Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

952d326522...fa.exe

windows7-x64

7

952d326522...fa.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/04/2024, 23:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    952d326522fbaf4156a086a00448d98f5b40473d5d80c63bdb70eae915be1cfa.exe

  • Size

    1.2MB

  • MD5

    34ebee5b72631999ef9871c4b1c84c1a

  • SHA1

    861646e8d7d5b109ba0db2081c34a2bbc217e702

  • SHA256

    952d326522fbaf4156a086a00448d98f5b40473d5d80c63bdb70eae915be1cfa

  • SHA512

    f7f02c03b82e7bc7fbaf0461ca65c874c25a5a8e52acd83b111947f6b6f142c4aac829c0b46fe7ccefe956a7710127636c3e5d69e26686dcc52866b5603b9bb1

  • SSDEEP

    24576:r73CxCOhCN6w0fMuIO0ikei95gbJngYP+B/:r7yx4QApihi9TE+B/

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3372
      • C:\Users\Admin\AppData\Local\Temp\952d326522fbaf4156a086a00448d98f5b40473d5d80c63bdb70eae915be1cfa.exe
        "C:\Users\Admin\AppData\Local\Temp\952d326522fbaf4156a086a00448d98f5b40473d5d80c63bdb70eae915be1cfa.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2256
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aFDB9.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3368
          • C:\Users\Admin\AppData\Local\Temp\952d326522fbaf4156a086a00448d98f5b40473d5d80c63bdb70eae915be1cfa.exe
            "C:\Users\Admin\AppData\Local\Temp\952d326522fbaf4156a086a00448d98f5b40473d5d80c63bdb70eae915be1cfa.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of FindShellTrayWindow
            PID:3924
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:448
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3672
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:1592

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        5ee2cdec1926e512b07298828e6a16e9

        SHA1

        9055e19fa36d3819be08f664bd455e09daa96976

        SHA256

        204db46c64897889be1fe55c7dcae811d25ea9329f1bc914f6d125c0c049cd4f

        SHA512

        b4943d5ee694306386fd12d0cfda6b1626a62fb46fb02373ebccdac4228340c8bf1b01938fdc510da0028671241da63aaf31237bccd50b03b59c415508a53ecd

        Download Submit

      • C:\Program Files\UseEnable.exe
        Filesize

        415KB

        MD5

        34f2f4ece0c3154c4537cdf7560cacd2

        SHA1

        f170143e897dcb61c640a1c22fb6574946a162d2

        SHA256

        378148a3af2602660679231fd2730a93d1e76754e27ff67f7680084e3ac65456

        SHA512

        7b8c309b6801fcbcb121221db91e6400aa49d140dce61ae167ce3c0e203ad770dec37a2c7f5ea3c92486eba1cf946a575ef656299093de963e02f5e290c7f908

        Download Submit

      • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
        Filesize

        636KB

        MD5

        2500f702e2b9632127c14e4eaae5d424

        SHA1

        8726fef12958265214eeb58001c995629834b13a

        SHA256

        82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c

        SHA512

        f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$aFDB9.bat
        Filesize

        722B

        MD5

        5345529cbad97a9b9161ff66197356ec

        SHA1

        7557ab53b54d96d6aa99d0b92ca8efb1bfb9e3fe

        SHA256

        8e9424d24f80400ff11a3c0bbaf3f73957146e8a367980999b0b454d46e17c8f

        SHA512

        dde94024d3d4c143080d08ca83edf6a2661bb0bb02c2b5bb0ca0b2bc63dadf90edd98c7b0a2c498ef0549bd3d9ab38347d41f4aeebf71b5eb65b7c4248b0217f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\952d326522fbaf4156a086a00448d98f5b40473d5d80c63bdb70eae915be1cfa.exe.exe
        Filesize

        1.2MB

        MD5

        45252d9887c2fd2911d10ddfad8e89cf

        SHA1

        d3fdda55e532e14b8dd52fb9a9e133fe8ee45859

        SHA256

        8c80453f9e038b38a4c35ff5031c7ac6e6c1443455673ed89dde82375d19d11d

        SHA512

        5f42552cfe7192ce6a5ecf95a9acd6f3d9893e044e0b4d751a4b18a1ccab7aa9c4ad81076290ac560daca029a5b51887b20561088c40e9452d36673bb9e36e4b

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        2fc0271f4ad46eb9004c1bcc871507f9

        SHA1

        c19eec1855b06a258d6ad36b918acb9195d8726d

        SHA256

        2ef31759ef6142ad4fb90fb9ddba92d5dcc523de99302a4d6e8283344212de28

        SHA512

        d556c83033d22f99a8057188a1a9bf83ee71a17deef3bd594a2c383e7466a44999dc528d63542b9e4d5bd1f7e4713e4619def0fe66edadc50eb8e0b6cb9f0c96

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-355664440-2199602304-1223909400-1000\_desktop.ini
        Filesize

        9B

        MD5

        f29b71f66ac42a28a8d1e12a13d61861

        SHA1

        bd61fbc8b6eed4cae3fa29d7b950784258be10cd

        SHA256

        9a5e4ff44f8f5bb21798074ea03e493911b59680e37191522562dece826da1cf

        SHA512

        90c31cda60a9a63e3fa78e99f1104d1a9c9f811e11b62f75063b6007ae284c8c233b5d1235defab7ae0deec3b7892c85af9319219405c44d16fa29a3215f50e0

        Download Submit

      • memory/448-26-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/448-32-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/448-36-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/448-19-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/448-1227-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/448-10-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/448-4793-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/448-5232-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2256-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2256-8-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download