Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

6

Static

static

3

fda8aed762...63.exe

windows7-x64

6

fda8aed762...63.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    149s
  • max time network
    53s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/05/2024, 06:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fda8aed7621f9b981120eb955108a4bcf3f71a8522ce67731047ea0c5bf0e663.exe

  • Size

    26KB

  • MD5

    53f6a9b44b3d144149d4cf94458629c1

  • SHA1

    b5b3a4ee1466cb9dffb334fd7c209981e05d2a92

  • SHA256

    fda8aed7621f9b981120eb955108a4bcf3f71a8522ce67731047ea0c5bf0e663

  • SHA512

    436ca1fb0d44a0de231bdcb6b9f508f424e1cec454c4bbe2949c6d255cd0cf264fbaa620322839bb3253a9130ddb78769ec54880282bc2479b196cb9625d1b81

  • SSDEEP

    768:+1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoL:YfgLdQAQfcfymN

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3468
      • C:\Users\Admin\AppData\Local\Temp\fda8aed7621f9b981120eb955108a4bcf3f71a8522ce67731047ea0c5bf0e663.exe
        "C:\Users\Admin\AppData\Local\Temp\fda8aed7621f9b981120eb955108a4bcf3f71a8522ce67731047ea0c5bf0e663.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2508
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4852
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:3392

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
        Filesize

        244KB

        MD5

        2ebc7b8b3ad04929dbee5950e0ad8064

        SHA1

        02223b9f7827d99173a2106b5291055dec4ef5c3

        SHA256

        8ec4c55074feacf094a18ae5140be8469a9bad8fc72b02b8c96ef0d5a430bd19

        SHA512

        21faf153e113b576f2577554105ad3d1610fa5062130563cf314eef1b706f4fb6c3bc74748344192abb602f8cf6c4f2c421e5bb151d07991aeb30b460e47b818

        Download Submit

      • C:\Program Files\dotnet\dotnet.exe
        Filesize

        170KB

        MD5

        e96134a85ae17c9799f9e9791f7d7cf0

        SHA1

        58a444ac1773b2bb268152ea0f8191db4564ae63

        SHA256

        e2b5f6d690079e9cd910805c08f7c816bdab5a5d8da8c51b949aa4961e6670b5

        SHA512

        2aa54c29ac798a45cd77ce9d1f09449291388b557c8d5466daeebe5500ad251f91d1a41c8fdfb13121c912744eb4798dc77101101564ba8ad383796a3274c2ea

        Download Submit

      • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
        Filesize

        636KB

        MD5

        2500f702e2b9632127c14e4eaae5d424

        SHA1

        8726fef12958265214eeb58001c995629834b13a

        SHA256

        82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c

        SHA512

        f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-3726321484-1950364574-433157660-1000\_desktop.ini
        Filesize

        8B

        MD5

        35a8ee2041a708d5071bff39818311c3

        SHA1

        31114ee16a39b8ada4130a94c1c36ed74a563d2a

        SHA256

        b2405b086204a9155a2dabf58717e53695089ece5d0af208cb960473ba350f8b

        SHA512

        f17fa8c794a47b0134ac4d8e83010e8dce1a0f2ab74a400c571d6470737e386f4eb1351be6c5b153dc063c49d333b69ddf67871d2e0ffb3c02d243be0015f1f0

        Download Submit

      • memory/2508-12-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2508-19-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2508-22-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2508-14-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2508-1223-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2508-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2508-4786-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2508-5-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2508-5249-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download