Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

6

Static

static

3

eb1455ac4f...d2.exe

windows7-x64

6

eb1455ac4f...d2.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    25/04/2024, 02:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eb1455ac4f56a967b88b511299b4e4b427b10357679358571f24d49fb1e01fd2.exe

  • Size

    26KB

  • MD5

    3f2d3014196588ffc6fc985863a505d5

  • SHA1

    cd523f7c44dc62e45c5df5c60f732b1c4ecb661e

  • SHA256

    eb1455ac4f56a967b88b511299b4e4b427b10357679358571f24d49fb1e01fd2

  • SHA512

    c22ec9c25a5ff334d53a725981466df13b82afd6a6d02b2eb3e84a07672ee5ccd461e2f8df8f3751fef7c8fcd0adb39b62f76b0f4730e0c143a3fcb0e5235887

  • SSDEEP

    768:yo1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoZw:ZfgLdQAQfcfymN

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1208
      • C:\Users\Admin\AppData\Local\Temp\eb1455ac4f56a967b88b511299b4e4b427b10357679358571f24d49fb1e01fd2.exe
        "C:\Users\Admin\AppData\Local\Temp\eb1455ac4f56a967b88b511299b4e4b427b10357679358571f24d49fb1e01fd2.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1132
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1252
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2716

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        68deb4d631c6a05b27aa65c94161278e

        SHA1

        2a44c22aba6a43c80f634683e32cdbf74d052b06

        SHA256

        980448f135cd9735d7e80480222331c6b0f6cbf7482f4ad7dd29f314fbb3f60d

        SHA512

        c8e7f3b83eac9e8052652d78e262fe1376597a2d582bd43e3553432592e65458d72ff8e50dd6795971c2d0dbd5fd6d6575d266accf360b87f3945cb3a062f4c4

        Download Submit

      • C:\Program Files\7-Zip\7zFM.exe
        Filesize

        956KB

        MD5

        e233a156a52ae968f1c9242a8526d268

        SHA1

        6a9ea8c88dcbb95ab7d7ab38bda5da9eb843f9fc

        SHA256

        3d658b9684dca17c6756ae122295c6b5ef6f92bb405aa37c53511208ef2cf691

        SHA512

        5494b029903dbcd809f67f0259457973e3f1cb95c1f21ea86713e08c46099aa4cdeffddb67f8003cb8fde151b39b7dd281071d1e0f313a178310edefa8fd6a85

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        471KB

        MD5

        99ea9b604a7a734d3087fa6159684c42

        SHA1

        709fa1068ad4d560fe03e05b68056f1b0bedbfc8

        SHA256

        3f733f9e6fec7c4165ca8ba41eb23f604a248babe794c4ad2c6c3ce8032aab1c

        SHA512

        7af8008c7e187f925c62efc97e1891a7a38d089302dba39fbde137fb895e0592847ed0982c824c2075be8e6b95b6ce165ecb848ab85adf53779ebef613410fbb

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\_desktop.ini
        Filesize

        9B

        MD5

        7ef570b2b21e58fd906ef1a980d64425

        SHA1

        18502489f652e74f8972bbfa100d5c163d719ab7

        SHA256

        c3ce1b9216b58ac7d9ed3b93e5e3a1d6a2473b53b5bc1f008a621def49517055

        SHA512

        e1175d861a79d62b85cd18661375f1c956dcc97e958765dc225f3aa4b0f0100ca9e17b9c61f5e18fc2a96e5167c0563f60645033aff1be1ec2f372c1b9a8b35f

        Download Submit

      • memory/1132-67-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1132-21-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1132-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1132-73-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1132-15-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1132-754-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1132-1826-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1132-8-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1132-3019-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1132-3286-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1208-5-0x0000000002510000-0x0000000002511000-memory.dmp

        Filesize

        4KB

        Download