Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

bec92b7ed4...a4.exe

windows7-x64

7

bec92b7ed4...a4.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    05/06/2024, 22:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bec92b7ed492cbb643ce9dc45d91e6776785b0ca185dd9ecbb5c5fd5d77bdaa4.exe

  • Size

    73KB

  • MD5

    21e94f334a6ee47431de6e5c8c3d4ada

  • SHA1

    636962e5ffbb16b4c4a28d4cd67b4ad65aea6787

  • SHA256

    bec92b7ed492cbb643ce9dc45d91e6776785b0ca185dd9ecbb5c5fd5d77bdaa4

  • SHA512

    51db417ad9821a74ebd49893d11803345623b132b4cb6ddc66bb39b55e71b903b338426808de08354f15696caaf4a42675e1146ebb8a7070579726be08666cc6

  • SSDEEP

    1536:tfgLdQAQfcfymNAwewCzebOInd4qfymD8xQUf:tftffjmNAwMeb4mD8

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1204
      • C:\Users\Admin\AppData\Local\Temp\bec92b7ed492cbb643ce9dc45d91e6776785b0ca185dd9ecbb5c5fd5d77bdaa4.exe
        "C:\Users\Admin\AppData\Local\Temp\bec92b7ed492cbb643ce9dc45d91e6776785b0ca185dd9ecbb5c5fd5d77bdaa4.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:3004
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a620D.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2644
          • C:\Users\Admin\AppData\Local\Temp\bec92b7ed492cbb643ce9dc45d91e6776785b0ca185dd9ecbb5c5fd5d77bdaa4.exe
            "C:\Users\Admin\AppData\Local\Temp\bec92b7ed492cbb643ce9dc45d91e6776785b0ca185dd9ecbb5c5fd5d77bdaa4.exe"
            4⤵
            • Executes dropped EXE
            PID:2592
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2656
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2616
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2624

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        fa03025a5356ec12c1be2bf6f554120d

        SHA1

        2bcdaa6bbce818a1d260c4293a07b5076a104e56

        SHA256

        8906bb45077aeebb6eaca93bccaa133623f3b5e9dcc0b50dc4c6edcc3ea1571a

        SHA512

        c78ac5d658231ba4dfb54941dfd3fb6e0752d6ec6215743679d1274bd16f5e283dca110f63db3955c23091d2de3f75c2fc5b6630e0be36ea37a16eb81b8716b0

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        471KB

        MD5

        4cfdb20b04aa239d6f9e83084d5d0a77

        SHA1

        f22863e04cc1fd4435f785993ede165bd8245ac6

        SHA256

        30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

        SHA512

        35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a620D.bat
        Filesize

        722B

        MD5

        f189a994aecf818da2f4a93cfd99a10d

        SHA1

        1b33c2399e525d7930af135afd9a0073a54ca6af

        SHA256

        d696f2ae7da445a4e026dd226e907c619e185f02698d9ff8c4a62f33452153a7

        SHA512

        f574faec3001faf956f1cf68e5d55282e3f8d7b04ba18d66d32d078b2c5993229c35c4ba910ab82da3ff5cb06021d64792fe2a559398ff405b64d5dd57e00a6e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\bec92b7ed492cbb643ce9dc45d91e6776785b0ca185dd9ecbb5c5fd5d77bdaa4.exe.exe
        Filesize

        46KB

        MD5

        4e72b2688d56dbb4f910bfcfab3f14b2

        SHA1

        a5315cba1cfe117f078b3864ebea2a2c67d3d917

        SHA256

        5056f7ab6992658ca02ab06314b6ed59dbb10d5c90b529e9a626d34d8bf34e0f

        SHA512

        e4771f17ffda255a65381d96191077d4dcf13c17fc13e5eefc39ade8e0235e3956ce47c317354d0d56061119643a39425a942a19f6846d37b0525fddb1709d21

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        4298e0c223e6572693e5a6b29279c1da

        SHA1

        5bd4c027c9433de22fec622bb7b13b863cee8de4

        SHA256

        bfe4186213f6d4cc116612e337bbe7a4c713d4cd02155dd649b31bf93476bd43

        SHA512

        d5df016ba3a3bcee7370ddd2aca1518fdde68dd681a17c45c8f7cf25a780be5903d49cf03410accfd8d176ce1653d9a49eb0544f5d0d1d091aa2d99fc8186ec1

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\_desktop.ini
        Filesize

        8B

        MD5

        fa8bf97ffdb152205be1f3a9bd9faec3

        SHA1

        88a5a98b6074543e357ec7ad221eaee5e30ec82a

        SHA256

        08a129c008511d5fc4ee1e2ad0fad3d0b033407f74285a18c6fe956d5dc2c9cb

        SHA512

        ea0a63f52af441964e4a2cddede537d87f1ad78241c883cf40334801056879bb1639ae75b2d9e3cceb90471837263760fc7d6c6708819c7a73fec703ba098443

        Download Submit

      • memory/1204-29-0x0000000002D30000-0x0000000002D31000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2656-96-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2656-31-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2656-38-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2656-44-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2656-90-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2656-623-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2656-1849-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2656-2144-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2656-21-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2656-3309-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3004-17-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3004-10-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download