Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

ea5263d89b...a5.exe

windows7-x64

7

ea5263d89b...a5.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/05/2024, 14:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ea5263d89b8b9492c89bfd163417001f5237576e2ec7c5bead195a396a0184a5.exe

  • Size

    573KB

  • MD5

    89e33c39bc576ce1475c2b77dfbd26ab

  • SHA1

    141426cc4624a52ab9903dd59c964d9e2b96f591

  • SHA256

    ea5263d89b8b9492c89bfd163417001f5237576e2ec7c5bead195a396a0184a5

  • SHA512

    873cf261ef4ece65c1f8f2084d6a9571f736d39e0f63de64beaeb8a3f1c583308872dbad450e3ca404416f882c8b8a705bb89194eba9a2c157f7bdf97fb7e138

  • SSDEEP

    6144:OuJpE7cV3iwbAFRWAbd4nf0H05yqE6Hl0ChW0+ksllAXBu0lWGWUJJQ4t0BHQQfu:G7a3iwbihym2g7XO3LWUQfh4Co

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3440
      • C:\Users\Admin\AppData\Local\Temp\ea5263d89b8b9492c89bfd163417001f5237576e2ec7c5bead195a396a0184a5.exe
        "C:\Users\Admin\AppData\Local\Temp\ea5263d89b8b9492c89bfd163417001f5237576e2ec7c5bead195a396a0184a5.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2396
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a39EC.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4252
          • C:\Users\Admin\AppData\Local\Temp\ea5263d89b8b9492c89bfd163417001f5237576e2ec7c5bead195a396a0184a5.exe
            "C:\Users\Admin\AppData\Local\Temp\ea5263d89b8b9492c89bfd163417001f5237576e2ec7c5bead195a396a0184a5.exe"
            4⤵
            • Executes dropped EXE
            PID:1352
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3988
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3640
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:4364

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        254KB

        MD5

        6dbfa871d18aa4c685e00f03cc40e191

        SHA1

        ef9dba44feb63da5dcc1859ea9705622b2cee7bc

        SHA256

        33d8e5692cce3bda96d8788ed5fb77cec05be84e18c511df639e13cd6062d6a8

        SHA512

        cacf2c539ef66fa01408d568a35c9b556e2e4fc7687e0e8371d5a3906722603f2853792cf3468e4fca1432e809569dfd80b21edb54ac2c747a78e454c67e45c1

        Download Submit

      • C:\Program Files\7-Zip\7z.exe
        Filesize

        573KB

        MD5

        89e33c39bc576ce1475c2b77dfbd26ab

        SHA1

        141426cc4624a52ab9903dd59c964d9e2b96f591

        SHA256

        ea5263d89b8b9492c89bfd163417001f5237576e2ec7c5bead195a396a0184a5

        SHA512

        873cf261ef4ece65c1f8f2084d6a9571f736d39e0f63de64beaeb8a3f1c583308872dbad450e3ca404416f882c8b8a705bb89194eba9a2c157f7bdf97fb7e138

        Download Submit

      • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
        Filesize

        639KB

        MD5

        9fdceacc59188df6bcccdf4c6987820a

        SHA1

        f492a0cb2db22317746eb136e56621e5801c97ab

        SHA256

        a3752dc6d1984857f3fa949c4ce20b2847d009f865216f4c7e31d3f01183938c

        SHA512

        3c81e2d7915868a2e88a97fbdf67d5fae8924f52ae497598333607367e642630c3b4c6085a3b8110814d997a9a13c341b2c5c5d336951484b3cbaa68479ad5c9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a39EC.bat
        Filesize

        722B

        MD5

        8644cf1c9f3e4c7fb6bf4f95223ce896

        SHA1

        1ee807f255298c3de1e4cef3c8202bc65dddf975

        SHA256

        b4852ea91cefa485fb5b1a5a64aad07dfba6851e8ad5a4822e3f43f94df0c4e5

        SHA512

        2a3ae4b8875f0f73fd7b769f12f03d84429b7b9d77281a3fd68c15f9a63248ba0bf636e1b4b1fb928ed36de370da84f6de0f23576f9dc04d4cb13f9ec31be748

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\ea5263d89b8b9492c89bfd163417001f5237576e2ec7c5bead195a396a0184a5.exe.exe
        Filesize

        544KB

        MD5

        9a1dd1d96481d61934dcc2d568971d06

        SHA1

        f136ef9bf8bd2fc753292fb5b7cf173a22675fb3

        SHA256

        8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525

        SHA512

        7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        29KB

        MD5

        693e6f028a3f9f068a0b5e7250537d55

        SHA1

        2c79b8c2a6f4ebac7bf248a36d561fdc2b3532ff

        SHA256

        862b4192b217938a0a759e4ff19510ba65521b62927794e45a13b666ac90be72

        SHA512

        3645bc60a4185bc11f698608b757bd8d1181c7bba3b0ff801df0c40b9c721acab28352c947a4f93647fec238616af0b43f1f1d7a066617ddbe1c1eed858d5d4a

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-2539840389-1261165778-1087677076-1000\_desktop.ini
        Filesize

        8B

        MD5

        d970a2bfcaa076939c06270d1a48dec8

        SHA1

        7a558f4d64c3e98bcfd2af83f28e6fbd207a39e1

        SHA256

        bdc6872f9a0a011a670907f0fedad9b88e283c5af545cf9f6bd73c3709967d44

        SHA512

        ea4c16930628455852ce343f8ae248b6df869b8da10b10928ebb802129f73d9761971811de317c7d3121b815340027782ec15d385d1d2d7df8fd0a46b62974c2

        Download Submit

      • memory/2396-10-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2396-0-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3988-27-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3988-37-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3988-33-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3988-1231-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3988-20-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3988-4787-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3988-11-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3988-5226-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download