Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

6

Static

static

3

c383580391...7f.exe

windows7-x64

6

c383580391...7f.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    28/05/2024, 06:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c383580391fac6b52221a73d95a5b4c289d40454ac86fa0e84a5e3d5292aa37f.exe

  • Size

    29KB

  • MD5

    b5ca8bacca3ef773bdb62800d0598264

  • SHA1

    8288970776150108ce27ee6b8041d8597b636901

  • SHA256

    c383580391fac6b52221a73d95a5b4c289d40454ac86fa0e84a5e3d5292aa37f

  • SHA512

    18e69a447cd15739cbbdf0afb14fc6c06729717890828be7a39a947d804f06d7df9aad11688594d474d80a6cf6b757691f22206022732fa78c7f776584f3fa20

  • SSDEEP

    384:NbbA+KIft1Gt5M0zhIV/DZ3KZp7JcTO4yf9Knuf2MqlUV2V9wVfUnfRqOzGOnJh:p6g16GVRu1yK9fMnJG2V9dHS8

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1200
      • C:\Users\Admin\AppData\Local\Temp\c383580391fac6b52221a73d95a5b4c289d40454ac86fa0e84a5e3d5292aa37f.exe
        "C:\Users\Admin\AppData\Local\Temp\c383580391fac6b52221a73d95a5b4c289d40454ac86fa0e84a5e3d5292aa37f.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1732
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2376
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2212

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        254KB

        MD5

        4358b42e9a78a50138303db5e5195b70

        SHA1

        f0e679f67f5d345a60f041afced3b7d66f99ccc5

        SHA256

        f65048220efb299ef26c562a13a956605d59848f3cceb00c7ced0ea9e447226c

        SHA512

        008b89656992b04ba27b365c42f3daa6b0b21b9804d53a6e4b41907a653f4093086c2c4a2088081e04ef4f9a29d64a4e5138aee23ae75a3e6458eba8819fdbf3

        Download Submit

      • C:\Program Files\7-Zip\7zFM.exe
        Filesize

        959KB

        MD5

        bab60e983c0205a3920df0a80f281263

        SHA1

        f04a0df0e2ced4b51d1281be2067e3f01e5c88c2

        SHA256

        1a370567f609e87c4f62d5b122efd065034d5e99f69a84c84ee0c90515c0f040

        SHA512

        46521335f471f91a1bfb1d828660ad2e5a4f7f66635c8c1397f2ee641d77ddfc5b05a9a823c3a636bcdd163cc61f8f2d571e14f692995deed14eaa25843e2cb8

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        474KB

        MD5

        6f0ec1ca208b0521f58bcd694897df06

        SHA1

        808a16d524301513af8ee772936f6bdcf41623a6

        SHA256

        53b5d4205b0f2ae4ba0051244fffcaf0cfecbf78dfc448e4d2e68e53e15f15bf

        SHA512

        d8318484059a9988dae4b8a53d1ccec1a54ed825e1937d70fccc9bd26222a0c4b23718f368e6d193e6dd7b9d999e5e8d5f23717ea160468b6287004a722503f2

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\_desktop.ini
        Filesize

        9B

        MD5

        e850d9ceb7ebcc619d731dc2f1377b2b

        SHA1

        a45553c9057075c02e28f90d5e8ea57a0dddbacc

        SHA256

        b682a6e85069777ca22f84b99607acd09640eaa80029d74363c0a5aabddead4c

        SHA512

        be92bd8393d0fe69559ec55e1068fcd77ccc699361a9cb98d467bd51a029c371852b7a1196ad53fa8865e956582e6a4d35f6ac6fea3832058b7a427133b0048c

        Download Submit

      • memory/1200-5-0x0000000002D30000-0x0000000002D31000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1732-66-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1732-0-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1732-72-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1732-20-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1732-519-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1732-1825-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1732-1945-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1732-14-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1732-3285-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1732-7-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download