Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

ea5263d89b...a5.exe

windows7-x64

7

ea5263d89b...a5.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    09/05/2024, 14:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ea5263d89b8b9492c89bfd163417001f5237576e2ec7c5bead195a396a0184a5.exe

  • Size

    573KB

  • MD5

    89e33c39bc576ce1475c2b77dfbd26ab

  • SHA1

    141426cc4624a52ab9903dd59c964d9e2b96f591

  • SHA256

    ea5263d89b8b9492c89bfd163417001f5237576e2ec7c5bead195a396a0184a5

  • SHA512

    873cf261ef4ece65c1f8f2084d6a9571f736d39e0f63de64beaeb8a3f1c583308872dbad450e3ca404416f882c8b8a705bb89194eba9a2c157f7bdf97fb7e138

  • SSDEEP

    6144:OuJpE7cV3iwbAFRWAbd4nf0H05yqE6Hl0ChW0+ksllAXBu0lWGWUJJQ4t0BHQQfu:G7a3iwbihym2g7XO3LWUQfh4Co

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1284
      • C:\Users\Admin\AppData\Local\Temp\ea5263d89b8b9492c89bfd163417001f5237576e2ec7c5bead195a396a0184a5.exe
        "C:\Users\Admin\AppData\Local\Temp\ea5263d89b8b9492c89bfd163417001f5237576e2ec7c5bead195a396a0184a5.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2128
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a231A.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2756
          • C:\Users\Admin\AppData\Local\Temp\ea5263d89b8b9492c89bfd163417001f5237576e2ec7c5bead195a396a0184a5.exe
            "C:\Users\Admin\AppData\Local\Temp\ea5263d89b8b9492c89bfd163417001f5237576e2ec7c5bead195a396a0184a5.exe"
            4⤵
            • Executes dropped EXE
            PID:2684
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2080
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2248
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2568

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        254KB

        MD5

        6dbfa871d18aa4c685e00f03cc40e191

        SHA1

        ef9dba44feb63da5dcc1859ea9705622b2cee7bc

        SHA256

        33d8e5692cce3bda96d8788ed5fb77cec05be84e18c511df639e13cd6062d6a8

        SHA512

        cacf2c539ef66fa01408d568a35c9b556e2e4fc7687e0e8371d5a3906722603f2853792cf3468e4fca1432e809569dfd80b21edb54ac2c747a78e454c67e45c1

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        474KB

        MD5

        ba4aad1c708a17aec1e5e73cfb94e6b0

        SHA1

        494510ded064f7ac8ce261301b64dce9c0e23dd7

        SHA256

        5088353f6ff05c644d05f09e324a46f38a561c815f50eb7dc4a8378f49c7587e

        SHA512

        29b0603190eafba6a03c1dce970501dfe796e642e6d9d5cb9a2e7c9312cad74e5b1126c6bf9bcabfd740a760bef2ea28289d9b9b773ea3e84dc0af726656be5f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a231A.bat
        Filesize

        722B

        MD5

        49b2bdb771f918ae113eab5a4c5825e3

        SHA1

        f35ed88516be4bbadac12768b507585d9512b841

        SHA256

        03240d82ba136a3d92902d04c36bd6284ec2a5b2a23c003843add3218c508cbe

        SHA512

        675e4dc55ff518cb9c8b68be6319ed296205aee8e4dbe0bfc9f21193602dffedc044f5ff470103b1e9ac79430f3ecc3c60250ba6ae8e77f4232dd2a8848d6d4c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\ea5263d89b8b9492c89bfd163417001f5237576e2ec7c5bead195a396a0184a5.exe.exe
        Filesize

        544KB

        MD5

        9a1dd1d96481d61934dcc2d568971d06

        SHA1

        f136ef9bf8bd2fc753292fb5b7cf173a22675fb3

        SHA256

        8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525

        SHA512

        7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa

        Download Submit

      • C:\Windows\rundl132.exe
        Filesize

        29KB

        MD5

        693e6f028a3f9f068a0b5e7250537d55

        SHA1

        2c79b8c2a6f4ebac7bf248a36d561fdc2b3532ff

        SHA256

        862b4192b217938a0a759e4ff19510ba65521b62927794e45a13b666ac90be72

        SHA512

        3645bc60a4185bc11f698608b757bd8d1181c7bba3b0ff801df0c40b9c721acab28352c947a4f93647fec238616af0b43f1f1d7a066617ddbe1c1eed858d5d4a

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\_desktop.ini
        Filesize

        8B

        MD5

        d970a2bfcaa076939c06270d1a48dec8

        SHA1

        7a558f4d64c3e98bcfd2af83f28e6fbd207a39e1

        SHA256

        bdc6872f9a0a011a670907f0fedad9b88e283c5af545cf9f6bd73c3709967d44

        SHA512

        ea4c16930628455852ce343f8ae248b6df869b8da10b10928ebb802129f73d9761971811de317c7d3121b815340027782ec15d385d1d2d7df8fd0a46b62974c2

        Download Submit

      • memory/1284-29-0x0000000002E80000-0x0000000002E81000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2080-21-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2080-31-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2080-38-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2080-44-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2080-90-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2080-96-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2080-826-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2080-1850-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2080-2929-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2080-3310-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2128-0-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2128-16-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download