Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

5e3c5ab150...f8.exe

windows7-x64

7

5e3c5ab150...f8.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/06/2024, 18:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5e3c5ab150b906815bea2449b120393ec71f2249e8a0b8f992f242b13847eef8.exe

  • Size

    568KB

  • MD5

    587ea9b0c403691d463cffda0f57fb17

  • SHA1

    6054061be509c66800fc5e92b1dd3212eadd1f64

  • SHA256

    5e3c5ab150b906815bea2449b120393ec71f2249e8a0b8f992f242b13847eef8

  • SHA512

    75346273bea889409f916da81f7462c0d7db300e0ab533743186913024bbbe41a2f3703baa8505b6d65cc593b9efa295b870e15094c82a796d7e870b1c280213

  • SSDEEP

    12288:U7+ovP+BNSebhEFoUbElY7dx0Gyz1batvex:U7WhiFoUbEwdngx

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3476
      • C:\Users\Admin\AppData\Local\Temp\5e3c5ab150b906815bea2449b120393ec71f2249e8a0b8f992f242b13847eef8.exe
        "C:\Users\Admin\AppData\Local\Temp\5e3c5ab150b906815bea2449b120393ec71f2249e8a0b8f992f242b13847eef8.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:3908
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3529.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3392
          • C:\Users\Admin\AppData\Local\Temp\5e3c5ab150b906815bea2449b120393ec71f2249e8a0b8f992f242b13847eef8.exe
            "C:\Users\Admin\AppData\Local\Temp\5e3c5ab150b906815bea2449b120393ec71f2249e8a0b8f992f242b13847eef8.exe"
            4⤵
            • Executes dropped EXE
            PID:1384
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3724
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4892
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:3436

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        533ce215a7c274602dc456ca375cef93

        SHA1

        76c502d7c45eca3fd96f6b04eb850e751bc785dd

        SHA256

        d70c9f73bbeed5cbc0df4a4d14bae68789f84d8092281337d2919322b288ce9c

        SHA512

        09d9dee36c48567921de4b7c31c4a822d5f9ed5e0b1cb0330031b320f40b5ba9b15e89dc37d52561094642c0ff16c14d32e81ed5b1dac06150fefbbd6f3365bf

        Download Submit

      • C:\Program Files\7-Zip\7z.exe
        Filesize

        570KB

        MD5

        e3cafc7557cf7a03b7d8dac8da969d35

        SHA1

        b78ea56fb133598f5cc60176d0d6fafbfde5d966

        SHA256

        edbd4ee1f536fbb25d4920792aed7d91b26b1629fcebad22ca41b69b271595de

        SHA512

        c46a3a9b014a7d158585799590f2c17ce40e0eac938589f0da2b3476f444419925312be8caba3dbde3f7a4b5466062ca319d8f2ab0d10ae6b516ba4fc30b144e

        Download Submit

      • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
        Filesize

        636KB

        MD5

        2500f702e2b9632127c14e4eaae5d424

        SHA1

        8726fef12958265214eeb58001c995629834b13a

        SHA256

        82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c

        SHA512

        f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a3529.bat
        Filesize

        722B

        MD5

        a2ad7ef0e3311d6c158e62b88b73e218

        SHA1

        14439b16d99bfd94bb63a7e06d92ef39c93a1946

        SHA256

        b0c54cf5c8af0dd76ccc2fff6f6c8e045d8b0f8697623e34027f14190be19ae4

        SHA512

        1673eee6b203c3acd760687499004704f1f94fb54faa3fc5535c71a244eee5751012ec6ab28a1a9f1a5301396e26e2940d0ef12fce7ff5921b4c1bd108b613fc

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\5e3c5ab150b906815bea2449b120393ec71f2249e8a0b8f992f242b13847eef8.exe.exe
        Filesize

        542KB

        MD5

        f41760229b98eefe702a4a5bbf6481a5

        SHA1

        139bc04d1466405b85e736f2dc861c125700cb80

        SHA256

        5279d9f6c41db7c9a13ce2f82fa0ad108904c9a2892ff1ec0c19a16eaab80a07

        SHA512

        c1ae8dd8dd3b15bb361cdf7a059406ffd174116aea2ae0ec972989b1efe1d0068f5600b67c4acde8a920af8354674f8eacce6d92257c69ec4b93d90a6c34aff5

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        925efa8e6ec043b04fdaf9e6c9f95b9f

        SHA1

        4bb883e016bdeecc3f21b562df6364944b777ae3

        SHA256

        6513ef9968b68f982fb83460b5919e55470f514db71c3831c2ea5c7b3a2721db

        SHA512

        bf4978b5b10932de14d0c64566768708331f89a815f153323173506aecc296236a22d387b5caceba100c72b44e6b870e879f7350f1abce413bb92d54e70b133e

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-4204450073-1267028356-951339405-1000\_desktop.ini
        Filesize

        9B

        MD5

        1884bfdeea71ff22db39c196f4447c9c

        SHA1

        3eafc7e6e17ba6ce7a087a3588fb1efb596da038

        SHA256

        163167bc5a01ad6b3ed4406c2a9a1baaf2c0ef4620ab7d5b39aeddf976ca776d

        SHA512

        b22124aa3a912462e6face7f71ad3dfec4b27dab16b2e20e3a0adc277f89f631ec889c91b185ac4b9b670933d881b8fd26c25d6f405e465aa8148cdbb7f7c3e2

        Download Submit

      • memory/3724-27-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3724-33-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3724-37-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3724-20-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3724-1237-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3724-4966-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3724-8-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3724-5405-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3908-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3908-10-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download