Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

ce69f7ebec...82.exe

windows7-x64

7

ce69f7ebec...82.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/06/2024, 22:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ce69f7ebecfebe50af437b063d7e5630400cff6af57a66535306bc8907b96382.exe

  • Size

    85KB

  • MD5

    6e59fd3c3952e47c18275508e8c3a7ca

  • SHA1

    87874346dbd3aa0eea3ca6c9a12ed1e8fcc96f52

  • SHA256

    ce69f7ebecfebe50af437b063d7e5630400cff6af57a66535306bc8907b96382

  • SHA512

    1b910c73da7f2f2b82bfd17aa75ef3ea9cb795a6db93340bb67de9181f34fbb38628a0e6d576336f4ace0ee96a3ba6b001f71db1f76425e5eda454890dcec43c

  • SSDEEP

    768:pBfc16GVRu1yK9fMnJG2V9dHS8EMapdwIT+lCCWxGuq8KsD5L6sKbAp3c4VvMyhC:pQ3SHuJV9N4BXguNKCOsLM4H5uw/a+q

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Program crash 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3552
      • C:\Users\Admin\AppData\Local\Temp\ce69f7ebecfebe50af437b063d7e5630400cff6af57a66535306bc8907b96382.exe
        "C:\Users\Admin\AppData\Local\Temp\ce69f7ebecfebe50af437b063d7e5630400cff6af57a66535306bc8907b96382.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:4400
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3F2C.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4752
          • C:\Users\Admin\AppData\Local\Temp\ce69f7ebecfebe50af437b063d7e5630400cff6af57a66535306bc8907b96382.exe
            "C:\Users\Admin\AppData\Local\Temp\ce69f7ebecfebe50af437b063d7e5630400cff6af57a66535306bc8907b96382.exe"
            4⤵
            • Executes dropped EXE
            PID:2812
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 796
              5⤵
              • Program crash
              PID:3200
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1296
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4656
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:64
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2812 -ip 2812
        1⤵
          PID:3316

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
          Filesize

          254KB

          MD5

          e542b339816098a38ee16a176deaa93b

          SHA1

          de2fc07c7b251538956beb23b9a9ec238efd91a0

          SHA256

          2bdc58a31e8b85897d78c00f3dbe9ce524cc41481894cfa89d5c9f41f035e9b6

          SHA512

          711c2cb92dadad406fda87d71a634b9ee7fcc96d09a2e169b963e6b19cee6f6a21a07a1b517c62177fd9784cfb7aabe32f8d549172b092879a5ee1189954a377

          Download Submit

        • C:\Program Files\7-Zip\7z.exe
          Filesize

          573KB

          MD5

          6e483dbc5df277343876fe8fdfc6920a

          SHA1

          6523400cd4509cc32e10cf51878a2c2961a7d436

          SHA256

          2f0d4f2ad229e33e046cafb636c7da1065f594c238fcde892d2943e430af211d

          SHA512

          03e8f57c94b973aaa22d31fdf86b0a190e7a936a742561de6579a8fb31b67e92a6ae113a97da6f9d7c2685189b027bc64291cecbbfcd552ea78a4c1cf4cdc786

          Download Submit

        • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
          Filesize

          639KB

          MD5

          c8d281da4c32df16eef470c27c8cb459

          SHA1

          00efc9f6844bfaa37c264b6452c6a7356638ab10

          SHA256

          058c81e5a07f2c6c33cf28dff71d07ad8f179046108d945159957e891bfd9c62

          SHA512

          e3c79e19f620068f668d4ebaa5097f1a95a30dabb8dce75f3787171dddbea9f684fc7ce8d1011a398f38084d7af96dd1ff9a02d25906aab9b13861b8363d24bb

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\$$a3F2C.bat
          Filesize

          722B

          MD5

          5c77213972c8616e06e7df69755feab1

          SHA1

          1d9f5573661773491a0d9dac40b3c55207bf98fb

          SHA256

          16c6047a055cda1a811203c6354904c3b5d401906ee3e42302dccfe43e865330

          SHA512

          9517979ac4a45e1f9be9c03e23e41199a2292ae6dcc2bfea63e7a5538e755a165c08a0677095e6a72ab64d4bfab4bee16eb0093ae4f1a503059c3c40398871ed

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\ce69f7ebecfebe50af437b063d7e5630400cff6af57a66535306bc8907b96382.exe.exe
          Filesize

          56KB

          MD5

          c463b700818ce76280712996e0e76cb2

          SHA1

          8d326ff84883861b94b1695f293bcb35545b7514

          SHA256

          01281dc3fd2aa9b95e9c8af2f485365ee4ee042305216366cd3ba30dde048a99

          SHA512

          93481218c4e87b2ee99c3ed3177e07886d537c0fada4fd1b40f59afc3010812beeee9ebeb37d77cfb6b9cb4242188461b4ba9991bcb6b90db28e77a8d94e4bc6

          Download Submit

        • C:\Windows\Logo1_.exe
          Filesize

          29KB

          MD5

          523fd6c3e8adc537e86e5cba904beec7

          SHA1

          78f409b465ead7c142c1ba953f2e2ee672db3c46

          SHA256

          1e71cf4efa0319f39447c3b4de4ac944873f4fbf45e1a3a645625c95e23188b9

          SHA512

          49ef33615976771df5be42adf10651ff12b56b939d6bfbc7e0a4cf7d9896f8cd4d43071f39b399590519478c673a767e217c6ccb921a08689742be85744fe557

          Download Submit

        • F:\$RECYCLE.BIN\S-1-5-21-4204450073-1267028356-951339405-1000\_desktop.ini
          Filesize

          9B

          MD5

          03c36dbecb7f35761f80ba5fc5566da6

          SHA1

          159b7733006187467bda251a1bbb278c141dceb6

          SHA256

          85a53f5b976fb1c26ce14c31e93c1f68997d2d8b09ab9aa2b7e0d32b8e50ec3b

          SHA512

          fe573085d2abef34adcede2f89b1c2810875ab00ef9ba27a1d95ed1dbe93e182fc53d981901a0b8048dd4eb5fdc852b8f0e0c3a0e1a404cbbe70e13a7a14104a

          Download Submit

        • memory/1296-10-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1296-22-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1296-29-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1296-35-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1296-39-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1296-1240-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1296-4968-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1296-5407-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/2812-20-0x0000000005230000-0x00000000057D4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/2812-18-0x000000007433E000-0x000000007433F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2812-19-0x00000000001C0000-0x00000000001D4000-memory.dmp

          Filesize

          80KB

          Download

        • memory/4400-0-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/4400-9-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download