Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

6be81e133c...f1.exe

windows7-x64

7

6be81e133c...f1.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/06/2024, 12:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6be81e133c28e32dcae66c4116e00c2d87b1ccda335c1c276c8e6e433e8e95f1.exe

  • Size

    225KB

  • MD5

    1151be4a7702261d356b891b8704d613

  • SHA1

    186c574ea38523ba3b0bf9c15728e814fee74c9e

  • SHA256

    6be81e133c28e32dcae66c4116e00c2d87b1ccda335c1c276c8e6e433e8e95f1

  • SHA512

    0d88cf8ddf30a1ee0c05b7dd9c3570a8812e928c0492dcef4247bbec7bb2b147eaba80d575a0fdebc20db136e3d7dcceb01d55f4def1bd10559f37df7468f607

  • SSDEEP

    3072:9kF3pkdeKzC/lzMPySe8DnpeIPipoHbKvXWXz9LRnsaJUS+6wPXD3fxNW7gq5yGP:qFpkdeKzC/leySe8AIqpoHbnDns1ND9m

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3520
      • C:\Users\Admin\AppData\Local\Temp\6be81e133c28e32dcae66c4116e00c2d87b1ccda335c1c276c8e6e433e8e95f1.exe
        "C:\Users\Admin\AppData\Local\Temp\6be81e133c28e32dcae66c4116e00c2d87b1ccda335c1c276c8e6e433e8e95f1.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1176
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a2FE9.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1660
          • C:\Users\Admin\AppData\Local\Temp\6be81e133c28e32dcae66c4116e00c2d87b1ccda335c1c276c8e6e433e8e95f1.exe
            "C:\Users\Admin\AppData\Local\Temp\6be81e133c28e32dcae66c4116e00c2d87b1ccda335c1c276c8e6e433e8e95f1.exe"
            4⤵
            • Executes dropped EXE
            PID:4896
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1644
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:180
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:4684

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        252KB

        MD5

        93742d345e0943ca38a3240b19de76ab

        SHA1

        bc623ad839126d08637a828dac55bd079f086656

        SHA256

        f6171cff4668eb4524c01eebdc9fc6095a138efc42e424358f7f26871b01371b

        SHA512

        5b42d275d289d6bcb8b49b8d148bc282fca250725b2346232f772c8f0d82d084c02d50aceaa620728ed76494de294f8b619476c7b3da75362bbe1e6eddf8dcc9

        Download Submit

      • C:\Program Files\7-Zip\7z.exe
        Filesize

        571KB

        MD5

        40c2246a559914d6f805b20993def843

        SHA1

        95703ce7172ac6c16a768e1472b29c79f360b39d

        SHA256

        6c28cd4e023dd136f7399665e5bc7ee69e563f25482bf2297db16294e974310d

        SHA512

        8cae4327195ef1c9ba32311830d96416639c9949c0c82c1d970b670c6e7295a20c66c2a8ed734c6b71684128864c815cc9db23252e6a7dffd26dc7c140e2f1fb

        Download Submit

      • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
        Filesize

        637KB

        MD5

        9cba1e86016b20490fff38fb45ff4963

        SHA1

        378720d36869d50d06e9ffeef87488fbc2a8c8f7

        SHA256

        a22e6d0f5c7d44fefc2204e0f7c7b048e1684f6cf249ba98c006bbf791c22d19

        SHA512

        2f3737d29ea3925d10ea5c717786425f6434be732974586328f03691a35cd1539828e3301685749e5c4135b8094f15b87fb9659915de63678a25749e2f8f5765

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a2FE9.bat
        Filesize

        722B

        MD5

        caf60e7871936e583c6aec6f2b05ea56

        SHA1

        f542a2d7e26a9b968b1c5de560b3843bc0708a89

        SHA256

        8186483ca697baa58bfa889fc69dda375fb140fa1b9f7b7f9f93ecc619a195e8

        SHA512

        3fbf964a358cc0028539757c029165252233fbff31521c49bcc898e8c955badf69a2650e97ea2e8250b2a0d6622f63df7d11e54944528dee2206530e89f58c97

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\6be81e133c28e32dcae66c4116e00c2d87b1ccda335c1c276c8e6e433e8e95f1.exe.exe
        Filesize

        198KB

        MD5

        e133c2d85cff4edd7fe8e8f0f8be6cdb

        SHA1

        b8269209ebb6fe44bc50dab35f97b0ae244701b4

        SHA256

        6c5e7d9c81a409e67c143cd3aed33bddc3967fa4c9ab3b98560b7d3bf57d093d

        SHA512

        701b7d1c7e154519d77043f7de09d60c1ff76c95f820fc1c9afca19724efb0847d646686053354156fd4e8a9dab1f29a79d3223f939a3ff1b3613770dc8603b1

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        27KB

        MD5

        6c0c2056d5784fc3f7c04858f85819c4

        SHA1

        203759f0622c3ae4724f946c314bfea1dabb5752

        SHA256

        89f77befd5f884f8fa2677f5214e4e09f0e0c15c1f256791beb9d5ef204aec41

        SHA512

        717f436d961c0da9e04be621d99b19dccbae7bfbe3704bd21a354c2a81b10bbd21ec8a48ca9f769eef78369fcbfb8d184d8c6f98c0faf2418892d02e29745e51

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-2080292272-204036150-2159171770-1000\_desktop.ini
        Filesize

        9B

        MD5

        1884bfdeea71ff22db39c196f4447c9c

        SHA1

        3eafc7e6e17ba6ce7a087a3588fb1efb596da038

        SHA256

        163167bc5a01ad6b3ed4406c2a9a1baaf2c0ef4620ab7d5b39aeddf976ca776d

        SHA512

        b22124aa3a912462e6face7f71ad3dfec4b27dab16b2e20e3a0adc277f89f631ec889c91b185ac4b9b670933d881b8fd26c25d6f405e465aa8148cdbb7f7c3e2

        Download Submit

      • memory/1176-13-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1176-0-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1644-27-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1644-37-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1644-33-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1644-1231-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1644-20-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1644-4787-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1644-12-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1644-5226-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download