Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

6

Static

static

3

7fbae18fef...87.exe

windows7-x64

6

7fbae18fef...87.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/04/2024, 23:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7fbae18fef5a61c7a2baaef16525a2e0e585018b92802ef0fcd0a23720009087.exe

  • Size

    26KB

  • MD5

    3d153dcacff504f7b5e164da6832ddf9

  • SHA1

    c404f0efda88c7591ede4c2d70fd148cc331a5b1

  • SHA256

    7fbae18fef5a61c7a2baaef16525a2e0e585018b92802ef0fcd0a23720009087

  • SHA512

    1fdcae0ad2560165b38623c5f22ec3d1d4754506f3f41f2017bbdc1e93180abc30e52e18e559e4963442655ad39981f64efee64e81dc5dc392cc69087a212068

  • SSDEEP

    768:1b7oa1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoL:JFfgLdQAQfcfymN

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3484
      • C:\Users\Admin\AppData\Local\Temp\7fbae18fef5a61c7a2baaef16525a2e0e585018b92802ef0fcd0a23720009087.exe
        "C:\Users\Admin\AppData\Local\Temp\7fbae18fef5a61c7a2baaef16525a2e0e585018b92802ef0fcd0a23720009087.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4388
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1616
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:4852

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
        Filesize

        244KB

        MD5

        79cd7056da6e7321c681a1d9b9317ac3

        SHA1

        37fc38b9642cc7992df7a4e5cf84a28f98f1c834

        SHA256

        aabbf665f2f0796d26cfa422d948970b1a7447001df3688f0faa022330123ded

        SHA512

        b3c8fc79c7ae9f324339d34a354a4364bfad7b060d21e7f1c8205bd4af6bcea98fa27074719641e35c47d42b251055e996ba47018360c6d21e2e9eaebfa508ae

        Download Submit

      • C:\Program Files\dotnet\dotnet.exe
        Filesize

        170KB

        MD5

        6d48f0b001917db36c5a94900043a01f

        SHA1

        54a2cc4ffb10c1cdeac74f6bbaf7c56ba969a015

        SHA256

        8642ab4417607cb31d4588fcda4dc442bf4ba4d9a59265bbdc65eab47f6445c9

        SHA512

        b8caf44b3e9b343f3bfdea9ede06a93a9f926d5e4cf5c95a5580c14690a02f652cfe36e1e48c55e415f959e46b0eef861021a562f7c35e03ac98395ff0bd8de0

        Download Submit

      • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
        Filesize

        636KB

        MD5

        2500f702e2b9632127c14e4eaae5d424

        SHA1

        8726fef12958265214eeb58001c995629834b13a

        SHA256

        82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c

        SHA512

        f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-3726321484-1950364574-433157660-1000\_desktop.ini
        Filesize

        9B

        MD5

        3441ca64b7a268fd1abb0c149aa9e827

        SHA1

        977a6be7624a5ff4ea1de4f422b44b4974c17827

        SHA256

        fafa54a384b4b9bfe970b0e803afe0c0284021acca503892961170d49985dd99

        SHA512

        84d8adce555267049d33544c4402eaa9bb3ff2022fd76cd619e4cb1fd544c5825cd7769065dd525b58e3befd579d3dd11ec2e0032907ff7dd36f83975b5b5848

        Download Submit

      • memory/4388-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4388-5-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4388-12-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4388-18-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4388-22-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4388-1222-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4388-4786-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4388-5249-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download