Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

50db4b6d47...fa.exe

windows7-x64

7

50db4b6d47...fa.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    25/04/2024, 03:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    50db4b6d47d6ee250bdd29ded1494975ea7786c200375a588d537cec2470fdfa.exe

  • Size

    198KB

  • MD5

    99b47abf81854e17c735e3e31335a6d6

  • SHA1

    42edecb5b007ec65b57f7fb5de05bd591416183d

  • SHA256

    50db4b6d47d6ee250bdd29ded1494975ea7786c200375a588d537cec2470fdfa

  • SHA512

    a1e583b9ae3988429df71044a926970536ae1d6ebeb65d5352f8ac31e10c191cc13443a04d95e01f81c871d3b1e88d9805649c5ecf89e5c4cd359be3f84c62dc

  • SSDEEP

    3072:mftffjmNvV+jEciNTtJ4StA5UdkrNoMO7ibp/:eVfjmNvV+EcItvUrOMO7ibp

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1084
      • C:\Users\Admin\AppData\Local\Temp\50db4b6d47d6ee250bdd29ded1494975ea7786c200375a588d537cec2470fdfa.exe
        "C:\Users\Admin\AppData\Local\Temp\50db4b6d47d6ee250bdd29ded1494975ea7786c200375a588d537cec2470fdfa.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1712
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aFD9.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2932
          • C:\Users\Admin\AppData\Local\Temp\50db4b6d47d6ee250bdd29ded1494975ea7786c200375a588d537cec2470fdfa.exe
            "C:\Users\Admin\AppData\Local\Temp\50db4b6d47d6ee250bdd29ded1494975ea7786c200375a588d537cec2470fdfa.exe"
            4⤵
            • Executes dropped EXE
            PID:2624
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2968
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2584
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2548

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        88ba822de7a42e1f02244644aaff2acb

        SHA1

        abf7bfdb2dc02fafbcf3fb9f78ee37d6fece441b

        SHA256

        5d907f41150eba00c206a1c08a44df023db9697494d6b58e4f81de810982ab0e

        SHA512

        6c95d200afb3d0fd574407a77bf1b07de7cd18684598ff2b8face4ab4bd56f0212030dff0c2bb0813b6599ffebcbec2cdb39c7f9e70d2724babe0740bace3fd0

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        471KB

        MD5

        4cfdb20b04aa239d6f9e83084d5d0a77

        SHA1

        f22863e04cc1fd4435f785993ede165bd8245ac6

        SHA256

        30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

        SHA512

        35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$aFD9.bat
        Filesize

        721B

        MD5

        fbf7f69ecc49832eb5a36acdd12fbc8e

        SHA1

        50239a8c76f106ec672a298e7cb94e65be4de5d8

        SHA256

        042cec5b6adf24476b7bfd791b01c2b29a8cb13309960f19e3848082873c9fc3

        SHA512

        8c2c794b9ff4e4b830d55ffa5e764437feef3445f24d460180c91599d12edf5628a1935b19f0f3f429417a7cdbc72459d66af072ae1d450a4bb6c3b5fe421d1d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\50db4b6d47d6ee250bdd29ded1494975ea7786c200375a588d537cec2470fdfa.exe.exe
        Filesize

        171KB

        MD5

        982d6239748d730c26bdd99cb3811b50

        SHA1

        ae930e0eda47bffa2cd55bcb701f47fd38b9f64d

        SHA256

        2d471ecc0a7f16be9f473aeb3c3b0453e381454460b24f9a03659f2077e648ab

        SHA512

        8ca0b20f8311b252391f52f325510b3d4ede6143359091c3e19753c8642022639dac023f31eb018da376f2f327cfd80ec5ed1e487c012838f864b786901c1ac6

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        b92134f69d03e7b0b2a302aa33e00411

        SHA1

        0df5f0345c347fcecae91e21f66ae9ca235d1e8d

        SHA256

        5bf27156970c49ad3c066689a9117b0ca2f4bb12187059e378e916a1b3cac930

        SHA512

        348c223e0159d783017d1f142de608df5997008c6c5665005fb4be8f20054b34bbe79736c05b12eeb303414c63ae10a198b8e91855c78a1a2d5fbf71c452d08e

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\_desktop.ini
        Filesize

        9B

        MD5

        7ef570b2b21e58fd906ef1a980d64425

        SHA1

        18502489f652e74f8972bbfa100d5c163d719ab7

        SHA256

        c3ce1b9216b58ac7d9ed3b93e5e3a1d6a2473b53b5bc1f008a621def49517055

        SHA512

        e1175d861a79d62b85cd18661375f1c956dcc97e958765dc225f3aa4b0f0100ca9e17b9c61f5e18fc2a96e5167c0563f60645033aff1be1ec2f372c1b9a8b35f

        Download Submit

      • memory/1084-30-0x0000000002D70000-0x0000000002D71000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1712-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1712-16-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1712-12-0x0000000000440000-0x0000000000474000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2968-39-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2968-45-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2968-91-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2968-97-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2968-852-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2968-1850-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2968-32-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2968-2536-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2968-3310-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2968-21-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download