Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

725a1c0a79...cb.exe

windows7-x64

7

725a1c0a79...cb.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    29/05/2024, 15:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    725a1c0a79b3b26672c06766ed0fb426a5a540123af9a13b5736316bdac240cb.exe

  • Size

    5.7MB

  • MD5

    ec534b18b77be3f61296098eeeb5c518

  • SHA1

    3819b1709e3887bc6afc5f2d9163ea54ec651d23

  • SHA256

    725a1c0a79b3b26672c06766ed0fb426a5a540123af9a13b5736316bdac240cb

  • SHA512

    8737da60ffa15e30c0757f2e234822c88b1eff11b15e0923bf50e41b9d87a94a0cb9c8ba9af73323609ea4ca3d62a304e7fa09e8dcf2b4e8b1ac0fd606d18931

  • SSDEEP

    49152:zPv94AEsKU8ggw1g+1CART5eBiyKS3EI3wybn20DCYIHvc8ixuZm9+fWsw6dTPBJ:bKUgTH2M2m9UMpu1QfLczqssnKSk

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1220
      • C:\Users\Admin\AppData\Local\Temp\725a1c0a79b3b26672c06766ed0fb426a5a540123af9a13b5736316bdac240cb.exe
        "C:\Users\Admin\AppData\Local\Temp\725a1c0a79b3b26672c06766ed0fb426a5a540123af9a13b5736316bdac240cb.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2040
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a39D5.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          PID:2468
          • C:\Users\Admin\AppData\Local\Temp\725a1c0a79b3b26672c06766ed0fb426a5a540123af9a13b5736316bdac240cb.exe
            "C:\Users\Admin\AppData\Local\Temp\725a1c0a79b3b26672c06766ed0fb426a5a540123af9a13b5736316bdac240cb.exe"
            4⤵
            • Executes dropped EXE
            PID:2676
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1208
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2668
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:1324

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        254KB

        MD5

        d86e00fdec23784005bc452f437fedb8

        SHA1

        5c8d5c4952600659f2177262c2b0554e5dcebd64

        SHA256

        aa56ba1e1b10017ed23bccf1d5ba69dede6dc8dfa40ea585bce45dfd8ae3f0c3

        SHA512

        648667cbdbf62b8ca75fc0091f9313a0a0d76bb2b2f3c1db4464bb8f3299562bcd247a7443dc55af7a05090a6e3acc98d8af10fd33ffad543f841152a1ccef77

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        474KB

        MD5

        999390d1a073d9d30149bfd4832f8783

        SHA1

        23e02a9b82087dc821baf05fe75ce2b81c62d05e

        SHA256

        4c78f9b1285631d761c8005fefa2a29d047f08edd4a8c39c402e351002fc7cb5

        SHA512

        22fe988e5b37e9a1a385bb972f53316141faa3266347e1d2142fe96725d40ee761c8fec13a4c20ada087607e1dc0f4375c329fe03b8c07af6c957a65eb5121bf

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a39D5.bat
        Filesize

        722B

        MD5

        7697180881c0f5a2e423a7d0614fa825

        SHA1

        f315f99a60d8dfeeee81909fc9f3a6777ad4843a

        SHA256

        fc26b79cad1d0ef320b96a9fb091e15d1b16126383028f0f9404be6d1bbe9de7

        SHA512

        a7e7e1733481539eb6260d54d689f36640f49a60d7bf6f1ae793fbb88bc3fb1744a861356d78efd5e7273a8947d204794bc0566e1c830606c07243e14238f956

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\725a1c0a79b3b26672c06766ed0fb426a5a540123af9a13b5736316bdac240cb.exe.exe
        Filesize

        5.7MB

        MD5

        ba18e99b3e17adb5b029eaebc457dd89

        SHA1

        ec0458f3c00d35b323f08d4e1cc2e72899429c38

        SHA256

        f5ee36de8edf9be2ac2752b219cfdcb7ca1677071b8e116cb876306e9f1b6628

        SHA512

        1f41929e6f5b555b60c411c7810cbf14e3af26100df5ac4533ec3739a278c1b925687284660efb4868e3741305098e2737836229efc9fe46c97a6057c10e677c

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        29KB

        MD5

        4f5d22667d150fcb87a131ecf4f18373

        SHA1

        ea6b17b4d068f007f17dcc1d2af587a5969ae213

        SHA256

        8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0

        SHA512

        cbce12b897e11aab465fc244a7442f89ea5eac1a0e3bea595eae4951a454a51e065063a68771ee96588ed0b9674777f25776221bed1829075540541a9e28f6e1

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-268080393-3149932598-1824759070-1000\_desktop.ini
        Filesize

        9B

        MD5

        4b2b75605a65a6762ec4715de0a70902

        SHA1

        3b85993ef06d2d814abc405188fdd19a1bffea0c

        SHA256

        77072cc5a7b394508cf5d819ff8cf4385a9b3cb15d8715a59845ccfa235ea34e

        SHA512

        888361e75afd4308bdad817af543704a42ffdf2d798acef619459e9978ac68f1cf4d468c6e0b146ab738b0109fdf331c4380471aa83f637b0f6ab06164840c65

        Download Submit

      • memory/1208-480-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1208-1874-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1208-18-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1208-32-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1208-3334-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1208-39-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1208-45-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1208-91-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1208-97-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1220-30-0x0000000002E20000-0x0000000002E21000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2040-0-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2040-12-0x0000000001D80000-0x0000000001DB6000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2040-17-0x0000000001D80000-0x0000000001DB6000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2040-19-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download