Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

e1608cad6a...a9.exe

windows7-x64

7

e1608cad6a...a9.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/05/2024, 23:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e1608cad6ac31f0580dedb476e451b959927c28206ccf7d25946662bcf89d8a9.exe

  • Size

    1.6MB

  • MD5

    00299d55cfd77172abf8cc55a13ae031

  • SHA1

    5bc6cac294012f318d5aec6ed9165b758413b540

  • SHA256

    e1608cad6ac31f0580dedb476e451b959927c28206ccf7d25946662bcf89d8a9

  • SHA512

    3146d9bbce99233824bd9e9d7b32ae56f9af3bedf9a5a7abc73facf39a67789fbc35464a74e44a5b04b057132f152437be8776bdd7695bec3d05767f18781bc1

  • SSDEEP

    49152:69VTJHyRQCRsuk/JISsG0VJKSmvhQtNwnZHJgXyGOdg:6URQ7DBISsG0VMSmpQTwtaL7

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3512
      • C:\Users\Admin\AppData\Local\Temp\e1608cad6ac31f0580dedb476e451b959927c28206ccf7d25946662bcf89d8a9.exe
        "C:\Users\Admin\AppData\Local\Temp\e1608cad6ac31f0580dedb476e451b959927c28206ccf7d25946662bcf89d8a9.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2232
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE61A.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:544
          • C:\Users\Admin\AppData\Local\Temp\e1608cad6ac31f0580dedb476e451b959927c28206ccf7d25946662bcf89d8a9.exe
            "C:\Users\Admin\AppData\Local\Temp\e1608cad6ac31f0580dedb476e451b959927c28206ccf7d25946662bcf89d8a9.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            PID:3268
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1440
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1868
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:3204
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3756,i,7012731823941922179,12386606396608877869,262144 --variations-seed-version --mojo-platform-channel-handle=4396 /prefetch:8
        1⤵
          PID:1580

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
          Filesize

          254KB

          MD5

          c2313644c3961c77fb35668603775f6b

          SHA1

          34857a41ad8b6ce8f1458615465a73c8ef5b5e49

          SHA256

          fd99eadf4c8d7924770f0969d9f847d74e965cac870b846ed737eff514b7fd64

          SHA512

          272443283ed7073bf9ce4fac0b94ff80fdbe92cd70c310904b81306d555abb0c71f712488fa49c58a0c95f7510ede226c4f40f7a7214d4c99e37fdd8a4bc0f9d

          Download Submit

        • C:\Program Files\7-Zip\7z.exe
          Filesize

          573KB

          MD5

          a06069cc78a8a8c6746ca51d2afeb512

          SHA1

          84302e33fd58fb81f0d7c6d81e7112261ff93e31

          SHA256

          25103245c72961f72cfa496ee1ca7c5d42a01d72ff1b3a28cb5f6a8a514794b7

          SHA512

          a9e49319491c76b024830ec324811e799c2e569a5a9fd65ffb425d5289b94ecee09640c77671eef1efc46c80a8442dc5bd6031ef88f97909a2637aa1f8770732

          Download Submit

        • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
          Filesize

          639KB

          MD5

          c8d281da4c32df16eef470c27c8cb459

          SHA1

          00efc9f6844bfaa37c264b6452c6a7356638ab10

          SHA256

          058c81e5a07f2c6c33cf28dff71d07ad8f179046108d945159957e891bfd9c62

          SHA512

          e3c79e19f620068f668d4ebaa5097f1a95a30dabb8dce75f3787171dddbea9f684fc7ce8d1011a398f38084d7af96dd1ff9a02d25906aab9b13861b8363d24bb

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\$$aE61A.bat
          Filesize

          722B

          MD5

          646fc5c00fe428efef66815d1bc2feed

          SHA1

          c07a112d0631bef29431f250509c5ec8f937fb68

          SHA256

          5e47e84dbdf4bdd3a0bda51c8f1928f659fc2c1448bc67f69c1cc82fe3617b5f

          SHA512

          2d44fe75fc68ff8aee5375889423248c314bab8b779dca91d800b6dcebffa94acf6205b39ee7ea68134ba0b2b816ad096e7270ac221b820c90c211320ff28b0f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\e1608cad6ac31f0580dedb476e451b959927c28206ccf7d25946662bcf89d8a9.exe.exe
          Filesize

          1.6MB

          MD5

          ada617b0cdf2bcd08558a99814d465c4

          SHA1

          cc098290554d4e9bd1bd1009f2474cc06866cff6

          SHA256

          5f2b689531b9eda96489442b000cf3203af38838c71fc10229db9b375e3c1055

          SHA512

          b5b49f41258e5e6c8254bd4204a550a26b447de15d1ba78b7fd24f99938e3b4778037264ac6e2e5c0c45c59efa5b87ccfc68f05f70ec6ad0e329d5bede8bbcdf

          Download Submit

        • C:\Windows\Logo1_.exe
          Filesize

          29KB

          MD5

          599a7881ecc7bdb52e885c2f88f39623

          SHA1

          f1e4628628939c353e3f51e46dd638c844db0588

          SHA256

          e54026cfa7a56a1cdbe7c78228b9d123e8e7f8f1044609385e1990bc4091872d

          SHA512

          68542351fa49e3ace39596d63e89b24ae31f3cb6a27f315bd7922aa8ff17601da5663e3c25e802154d5e97bcfdb569365372ad32cb2459485373d574fe1809ba

          Download Submit

        • F:\$RECYCLE.BIN\S-1-5-21-1181767204-2009306918-3718769404-1000\_desktop.ini
          Filesize

          9B

          MD5

          626b7ac8db42922bd5ad061459a997cd

          SHA1

          1d94c0679bc448cde1fc2da8cea39b910af74f3b

          SHA256

          ec459940188be916789d5d79bd7826fecb6ad8f47d606e862d95946998d36208

          SHA512

          cff25aa56e8d7d33dddf326fe1fdc1fc11e4269e0b03caa2f8baa637a549b1e0878ea933333cc82c03fb3930d0ae1b8735bfdbf1337e696b5bd062b693847f20

          Download Submit

        • memory/1440-27-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1440-33-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1440-37-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1440-20-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1440-1237-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1440-4875-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1440-13-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1440-5320-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/2232-0-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/2232-12-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download