Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

6

Static

static

3

fda8aed762...63.exe

windows7-x64

6

fda8aed762...63.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    01/05/2024, 06:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fda8aed7621f9b981120eb955108a4bcf3f71a8522ce67731047ea0c5bf0e663.exe

  • Size

    26KB

  • MD5

    53f6a9b44b3d144149d4cf94458629c1

  • SHA1

    b5b3a4ee1466cb9dffb334fd7c209981e05d2a92

  • SHA256

    fda8aed7621f9b981120eb955108a4bcf3f71a8522ce67731047ea0c5bf0e663

  • SHA512

    436ca1fb0d44a0de231bdcb6b9f508f424e1cec454c4bbe2949c6d255cd0cf264fbaa620322839bb3253a9130ddb78769ec54880282bc2479b196cb9625d1b81

  • SSDEEP

    768:+1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoL:YfgLdQAQfcfymN

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1192
      • C:\Users\Admin\AppData\Local\Temp\fda8aed7621f9b981120eb955108a4bcf3f71a8522ce67731047ea0c5bf0e663.exe
        "C:\Users\Admin\AppData\Local\Temp\fda8aed7621f9b981120eb955108a4bcf3f71a8522ce67731047ea0c5bf0e663.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2428
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2464
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1648

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        ba55d6ba6a68791d94429483c57e588d

        SHA1

        30ef1d29307c594cb879b6effc80daab6c6e2b46

        SHA256

        03ea9761b0ddbf5d7389aaabfc63907cfca83f346effb0b92c67372a1f5ae81d

        SHA512

        373b8bbcd9a69c86571896989488fda9f2d24967e3cd988b43c6a0c69e363a4ffcb0fae81d58a938cc3fc594a9c4f4429d629ea4c6c13963788bc5d6b10d5fc1

        Download Submit

      • C:\Program Files\7-Zip\7zFM.exe
        Filesize

        956KB

        MD5

        11d867c02b4f5964c4540078819c80e8

        SHA1

        71fa60a537b2aea9c4d02c9361127c1d1dbda075

        SHA256

        937d48be7c8b694c5425cf88187c7f1dd4774e97396f11feb2abcba15247a90b

        SHA512

        819b94e3e60b6bfce054d3dd0c5da1a4defcdeac22fe7ab1e1dbd80d6d8b91f9b1e76b00639714e3e5369999f42387655ee7b0e2f328a077475f3bf71cf80995

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        471KB

        MD5

        4cfdb20b04aa239d6f9e83084d5d0a77

        SHA1

        f22863e04cc1fd4435f785993ede165bd8245ac6

        SHA256

        30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

        SHA512

        35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-481678230-3773327859-3495911762-1000\_desktop.ini
        Filesize

        8B

        MD5

        35a8ee2041a708d5071bff39818311c3

        SHA1

        31114ee16a39b8ada4130a94c1c36ed74a563d2a

        SHA256

        b2405b086204a9155a2dabf58717e53695089ece5d0af208cb960473ba350f8b

        SHA512

        f17fa8c794a47b0134ac4d8e83010e8dce1a0f2ab74a400c571d6470737e386f4eb1351be6c5b153dc063c49d333b69ddf67871d2e0ffb3c02d243be0015f1f0

        Download Submit

      • memory/1192-5-0x0000000002550000-0x0000000002551000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2428-66-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2428-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2428-72-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2428-20-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2428-513-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2428-1849-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2428-1991-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2428-14-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2428-3309-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2428-7-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download