Analysis

  • max time kernel
    149s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/06/2024, 22:29 UTC

General

  • Target

    bec92b7ed492cbb643ce9dc45d91e6776785b0ca185dd9ecbb5c5fd5d77bdaa4.exe

  • Size

    73KB

  • MD5

    21e94f334a6ee47431de6e5c8c3d4ada

  • SHA1

    636962e5ffbb16b4c4a28d4cd67b4ad65aea6787

  • SHA256

    bec92b7ed492cbb643ce9dc45d91e6776785b0ca185dd9ecbb5c5fd5d77bdaa4

  • SHA512

    51db417ad9821a74ebd49893d11803345623b132b4cb6ddc66bb39b55e71b903b338426808de08354f15696caaf4a42675e1146ebb8a7070579726be08666cc6

  • SSDEEP

    1536:tfgLdQAQfcfymNAwewCzebOInd4qfymD8xQUf:tftffjmNAwMeb4mD8

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3532
      • C:\Users\Admin\AppData\Local\Temp\bec92b7ed492cbb643ce9dc45d91e6776785b0ca185dd9ecbb5c5fd5d77bdaa4.exe
        "C:\Users\Admin\AppData\Local\Temp\bec92b7ed492cbb643ce9dc45d91e6776785b0ca185dd9ecbb5c5fd5d77bdaa4.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:3324
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a2DD6.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3220
          • C:\Users\Admin\AppData\Local\Temp\bec92b7ed492cbb643ce9dc45d91e6776785b0ca185dd9ecbb5c5fd5d77bdaa4.exe
            "C:\Users\Admin\AppData\Local\Temp\bec92b7ed492cbb643ce9dc45d91e6776785b0ca185dd9ecbb5c5fd5d77bdaa4.exe"
            4⤵
            • Executes dropped EXE
            PID:4732
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1712
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1960
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:1868

      Network

      • flag-us
        DNS
        209.205.72.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        209.205.72.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        172.210.232.199.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        172.210.232.199.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        0.159.190.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        0.159.190.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        154.239.44.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        154.239.44.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        26.165.165.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        26.165.165.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        171.39.242.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        171.39.242.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        30.243.111.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        30.243.111.52.in-addr.arpa
        IN PTR
        Response
      • 52.111.227.11:443
        322 B
        7
      • 8.8.8.8:53
        172.210.232.199.in-addr.arpa
        dns
        74 B
        128 B
        1
        1

        DNS Request

        172.210.232.199.in-addr.arpa

      • 8.8.8.8:53
        209.205.72.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        209.205.72.20.in-addr.arpa

      • 8.8.8.8:53
        0.159.190.20.in-addr.arpa
        dns
        71 B
        157 B
        1
        1

        DNS Request

        0.159.190.20.in-addr.arpa

      • 8.8.8.8:53
        154.239.44.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        154.239.44.20.in-addr.arpa

      • 8.8.8.8:53
        26.165.165.52.in-addr.arpa
        dns
        72 B
        146 B
        1
        1

        DNS Request

        26.165.165.52.in-addr.arpa

      • 8.8.8.8:53
        171.39.242.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        171.39.242.20.in-addr.arpa

      • 8.8.8.8:53
        30.243.111.52.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        30.243.111.52.in-addr.arpa

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

        Filesize

        251KB

        MD5

        fa03025a5356ec12c1be2bf6f554120d

        SHA1

        2bcdaa6bbce818a1d260c4293a07b5076a104e56

        SHA256

        8906bb45077aeebb6eaca93bccaa133623f3b5e9dcc0b50dc4c6edcc3ea1571a

        SHA512

        c78ac5d658231ba4dfb54941dfd3fb6e0752d6ec6215743679d1274bd16f5e283dca110f63db3955c23091d2de3f75c2fc5b6630e0be36ea37a16eb81b8716b0

      • C:\Program Files\7-Zip\7z.exe

        Filesize

        570KB

        MD5

        cdd1e1f44869a40a61f093b2806f23d3

        SHA1

        9856dd59b196a7d2100abee9edbd10c85423783f

        SHA256

        0f71dbf0dc35e50d076d2989bb16406ee436bbb1a8cdb051df58bd515fd230fa

        SHA512

        efaad454eef1d53e3ec8c885914fceebd30503c4791dbe32f0aa64f97ada2c207fab228d6e20142ba793cc76bcfc7ed591fc2c25c03872a2798550e07510fb40

      • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

        Filesize

        636KB

        MD5

        2500f702e2b9632127c14e4eaae5d424

        SHA1

        8726fef12958265214eeb58001c995629834b13a

        SHA256

        82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c

        SHA512

        f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

      • C:\Users\Admin\AppData\Local\Temp\$$a2DD6.bat

        Filesize

        722B

        MD5

        daf648800e499178d414d204c9032756

        SHA1

        16db375dff50e97c62960cc59e5fc673a90fd29e

        SHA256

        8939080021226a1b9ccdc5c0350f6f10b90b9d96943167f52c81b75689a809a0

        SHA512

        a8b81bfebb7669b5933a63de3d638f6220d392e0a96ebd8e8ec6023391a02d02115504ef07d6c5d007528385ecc4ef7e78bf974daed6b31eb77ee42c88080724

      • C:\Users\Admin\AppData\Local\Temp\bec92b7ed492cbb643ce9dc45d91e6776785b0ca185dd9ecbb5c5fd5d77bdaa4.exe.exe

        Filesize

        46KB

        MD5

        4e72b2688d56dbb4f910bfcfab3f14b2

        SHA1

        a5315cba1cfe117f078b3864ebea2a2c67d3d917

        SHA256

        5056f7ab6992658ca02ab06314b6ed59dbb10d5c90b529e9a626d34d8bf34e0f

        SHA512

        e4771f17ffda255a65381d96191077d4dcf13c17fc13e5eefc39ade8e0235e3956ce47c317354d0d56061119643a39425a942a19f6846d37b0525fddb1709d21

      • C:\Windows\rundl132.exe

        Filesize

        26KB

        MD5

        4298e0c223e6572693e5a6b29279c1da

        SHA1

        5bd4c027c9433de22fec622bb7b13b863cee8de4

        SHA256

        bfe4186213f6d4cc116612e337bbe7a4c713d4cd02155dd649b31bf93476bd43

        SHA512

        d5df016ba3a3bcee7370ddd2aca1518fdde68dd681a17c45c8f7cf25a780be5903d49cf03410accfd8d176ce1653d9a49eb0544f5d0d1d091aa2d99fc8186ec1

      • F:\$RECYCLE.BIN\S-1-5-21-4018855536-2201274732-320770143-1000\_desktop.ini

        Filesize

        8B

        MD5

        fa8bf97ffdb152205be1f3a9bd9faec3

        SHA1

        88a5a98b6074543e357ec7ad221eaee5e30ec82a

        SHA256

        08a129c008511d5fc4ee1e2ad0fad3d0b033407f74285a18c6fe956d5dc2c9cb

        SHA512

        ea0a63f52af441964e4a2cddede537d87f1ad78241c883cf40334801056879bb1639ae75b2d9e3cceb90471837263760fc7d6c6708819c7a73fec703ba098443

      • memory/1712-19-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/1712-26-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/1712-32-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/1712-36-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/1712-1230-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/1712-4796-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/1712-5235-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/3324-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/3324-10-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB
