Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

0651eb83a8...8b.exe

windows7-x64

7

0651eb83a8...8b.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/06/2024, 14:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0651eb83a85b3585562268b7f7f1c9a90a8205c01b83f4ce0fa95204100ce48b.exe

  • Size

    573KB

  • MD5

    0fa358463d01292dc0c29cd2cb4d6ae9

  • SHA1

    be8615293359814fefcdb50f4938d963c52daef7

  • SHA256

    0651eb83a85b3585562268b7f7f1c9a90a8205c01b83f4ce0fa95204100ce48b

  • SHA512

    2cbb5396bef624a3dfe784ecae721567146ad8c27a536dc4039d69176a73c48b6f67a9efe5dc92ad7ac0e9ccfce6e23c935d0900d4c3859a5c9dd2a5420d0c12

  • SSDEEP

    6144:suJpE7cV3iwbAFRWAbd4nf0H05yqE6Hl0ChW0+ksllAXBu0lWGWUJJQ4t0BHQQfu:47a3iwbihym2g7XO3LWUQfh4Co

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3416
      • C:\Users\Admin\AppData\Local\Temp\0651eb83a85b3585562268b7f7f1c9a90a8205c01b83f4ce0fa95204100ce48b.exe
        "C:\Users\Admin\AppData\Local\Temp\0651eb83a85b3585562268b7f7f1c9a90a8205c01b83f4ce0fa95204100ce48b.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:4892
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a47A8.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3216
          • C:\Users\Admin\AppData\Local\Temp\0651eb83a85b3585562268b7f7f1c9a90a8205c01b83f4ce0fa95204100ce48b.exe
            "C:\Users\Admin\AppData\Local\Temp\0651eb83a85b3585562268b7f7f1c9a90a8205c01b83f4ce0fa95204100ce48b.exe"
            4⤵
            • Executes dropped EXE
            PID:4876
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3588
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2616
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2316

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        254KB

        MD5

        d53dfe8ee60a8ec53507b414770b008c

        SHA1

        3428891b51a84cc48294c7c504ff73815eb09ae6

        SHA256

        8b03c2b78678dc4c33f2301edcc9de1128c5cf44a1b532fcb5316c773914007f

        SHA512

        6a5e60f2952a04b6b209cc75ca997f3655cd8cf2a7aea2bc7799eb59e49e638abd7631a6cf3c1455933e961bb6ec1ff3561c6c14027ff4481054243e09af1ab7

        Download Submit

      • C:\Program Files\7-Zip\7z.exe
        Filesize

        573KB

        MD5

        0fa358463d01292dc0c29cd2cb4d6ae9

        SHA1

        be8615293359814fefcdb50f4938d963c52daef7

        SHA256

        0651eb83a85b3585562268b7f7f1c9a90a8205c01b83f4ce0fa95204100ce48b

        SHA512

        2cbb5396bef624a3dfe784ecae721567146ad8c27a536dc4039d69176a73c48b6f67a9efe5dc92ad7ac0e9ccfce6e23c935d0900d4c3859a5c9dd2a5420d0c12

        Download Submit

      • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
        Filesize

        639KB

        MD5

        8e20cd4ac13828acae9e458cea8e8c56

        SHA1

        794cb8e8b5519214c4d4c89e9d5ff0967e224d72

        SHA256

        ed2019032918ac1a2a246a501166a13f7f2bda2f2ca354ad2db584c41c774e5c

        SHA512

        e5e6d2147fb76a7c11e738fbfacbe0b189862cdb35b7de75c82b4ed5784b90953cfda3d1052fceecf3f76a9f873b7ed052c70a4847669b7657bfce522ff907d4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a47A8.bat
        Filesize

        722B

        MD5

        4b6f70aa09ef8380c87e11dd74b2c7f0

        SHA1

        d85e090f5626cb2517020897901c04c9f010ad6a

        SHA256

        623bde1e54553c9a8bab81d73725b151c4d0127bfbda144ba27c80c8f2fabd7b

        SHA512

        04802add19ad9b9a8758a0b6531456b6eb79a2f27c664e8fac55a56c1e5ede89012510df74bd485e28a78bd7dcdbee430d79b584936ccf30b40857cee0f025eb

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\0651eb83a85b3585562268b7f7f1c9a90a8205c01b83f4ce0fa95204100ce48b.exe.exe
        Filesize

        544KB

        MD5

        9a1dd1d96481d61934dcc2d568971d06

        SHA1

        f136ef9bf8bd2fc753292fb5b7cf173a22675fb3

        SHA256

        8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525

        SHA512

        7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        29KB

        MD5

        c3a6498aeafb967730b138db7706cfbd

        SHA1

        82c69ca3f3eaf8bb5fa8288db2b88bc735f18017

        SHA256

        9a8bea687af727ad62d8e900f8fa2c686600ddaaa69c8ff9f431a93e1aaae472

        SHA512

        0a06043720af675a122478c9c71dbb78730821361f7b88ac44a05471a870bfef32e6a8bbead08a4d35be897a031dca9bd46966ea9f7727ceb88d1fa6e1cb43a2

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-540404634-651139247-2967210625-1000\_desktop.ini
        Filesize

        8B

        MD5

        fa8bf97ffdb152205be1f3a9bd9faec3

        SHA1

        88a5a98b6074543e357ec7ad221eaee5e30ec82a

        SHA256

        08a129c008511d5fc4ee1e2ad0fad3d0b033407f74285a18c6fe956d5dc2c9cb

        SHA512

        ea0a63f52af441964e4a2cddede537d87f1ad78241c883cf40334801056879bb1639ae75b2d9e3cceb90471837263760fc7d6c6708819c7a73fec703ba098443

        Download Submit

      • memory/3588-27-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3588-33-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3588-37-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3588-20-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3588-1231-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3588-11-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3588-4797-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3588-5236-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4892-0-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4892-10-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download