcdcba734779fdc17e34efc5221d894ec0ee84df8cc4b96f57532589fdb0cb85bfee69e62a29ef05ebfc

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-2248906074-2862704502-246302768-1000\_desktop.ini
        Filesize

        9B

        MD5

        5e45e0c42537212b4bfef35112ec91ba

        SHA1

        10c59c091fd35facc82bbc96938f118ce5a60546

        SHA256

        9f6b7a83161db36757e96dc40936aec1e5a9a41f9fca089f9cf5a4d695dd5ed5

        SHA512

        ee964e08687daa53fdc8e063402791acb104bd59f5d0f8a6d11d3e889db476315641c38032ade4177cd794b060f9fc4e6fd161989e452aae828c875c747e4bfb

        Download Submit

      • memory/1212-30-0x00000000029E0000-0x00000000029E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2416-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2416-16-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2416-12-0x0000000000220000-0x0000000000254000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2648-39-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2648-45-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2648-91-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2648-97-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2648-772-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2648-1850-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2648-32-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2648-2458-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2648-3310-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2648-21-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download