Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

547cd2b960...7b.exe

windows7-x64

7

547cd2b960...7b.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    106s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/05/2024, 12:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    547cd2b9601840e97d1e8cf92bba29c7f1e05d2c6f1e13aea355fc889af4137b.exe

  • Size

    1.2MB

  • MD5

    f6f46ba550bec2ae79bdbfbe15abc332

  • SHA1

    28c84ed9deb3a90dc5ec75c58aab33371cfd7c22

  • SHA256

    547cd2b9601840e97d1e8cf92bba29c7f1e05d2c6f1e13aea355fc889af4137b

  • SHA512

    265ceb854a1591479062cbd178efa7bc857bdb6201d6415608cba5f14f6639caf3e1cce226bbf8de8c8f099c080ce19c54c540f29f7403665a87b1be3ca121bb

  • SSDEEP

    24576:upm0H9nQ79hBfO31W/5uuSR3WD2CA1ETobIqbtTA+5i:qQsYhuuSR3WDE1Ec5T5I

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3472
      • C:\Users\Admin\AppData\Local\Temp\547cd2b9601840e97d1e8cf92bba29c7f1e05d2c6f1e13aea355fc889af4137b.exe
        "C:\Users\Admin\AppData\Local\Temp\547cd2b9601840e97d1e8cf92bba29c7f1e05d2c6f1e13aea355fc889af4137b.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2996
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a783D.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2268
          • C:\Users\Admin\AppData\Local\Temp\547cd2b9601840e97d1e8cf92bba29c7f1e05d2c6f1e13aea355fc889af4137b.exe
            "C:\Users\Admin\AppData\Local\Temp\547cd2b9601840e97d1e8cf92bba29c7f1e05d2c6f1e13aea355fc889af4137b.exe"
            4⤵
            • Executes dropped EXE
            PID:4416
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1524
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4716
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:3176

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        252KB

        MD5

        ee177f5357587da410f12e4e626dece9

        SHA1

        ac89e4feee579025fdcb287108ced259b22ead22

        SHA256

        4745e0688e594cac13b5785a7f206fc22c310797772c565693f25dfbb7f7f548

        SHA512

        afd7b8d29540ce3ed7cd5662b2807e1ff12cf94f9fbfc8e268cdf092ff1a0bf94ba37c95f28baaa7281ae029453e48073c1fda8297624353a6da1a68d562c2fb

        Download Submit

      • C:\Program Files\7-Zip\7z.exe
        Filesize

        571KB

        MD5

        5bd678a025fc0b51792fc5b83164aeca

        SHA1

        0c1638ebbb4b9afdd8ecd0fdf8b64d3f2604b038

        SHA256

        a38422921441b1f54002ee28cf8dc8f86c6a4c19a75d86a4b564cfe5061792ce

        SHA512

        57cc498391c0c8f1e72fc4593d53c0e52334336a298ac575b9e561c8a8f9e96fbd7887395e056c7c58d71f3d495432d515c2e1d16deb579aac789cf500169e0d

        Download Submit

      • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
        Filesize

        637KB

        MD5

        9cba1e86016b20490fff38fb45ff4963

        SHA1

        378720d36869d50d06e9ffeef87488fbc2a8c8f7

        SHA256

        a22e6d0f5c7d44fefc2204e0f7c7b048e1684f6cf249ba98c006bbf791c22d19

        SHA512

        2f3737d29ea3925d10ea5c717786425f6434be732974586328f03691a35cd1539828e3301685749e5c4135b8094f15b87fb9659915de63678a25749e2f8f5765

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a783D.bat
        Filesize

        722B

        MD5

        a5197ee3a21f6f81a0bf96325dc87fdb

        SHA1

        3b48173567e62b483acfb8f3128ae17389e38b3a

        SHA256

        ec50933e6e5589958a691c3e12ec6881978409267d00ec61dca6c6457a63feab

        SHA512

        18012db2a47e64553946c589336ac6c7036d639bc21e16c9ea8bb3d62fc789663a2ef196c63a6f9398b846fd2f73835bb595e77d81c5d7f290cf3a7096f52b7a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\547cd2b9601840e97d1e8cf92bba29c7f1e05d2c6f1e13aea355fc889af4137b.exe.exe
        Filesize

        1.2MB

        MD5

        f855372e102937242692dd95d862a0a7

        SHA1

        ce3a8398485ea1467ab5bc389f09b9120ad8e5e4

        SHA256

        e3ed541c35fed452270fce3bc9868c7adf3dba6e51b83cdf546766af832863ab

        SHA512

        7e3f16b92e490a6276e27d02b1c420a1a8198cc11bf73848dc0644095c85862b9ff8bf63b95c0657cbfc713fbe53ceb5e12767466c205724e659f6694c8f771e

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        27KB

        MD5

        591d5f504128496faf3fa7cade4a47c7

        SHA1

        c07d118849c76ace4dcc3ce2e0f6941a4c1bc899

        SHA256

        65842e84b61d8caaab9568bea23ed448d7374e72b0c9f09dc36191e3328a456c

        SHA512

        7d0a7f38895098b7e31f9bb3be6668871a9c5ef2a912359a20f145c8e905c0751bfd5e50f5ba203b5b463981c9fd3b3962f683872495430179b2e17b8d652057

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-1162180587-977231257-2194346871-1000\_desktop.ini
        Filesize

        9B

        MD5

        4d28283e4d415600ffc2f8fda6d8c91e

        SHA1

        053dcb8d5d84b75459bc82d8740ee4684d680016

        SHA256

        b855effeaf01610130d3f38de35bc7f98bfc6643d98d4198af18534f048e8df7

        SHA512

        73a758cd5e5ac48d62dd89719be604214895e0cc9a10ff7464a6cf9161a37fd27d15dd2d2565f18198b381ac6442bcb36f38614df7b1176061a83616517a7edb

        Download Submit

      • memory/1524-27-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1524-33-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1524-37-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1524-20-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1524-75-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1524-1232-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1524-13-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1524-4797-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1524-5236-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2996-0-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2996-10-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download