Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

02463321e5...fa.exe

windows7-x64

7

02463321e5...fa.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    17/05/2024, 05:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    02463321e53570dfce5840c2dd66efe7fbcaa99dcd8c373dd669a39a649dbcfa.exe

  • Size

    195KB

  • MD5

    3d877fea86d6eb8d49e77e4083f4e0da

  • SHA1

    39b6103d1bb8f5f97c3b748de06b45224a672b5d

  • SHA256

    02463321e53570dfce5840c2dd66efe7fbcaa99dcd8c373dd669a39a649dbcfa

  • SHA512

    866272c6dde51a46502fae2054f4d296c1246989edb76c238f32dd128c3fdad59b10fe53a2b88afc1b867aa67c597dc3e09fffa34db416e8322d0466edea8256

  • SSDEEP

    6144:iFpGhiTM8mP4PnQYg3kMKYMKxbxSELp8Hmr:EpRMuQ93vmq18q

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1208
      • C:\Users\Admin\AppData\Local\Temp\02463321e53570dfce5840c2dd66efe7fbcaa99dcd8c373dd669a39a649dbcfa.exe
        "C:\Users\Admin\AppData\Local\Temp\02463321e53570dfce5840c2dd66efe7fbcaa99dcd8c373dd669a39a649dbcfa.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1424
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a166E.bat
          3⤵
          • Deletes itself
          PID:2976
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1300
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3052
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2636

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        252KB

        MD5

        857901248af73a1d46fb35128c9a14b9

        SHA1

        a28008bc04d56374013386bcf3d5c46b494f1212

        SHA256

        f78337f1a34a4acbc1558a09a2cb8219bf659f12713d81897fd35e978390d250

        SHA512

        0069f75aa493a0874c83cf5c7ad94899801119229e417b7b8df618c8498eb874a4967c17faaacfc88935a121e95699184992ea61323ab25cb7a80c9c52bbab87

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        472KB

        MD5

        88eb1bca8c399bc3f46e99cdde2f047e

        SHA1

        55fafbceb011e1af2edced978686a90971bd95f2

        SHA256

        42fd78c05bc240d4ded16ac974f17c336f6ae3a1814d548021c48a942cc30428

        SHA512

        149d4de0c024e25a13a7bb17471e6f48391d4f26b1c8388672320eed1c255f84219ad7b72bbebc531ae558d5192dd4bb6d0dddd6c65a45300c8e8348a4fb3728

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a166E.bat
        Filesize

        722B

        MD5

        ac8d1c16d90dec1933309c087e854935

        SHA1

        80506b9675788f74cd8de878fe6175010c338034

        SHA256

        0d0381a3f7d51192c9fb6b72920b29ab8520df0aedcab642444ba1cb6f3df189

        SHA512

        3c6a9a2cb03475b4effd7832081c6042fc74a01bfbd21d7e61bb63de46444112444f55342f9009ccdd7e21143a6c2f1e12a5219ed05d71e9c5bb4b48c1d8b039

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\02463321e53570dfce5840c2dd66efe7fbcaa99dcd8c373dd669a39a649dbcfa.exe.exe
        Filesize

        168KB

        MD5

        9865024404b5209cdf2522ceaccb87ef

        SHA1

        c2f2566380930cd5638b9692e9eb579c7e3e66fd

        SHA256

        72e7dcdd653c3171fbf3683aee7fbc91c61f71d62c9f43fe8b2f2e34e9861ee0

        SHA512

        12ed1095164b7dbdd271166a8229bddcabb1c6350678fff4d07c0c338fffd2261a7ae63083a69202b0bb3494139563a1a86e8a3a38efa20c34af50671241b283

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        27KB

        MD5

        55f44991f5344846e54369e4225e4c48

        SHA1

        95d8063218e7a19fa9777ec056fceeb7dbac553b

        SHA256

        cf83b86498be0258d86e0c1a130a28d7b106c43abcceebafac570fc51ae94f74

        SHA512

        a4e60c8378f333ec2e2b27a80ed436d921b3c7dff4ea1727afc79e680ddd9bbcca3de6de5fc1c4c83c5bc6b03c2db03fabcfd431fe9b6ca352d244757c0b4b91

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-2737914667-933161113-3798636211-1000\_desktop.ini
        Filesize

        9B

        MD5

        de299d58575b595bc358a5c5edd0767d

        SHA1

        0d30c906a5b5647289c7788d31dd3afd642350a4

        SHA256

        32ef1af1131d89e96d59ac0d3f8e232e839355587a679a2df2479b5277a704e3

        SHA512

        c8e20bb98c427a3a0eea8769df090d59353f0b484321e82b381cfca18b111bd1d782713f2f5bf815e5832a0e12ec909a0324fe9ba013c626327cabf27a464bbc

        Download Submit

      • memory/1208-64-0x0000000002D10000-0x0000000002D11000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1300-1349-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1300-70-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1300-77-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1300-84-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1300-129-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1300-135-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1300-1912-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1300-22-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1300-3371-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1424-17-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1424-0-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1424-12-0x0000000000440000-0x0000000000475000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2976-58-0x00000000007D0000-0x00000000007D1000-memory.dmp

        Filesize

        4KB

        Download