Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

6

Static

static

3

7fbae18fef...87.exe

windows7-x64

6

7fbae18fef...87.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    30/04/2024, 23:14 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7fbae18fef5a61c7a2baaef16525a2e0e585018b92802ef0fcd0a23720009087.exe

  • Size

    26KB

  • MD5

    3d153dcacff504f7b5e164da6832ddf9

  • SHA1

    c404f0efda88c7591ede4c2d70fd148cc331a5b1

  • SHA256

    7fbae18fef5a61c7a2baaef16525a2e0e585018b92802ef0fcd0a23720009087

  • SHA512

    1fdcae0ad2560165b38623c5f22ec3d1d4754506f3f41f2017bbdc1e93180abc30e52e18e559e4963442655ad39981f64efee64e81dc5dc392cc69087a212068

  • SSDEEP

    768:1b7oa1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoL:JFfgLdQAQfcfymN

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1216
      • C:\Users\Admin\AppData\Local\Temp\7fbae18fef5a61c7a2baaef16525a2e0e585018b92802ef0fcd0a23720009087.exe
        "C:\Users\Admin\AppData\Local\Temp\7fbae18fef5a61c7a2baaef16525a2e0e585018b92802ef0fcd0a23720009087.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2904
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2980
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2652

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        d8cb7b3c27b3b340bc1a0d9391017245

        SHA1

        36edcfc65a850f79fd76fecb3b7b03279282476a

        SHA256

        0203708ac7539e40ba4f1c3bbfeea05d2c100a50b2a897dec1fa4e9b94e5ce22

        SHA512

        9fb05290233faebb8b6d107eac654b4c64a6f34cb7fe82a3c9184894b19a540588d246556cb00c6bf2e61b6b54f0483eca23326894a992bd56097ccc17efe597

        Download Submit

      • C:\Program Files\7-Zip\7z.exe
        Filesize

        570KB

        MD5

        a417b7615f06f1bb8bbcec88fe7e7302

        SHA1

        6cdda59bf3179f13c7a5323567f844453e36a249

        SHA256

        b45e725cd67149546a774f6cb02d3026144bfc515c6e83a59423672176e38ee5

        SHA512

        b3389fee4043f373cf7223227cee4137191c2f6b305df0866fef48d3cc4c4d7aded8d930831ca6cdbfd34268007010f64c694dc38617f2c9a2fe9732a5f42e1d

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        471KB

        MD5

        4cfdb20b04aa239d6f9e83084d5d0a77

        SHA1

        f22863e04cc1fd4435f785993ede165bd8245ac6

        SHA256

        30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

        SHA512

        35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\_desktop.ini
        Filesize

        9B

        MD5

        3441ca64b7a268fd1abb0c149aa9e827

        SHA1

        977a6be7624a5ff4ea1de4f422b44b4974c17827

        SHA256

        fafa54a384b4b9bfe970b0e803afe0c0284021acca503892961170d49985dd99

        SHA512

        84d8adce555267049d33544c4402eaa9bb3ff2022fd76cd619e4cb1fd544c5825cd7769065dd525b58e3befd579d3dd11ec2e0032907ff7dd36f83975b5b5848

        Download Submit

      • memory/1216-5-0x0000000002E10000-0x0000000002E11000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2904-66-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2904-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2904-72-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2904-20-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2904-642-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2904-1825-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2904-2311-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2904-14-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2904-3285-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2904-7-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.