Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

d8d68a4cd2...d1.exe

windows7-x64

7

d8d68a4cd2...d1.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    108s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/04/2024, 02:14 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d8d68a4cd2cb9e6dc2b6a2deef71379db805b640a49ff87896e2b05514322dd1.exe

  • Size

    66KB

  • MD5

    8e7d06f73c3b09ef05898f8c4f25a12d

  • SHA1

    beb6e663072fc2cb0b9058a2dc0a862c4e847dab

  • SHA256

    d8d68a4cd2cb9e6dc2b6a2deef71379db805b640a49ff87896e2b05514322dd1

  • SHA512

    74ccd60b44ca1c1200534b3ee5aa2aaee1c7f281db3d6d88eccb199f5088f84686554c6e8f0aff0f4f62fe5a25fb94b3797c23193b8740c26449ed1537b011e3

  • SSDEEP

    1536:p3C3SHuJV9NBriw+d9bHrkT5gUHz7FxtJ:pSkuJVLBrBkfkT5xHzD

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3300
      • C:\Users\Admin\AppData\Local\Temp\d8d68a4cd2cb9e6dc2b6a2deef71379db805b640a49ff87896e2b05514322dd1.exe
        "C:\Users\Admin\AppData\Local\Temp\d8d68a4cd2cb9e6dc2b6a2deef71379db805b640a49ff87896e2b05514322dd1.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2252
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB17.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2240
          • C:\Users\Admin\AppData\Local\Temp\d8d68a4cd2cb9e6dc2b6a2deef71379db805b640a49ff87896e2b05514322dd1.exe
            "C:\Users\Admin\AppData\Local\Temp\d8d68a4cd2cb9e6dc2b6a2deef71379db805b640a49ff87896e2b05514322dd1.exe"
            4⤵
            • Executes dropped EXE
            PID:2900
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4732
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:820
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:1456
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4396 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:4672

        Network

        • flag-us
          DNS
          241.150.49.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          241.150.49.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          249.197.17.2.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          249.197.17.2.in-addr.arpa
          IN PTR
          Response
          249.197.17.2.in-addr.arpa
          IN PTR
          a2-17-197-249deploystaticakamaitechnologiescom
        • flag-us
          DNS
          14.160.190.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          14.160.190.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          95.221.229.192.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          95.221.229.192.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          95.221.229.192.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          95.221.229.192.in-addr.arpa
          IN PTR
        • flag-us
          DNS
          13.86.106.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          13.86.106.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          149.220.183.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          149.220.183.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          50.23.12.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          50.23.12.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          18.31.95.13.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          18.31.95.13.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          17.143.109.104.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          17.143.109.104.in-addr.arpa
          IN PTR
          Response
          17.143.109.104.in-addr.arpa
          IN PTR
          a104-109-143-17deploystaticakamaitechnologiescom
        • flag-us
          DNS
          96.136.73.23.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          96.136.73.23.in-addr.arpa
          IN PTR
          Response
          96.136.73.23.in-addr.arpa
          IN PTR
          a23-73-136-96deploystaticakamaitechnologiescom
        • flag-us
          DNS
          23.236.111.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          23.236.111.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          218.110.86.104.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          218.110.86.104.in-addr.arpa
          IN PTR
          Response
          218.110.86.104.in-addr.arpa
          IN PTR
          a104-86-110-218deploystaticakamaitechnologiescom
        • 142.250.187.234:443
          46 B
           40 B
           1
          1
        • 13.107.253.64:443
          46 B
           40 B
           1
          1
        • 8.8.8.8:53
          241.150.49.20.in-addr.arpa
          dns
          72 B
           158 B
           1
          1

          DNS Request

          241.150.49.20.in-addr.arpa

        • 8.8.8.8:53
          249.197.17.2.in-addr.arpa
          dns
          71 B
           135 B
           1
          1

          DNS Request

          249.197.17.2.in-addr.arpa

        • 8.8.8.8:53
          14.160.190.20.in-addr.arpa
          dns
          72 B
           158 B
           1
          1

          DNS Request

          14.160.190.20.in-addr.arpa

        • 8.8.8.8:53
          95.221.229.192.in-addr.arpa
          dns
          146 B
           144 B
           2
          1

          DNS Request

          95.221.229.192.in-addr.arpa

          DNS Request

          95.221.229.192.in-addr.arpa

        • 8.8.8.8:53
          13.86.106.20.in-addr.arpa
          dns
          71 B
           157 B
           1
          1

          DNS Request

          13.86.106.20.in-addr.arpa

        • 8.8.8.8:53
          149.220.183.52.in-addr.arpa
          dns
          73 B
           147 B
           1
          1

          DNS Request

          149.220.183.52.in-addr.arpa

        • 8.8.8.8:53
          50.23.12.20.in-addr.arpa
          dns
          70 B
           156 B
           1
          1

          DNS Request

          50.23.12.20.in-addr.arpa

        • 8.8.8.8:53
          18.31.95.13.in-addr.arpa
          dns
          70 B
           144 B
           1
          1

          DNS Request

          18.31.95.13.in-addr.arpa

        • 8.8.8.8:53
          17.143.109.104.in-addr.arpa
          dns
          73 B
           139 B
           1
          1

          DNS Request

          17.143.109.104.in-addr.arpa

        • 8.8.8.8:53
          96.136.73.23.in-addr.arpa
          dns
          71 B
           135 B
           1
          1

          DNS Request

          96.136.73.23.in-addr.arpa

        • 8.8.8.8:53
          23.236.111.52.in-addr.arpa
          dns
          72 B
           158 B
           1
          1

          DNS Request

          23.236.111.52.in-addr.arpa

        • 8.8.8.8:53
          218.110.86.104.in-addr.arpa
          dns
          73 B
           139 B
           1
          1

          DNS Request

          218.110.86.104.in-addr.arpa

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
          Filesize

          41KB

          MD5

          b9f374aaadad9fcad59af55d73719649

          SHA1

          33712387e466d06f5e4b26c54e8298c9861042af

          SHA256

          807d72b8f6ebdaacc86660f06f404d54e00eaba546c54258d3e105a835eafeb5

          SHA512

          9547abe2214af1f9fdc6558a613e1890f28d9dead4c131b56aa3ab1cbbf0b154719c4ebc46939717932afabaff42c2d7c345ccbaaa253a2749aae89d32757f9a

          Download Submit

        • C:\Program Files\ExportAdd.exe
          Filesize

          396KB

          MD5

          aadfa2155c6085c8ceee53471b7d6333

          SHA1

          8e595cef42bc3bda65af8ebe89f5ec437f7d499b

          SHA256

          f2628936221d41606b949c19a3ef2390f1b86c531fa90857c5e66b10b475d105

          SHA512

          dafeb74cf7ec6296bfbe7b9948388c67b97080d30f6f10b7aa96a5e26ec60ea4003c28b3870be59055bc8f0065517353d351af02e659dfd90a434a4d7de7d8cd

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\$$aB17.bat
          Filesize

          721B

          MD5

          b65b21e0db39fa82b4681d4c19ce62b7

          SHA1

          7e007641060c984a10b8b3bb869a1f2d150d6003

          SHA256

          e50f58d633e1c9e9e3995f3dab8b59328b7abf7abb3101f3b5065184dfd94629

          SHA512

          001d7680084b4c37a3b73be9c715579101e3015d1a934f77f246de8e81af2119e11c96b426d72098f1ca73d981ff6c4985f0da4bbc70aa6c3388a90597fa0543

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\d8d68a4cd2cb9e6dc2b6a2deef71379db805b640a49ff87896e2b05514322dd1.exe.exe
          Filesize

          36KB

          MD5

          9f498971cbe636662f3d210747d619e1

          SHA1

          44b8e2732fa1e2f204fc70eaa1cb406616250085

          SHA256

          8adf6748981c3e7b62f5dbca992be6675574fffbce7673743f2d7fe787d56a41

          SHA512

          b73083c2f7b028d2946cb8f7b4fe2289fedaa4175364a2aac37db0aeff4602aede772ccc9eba7e6dcfcb7276e52604ca45d8021952201b5834485b48bca3dc93

          Download Submit

        • C:\Windows\Logo1_.exe
          Filesize

          29KB

          MD5

          25953e4f0f0e4091d08c35a393bd1085

          SHA1

          ae497a759bf8fa1223e3afa4b54819b173d4be19

          SHA256

          809b14b494567b982e5c4b70c57c78362ea5eafaf81ade1e1a156cda75f70846

          SHA512

          3a25d7816bcf28fbb267e5fcc1f39e820c5b732cfced164e7110184d704e49b05b3cd298b7fc3108b59b9b403a32e8b24344cfd2d72dbe616837157ba3b03a6a

          Download Submit

        • F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\_desktop.ini
          Filesize

          9B

          MD5

          7ef570b2b21e58fd906ef1a980d64425

          SHA1

          18502489f652e74f8972bbfa100d5c163d719ab7

          SHA256

          c3ce1b9216b58ac7d9ed3b93e5e3a1d6a2473b53b5bc1f008a621def49517055

          SHA512

          e1175d861a79d62b85cd18661375f1c956dcc97e958765dc225f3aa4b0f0100ca9e17b9c61f5e18fc2a96e5167c0563f60645033aff1be1ec2f372c1b9a8b35f

          Download Submit

        • memory/2252-0-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/2252-12-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/4732-37-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/4732-33-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/4732-26-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/4732-42-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/4732-9-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/4732-172-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/4732-1182-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/4732-1975-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/4732-19-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/4732-4911-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        We care about your privacy.

        This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.