Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/05/2024, 04:47

General

  • Target

    ee703982a8258bd7f378317b2e22f22911e656d0cb520604c7aa5bae476d511a.exe

  • Size

    179KB

  • MD5

    81325cd4b583dd573500319142c6ec53

  • SHA1

    2ca3d9cac674694e1366916117f9238b3576b4bb

  • SHA256

    ee703982a8258bd7f378317b2e22f22911e656d0cb520604c7aa5bae476d511a

  • SHA512

    c879f57aba2904a4a12037ef7939cc2a9c1ba3217179f6bdb505540fe2511b69b36638c2ac59b19233e952aa73e5472a200bc75873712a339a4a5888fabadb2a

  • SSDEEP

    3072:xAyLd0K/JdOydO/COH//kxBsg87jT14yBHlMCTok+sul:XLZ/JdnOTHkxOg87GyBH9j+5l

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ee703982a8258bd7f378317b2e22f22911e656d0cb520604c7aa5bae476d511a.exe
    "C:\Users\Admin\AppData\Local\Temp\ee703982a8258bd7f378317b2e22f22911e656d0cb520604c7aa5bae476d511a.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:512
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE6B6.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:216
      • C:\Users\Admin\AppData\Local\Temp\ee703982a8258bd7f378317b2e22f22911e656d0cb520604c7aa5bae476d511a.exe
        "C:\Users\Admin\AppData\Local\Temp\ee703982a8258bd7f378317b2e22f22911e656d0cb520604c7aa5bae476d511a.exe"
        3⤵
        • Executes dropped EXE
        PID:1240
    • C:\Windows\Logo1_.exe
      C:\Windows\Logo1_.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1016
      • C:\Windows\SysWOW64\net.exe
        net stop "Kingsoft AntiVirus Service"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2368
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          4⤵
            PID:1812
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4356,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=3656 /prefetch:8
      1⤵
        PID:3508

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Program Files\7-Zip\7zG.exe

        Filesize

        750KB

        MD5

        74a562bc868f4b6042abe60236d381e0

        SHA1

        1f30ac25a134b2c211ee3280123feb89cc522c87

        SHA256

        ecdace247ec475259f3a7bdddc7390dba1a4c643b1b8456fba7721b29cbc3fc9

        SHA512

        a1ec48ec10da7b63598d8164739fc99ab49c5b604c7aeb87cdb0a3c0a4116ce9e0da498ab0cf8f0a3db3dc34b368cf4f37ed5c6a724bf52e307b2f521d426647

      • C:\Users\Admin\AppData\Local\Temp\$$aE6B6.bat

        Filesize

        722B

        MD5

        8941b4cbc634477749a2b516eaba100b

        SHA1

        33c16c330d0727e5c25eff8bb13c8804ad3cc03a

        SHA256

        e336c577b42fd937bd6ef952a653082c6446c5c091ffa2082b31f568594709c6

        SHA512

        5f74f50dad1d8ac1241b513fc95b0ff5cdcf00e1679fee788a991e284c373e4b813d0522c0da42388c9523dae830253958addf8b2a29b2683c6c5a67ddfc933f

      • C:\Users\Admin\AppData\Local\Temp\ee703982a8258bd7f378317b2e22f22911e656d0cb520604c7aa5bae476d511a.exe.exe

        Filesize

        113KB

        MD5

        b777409e43897fbad31319874035055f

        SHA1

        fd279403092e23136b5c1afa1940d3c24816afd9

        SHA256

        cc1d59f183410a925944c92bb7e67c5f6985c158b0e9039172751ecd27874446

        SHA512

        5e7baf63f18024a7e040d50cfd35c26eaae38fb6472c5575c088c7f4121952422960622e5884f88c643c715322dbbbbde046aeabe0bb0d9774416aeec1fc5ae3

      • C:\Windows\Logo1_.exe

        Filesize

        66KB

        MD5

        bac152d659a8e5c8b297ee885a362ab7

        SHA1

        e35922075011a55e96a69695645985ed2e4d7336

        SHA256

        db778391e2816d919f43276cff95d64e544e28e8f4262a8722e9e904038af413

        SHA512

        ec5a747cd6602130886b0c04638eac550a8dc287368ff3fba6b526bd83f4f678b8ebc3d6482a0282aba720af556df91ae986cccef36c5b77465c4f0003c9a150

      • memory/512-7-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

      • memory/1016-15-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

      • memory/1016-13-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

      • memory/1016-17-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

      • memory/1016-12-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

      • memory/1016-141-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

      • memory/1016-217-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

      • memory/1016-220-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

      • memory/1016-230-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB