Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

9ad0994e12...ca.exe

windows7-x64

7

9ad0994e12...ca.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    49s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/04/2024, 10:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9ad0994e12c7eaa1ea87b669c193e66e6afdc36935829e61216894dd2dc1baca.exe

  • Size

    1.3MB

  • MD5

    cc7aaca312222c595d5f4a3a9b6f192d

  • SHA1

    cb0d26b9fd1ba13a77313298cff08fa737a1b094

  • SHA256

    9ad0994e12c7eaa1ea87b669c193e66e6afdc36935829e61216894dd2dc1baca

  • SHA512

    07f4af9958ec0dc880829b758b8e168ddf4e4921c4fdb100137652d1f879b9a8a15c43417d4a301f738d7b08bb238b5d24166bbd40283d55e32af002060cd2fc

  • SSDEEP

    24576:efkcVkJdyWm5QlmxR++iN95RoayqVSF1M+VHQE7Zrbe:efkcVkJdyrAL5RojIw1M+Rj

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3412
      • C:\Users\Admin\AppData\Local\Temp\9ad0994e12c7eaa1ea87b669c193e66e6afdc36935829e61216894dd2dc1baca.exe
        "C:\Users\Admin\AppData\Local\Temp\9ad0994e12c7eaa1ea87b669c193e66e6afdc36935829e61216894dd2dc1baca.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2180
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a44E8.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4324
          • C:\Users\Admin\AppData\Local\Temp\9ad0994e12c7eaa1ea87b669c193e66e6afdc36935829e61216894dd2dc1baca.exe
            "C:\Users\Admin\AppData\Local\Temp\9ad0994e12c7eaa1ea87b669c193e66e6afdc36935829e61216894dd2dc1baca.exe"
            4⤵
            • Executes dropped EXE
            PID:644
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3384
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2980
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2820

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
        Filesize

        247KB

        MD5

        e6b371e15c02fa6ccb842de8c90c676b

        SHA1

        988c37ffd9f6ae9dd5a43ec75b7a4edccba65b09

        SHA256

        71b8974c5064541565bbbf3f77d07475ef90084fd02f2bf7ea42fe50a8169e93

        SHA512

        21eff79a35e439eda87aeafa4d48af524f89fb7febb8d00b3b72389297e12aef92000be601435297af8d1b247816b0ce19585ecf4d4648f3e568fdf3aebdcb3d

        Download Submit

      • C:\Program Files\7-Zip\7z.exe
        Filesize

        573KB

        MD5

        d4f52b5e548600d6f77ec2fc4377e071

        SHA1

        543a1052f2432ecf61c949dd9526a5fb949571a0

        SHA256

        24b3cce6cc9446ec53bb225b2ea7dce5feee9393c55e72ceed0eab00fe1ebcd0

        SHA512

        941da9fe7d625e0bcf6e35022cf66ac7b8a4db61feff9f311c02fe2284ec4a3eb50f5d342799e164a90112f3d2fad494ef108d70e9be3c136bf4549f2cf9a482

        Download Submit

      • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
        Filesize

        639KB

        MD5

        f2ad2f9e953da4b8ce5c6c5466404e8e

        SHA1

        4199d48621b97b02da68707263885e7e6bb0c426

        SHA256

        3d7634c6358258ce94ba5792ba4846f4688f6c62c04e24a884a30cd5590baf7b

        SHA512

        74cbd31460102e8734877520b3dc85778476b17b0fa2777c4320a3af50d50d3b39356cd73d5425b4ac57f51ed54442eb7605413e1e2ce0d58d371f28fb301faf

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a44E8.bat
        Filesize

        722B

        MD5

        0b4be9ec2d9f182c83b74c83ebe74683

        SHA1

        8463c1b8eccd20e6bf7f932054543398704a9266

        SHA256

        2693e6624c4549991145519d85bdc48dd1117dba48cfe2febd61de5b502273a9

        SHA512

        e66c473a7c9dabb67690481f5323379d999920f8d7fab7904c81e9ad66fd681f6ed2f3e4a52ce51a913c8ddc27f9b8139180050de257dbb45fa4c721c3b92707

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\9ad0994e12c7eaa1ea87b669c193e66e6afdc36935829e61216894dd2dc1baca.exe.exe
        Filesize

        1.3MB

        MD5

        32a8874646fd9ff308cd7d550c9b8c3a

        SHA1

        bb94615961d98df10f17eb0e69edbd6c860def80

        SHA256

        018b89a03419e447793f0858244b7f8133ef16b13b224018166ffb0e3433eb95

        SHA512

        d47e9dfe3b233e4a8e24ffb4dd9f1b7c2649cf597ff7981b7fd488d62a20debac320093829624758294697ba509923ae79b8d79e54d3acf67d1e3a5a554bad6f

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        29KB

        MD5

        613ebc2c6b3cd0a071abf2ce8f025c87

        SHA1

        466db64217d98d6a149f2538bb7d6f569ce18cd7

        SHA256

        c7120fe704982e0bf67d30a32e48ccb5f84d4d9702c193599b397eda84cd849e

        SHA512

        3328a8ef51ae65a1ded3ad33b862c479919f30915d5f47f722622a390eb2486bb1a821c841381d1f39b09c6f06388114add299a4a280d1ed0ccdeefb5a31a530

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-3726321484-1950364574-433157660-1000\_desktop.ini
        Filesize

        9B

        MD5

        73b8aef84e892e3f77d41747dce253db

        SHA1

        d642a92c96e4ed570d998a73e42fc24fafe8caf9

        SHA256

        a81f7465f537233bbd4b8fa9034e52a8ceffcdf97bf36244c4d404ebec14eb24

        SHA512

        9b0690efee220355932375db333b5487c369ca9fdcf8497bcb5283d78d21fb4fefb7c06bbe533fb1f18fd3b32256a013090af6dd957b9d09cc373d0d5b89cf6d

        Download Submit

      • memory/2180-8-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2180-0-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3384-26-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3384-36-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3384-33-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3384-1236-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3384-19-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3384-4800-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3384-9-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3384-5263-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download