Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

6ba3bf0cd9...90.exe

windows7-x64

7

6ba3bf0cd9...90.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/04/2024, 03:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6ba3bf0cd93e1aec91e757c8b39a2e32197975a3491ee80064a5046bcca42f90.exe

  • Size

    35KB

  • MD5

    071af383c1f1c766397df0706a29d96f

  • SHA1

    66a52e667d061ebf5c3be28a88028baedef19689

  • SHA256

    6ba3bf0cd93e1aec91e757c8b39a2e32197975a3491ee80064a5046bcca42f90

  • SHA512

    028ba8ea748f9acc53d947dc1c580dd383b5d5b1fbf60a85ac2c4776c497541094c28e10d47e0045f4fa4ffe86d6ce1c4965a2bcc5c737d2ca510e85cc953eab

  • SSDEEP

    768:K1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoLLthSDKp:sfgLdQAQfcfymN/jSm

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3496
      • C:\Users\Admin\AppData\Local\Temp\6ba3bf0cd93e1aec91e757c8b39a2e32197975a3491ee80064a5046bcca42f90.exe
        "C:\Users\Admin\AppData\Local\Temp\6ba3bf0cd93e1aec91e757c8b39a2e32197975a3491ee80064a5046bcca42f90.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2152
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a55E0.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3468
          • C:\Users\Admin\AppData\Local\Temp\6ba3bf0cd93e1aec91e757c8b39a2e32197975a3491ee80064a5046bcca42f90.exe
            "C:\Users\Admin\AppData\Local\Temp\6ba3bf0cd93e1aec91e757c8b39a2e32197975a3491ee80064a5046bcca42f90.exe"
            4⤵
            • Executes dropped EXE
            PID:2448
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3948
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4244
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:3192

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        b93348abc6c61129b97eecbdcf3ed020

        SHA1

        ea8d2068526e45b72c4a34cb7e309131f28342b2

        SHA256

        e60bcc0acc3dd0f3d8afd33689673c95b89b934d7a1473576ea9383c1f005224

        SHA512

        1d62ce9fe61a8f5bfa42d25d8a7d645634bffbe9d693f8326276665a0c63ec254eb64b3ebc69b81af8c92291c2f0bd9d5c063591a5fbaa49845d14295f31cca6

        Download Submit

      • C:\Program Files\7-Zip\7z.exe
        Filesize

        570KB

        MD5

        6b85e5871238b7708611be5715fd8fd9

        SHA1

        b966a72e4ba761930af119ba5ff94ea0849fc1b5

        SHA256

        3f8e72dc661c2c67d28ab1d2ebddd9e9c17bb2fa6f7afb0682736d6ec2c3574b

        SHA512

        d78cd75c2b76546a2c966e8688e0365b92d267889c9a23c9b86a2439548234e6fb5780588b0444554f2044333b8fb7a30bc9d32ab9f2bd3a58c610e588471616

        Download Submit

      • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
        Filesize

        636KB

        MD5

        2500f702e2b9632127c14e4eaae5d424

        SHA1

        8726fef12958265214eeb58001c995629834b13a

        SHA256

        82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c

        SHA512

        f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a55E0.bat
        Filesize

        722B

        MD5

        f4b8989f21e1234350c6ece71a489f96

        SHA1

        a1c758197c82f947f93eeac2d73e697cbca43bef

        SHA256

        1d0f695fa1eab3f64b3d65d0ffb995686583cec0b26aa08d43743a7858bd2401

        SHA512

        3daa6fcfea37ac1c58170d6c5230e82bfc08a5361ca964a9041860b2bc5e03f5d47cd819bc4af474c8c7888105c8dc88614f4e114e17f63e21cccc886e1c5aa4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\6ba3bf0cd93e1aec91e757c8b39a2e32197975a3491ee80064a5046bcca42f90.exe.exe
        Filesize

        9KB

        MD5

        4b2ea001d25b0b0f4b6290b529e4a1b4

        SHA1

        243231fe70e96c11b23f3ca2243ee585ce242171

        SHA256

        e98833799281ebc8ec332c79fab96c7b77d3e973b5cb1a4a572f184979a3f682

        SHA512

        5622025b3bf181f003ec52371e7aebf0cd467c01555b8bce5e94d83d6bd4d8aff500655b963bb592e54032e086c9840716153bb44fb4be675c9436e114eba74b

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        abea7d94fba32bba6c1988a9a88d9e8b

        SHA1

        03ac57dcd4e36268a47a0c9fc1fe85d019945e0f

        SHA256

        187686d6eb8c7e66585c6c05a9423d8864a5bda8075e8f62c5b2219337c9b225

        SHA512

        c096cd538b82ca2472ce6358f2ee4f05f938944e2435bcdcba734779fdc17e34efc5221d894ec0ee84df8cc4b96f57532589fdb0cb85bfee69e62a29ef05ebfc

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-355664440-2199602304-1223909400-1000\_desktop.ini
        Filesize

        9B

        MD5

        5e45e0c42537212b4bfef35112ec91ba

        SHA1

        10c59c091fd35facc82bbc96938f118ce5a60546

        SHA256

        9f6b7a83161db36757e96dc40936aec1e5a9a41f9fca089f9cf5a4d695dd5ed5

        SHA512

        ee964e08687daa53fdc8e063402791acb104bd59f5d0f8a6d11d3e889db476315641c38032ade4177cd794b060f9fc4e6fd161989e452aae828c875c747e4bfb

        Download Submit

      • memory/2152-10-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2152-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3948-26-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3948-36-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3948-32-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3948-1226-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3948-19-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3948-4792-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3948-8-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3948-5231-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download