Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

b2506e70d2...8d.exe

windows7-x64

7

b2506e70d2...8d.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    28/06/2024, 22:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b2506e70d2086cb4b515c1c94995bdd22560dc336e05550f6ce917ad08d6cb8d.exe

  • Size

    563KB

  • MD5

    667e85bd4dde4229556b4c184abc6315

  • SHA1

    efca5158bccfd76802fa812678edd1efc332096f

  • SHA256

    b2506e70d2086cb4b515c1c94995bdd22560dc336e05550f6ce917ad08d6cb8d

  • SHA512

    7e3db649c845d78fc995347adfba86f575ecdd7a7e42d783a12990abaf8a9af1a1e483b60dd548521ab21ee074ed07fb01e3d79bca5db08e41d3609407fc318f

  • SSDEEP

    12288:x7+HLc+Gl3DflwlLrfw+fZdI+eN9K61cNiSvSGtTnOmyMcp7YJhne:x72c+qILkOdIdcN/vvtTObMceJhe

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1192
      • C:\Users\Admin\AppData\Local\Temp\b2506e70d2086cb4b515c1c94995bdd22560dc336e05550f6ce917ad08d6cb8d.exe
        "C:\Users\Admin\AppData\Local\Temp\b2506e70d2086cb4b515c1c94995bdd22560dc336e05550f6ce917ad08d6cb8d.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2176
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a24A0.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1724
          • C:\Users\Admin\AppData\Local\Temp\b2506e70d2086cb4b515c1c94995bdd22560dc336e05550f6ce917ad08d6cb8d.exe
            "C:\Users\Admin\AppData\Local\Temp\b2506e70d2086cb4b515c1c94995bdd22560dc336e05550f6ce917ad08d6cb8d.exe"
            4⤵
            • Executes dropped EXE
            PID:1572
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2264
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1904
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:1804

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        14ade88c5dc82b0bfa12f95ef44d65e8

        SHA1

        7ec030c11b167d19fbbdc0283ad581593f3e0c68

        SHA256

        4eed98e322b4876e43df6d22b1cd2c7ffd4e7b0ca4fdf4e1d512c040889f6e50

        SHA512

        c9af793ec2a3b508d17e63f3ebe82a021a9f45849ea90473befdd4739a5536b6a08326214870aa7315bfa2e36b06629b8d6e4746e20260108cd9a608c5157eff

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        471KB

        MD5

        4cfdb20b04aa239d6f9e83084d5d0a77

        SHA1

        f22863e04cc1fd4435f785993ede165bd8245ac6

        SHA256

        30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

        SHA512

        35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a24A0.bat
        Filesize

        722B

        MD5

        616ca5bca81b44cb8e52d5600ba59ae7

        SHA1

        1a22a7c36e78c0b85dfb63730dc657738f1381fe

        SHA256

        78080d9f27e21f4bae08daeea847421d843961bdd7fc8918c8dc6169032a5964

        SHA512

        16c8596b1d3a11ff843b8c9f297a0bdd35be89a5d1a93eb9a592ad640e411d99fec28185dadf3b828d85316c385aecea59df844d27b306a633e513100663ee10

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\b2506e70d2086cb4b515c1c94995bdd22560dc336e05550f6ce917ad08d6cb8d.exe.exe
        Filesize

        537KB

        MD5

        1693ec6b9172f769440a61f39dc4ec23

        SHA1

        784211d8def7e5047b16858773c1f898e853c761

        SHA256

        d03eb23ef9eaf78e92d7db8febdd0c58bba0c8fa180af3ecb9112d7b5e02ddaa

        SHA512

        059903839564e19b17d9e096db365c643079a68ace6e78b704810e81c57c04788621f987932c2947821ebda01cc3319c646dcde0d04f8cb736128debaade4df0

        Download Submit

      • C:\Windows\rundl132.exe
        Filesize

        26KB

        MD5

        02a751086e70575a0d1fd2ddb0c828f5

        SHA1

        53368acb3a3ec94af65b4fb645311ae861e15896

        SHA256

        bd1b420c600a7fbd919550599f2521bc8100d716025ebec0872565bada4ab974

        SHA512

        5cf5d7066eabb389373ab48945dc35c23175bd1172a951f18b88d1db80b4b244a78df62a1d30073eb69a31dcf8ef0fb30f61274a3fa7ff1ce56806b7852a08c9

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\_desktop.ini
        Filesize

        9B

        MD5

        7905486656bdf3fb568c8ea7abf7bda1

        SHA1

        49bd27ff3dcc248ecab0f726abb60ca35dc0e78c

        SHA256

        238153572e1dcd784aa47b53eba4a41558719a908862c7b3d186928fb0237b09

        SHA512

        b981b1fd177812b877c92b63b7261d2951b98871da87c20232cb70317a68694d7f7b24cf2f01bc3db01f192b2b8b84c7569a2472204ec4e66226d1efd14c9c14

        Download Submit

      • memory/1192-31-0x0000000002520000-0x0000000002521000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2176-17-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2176-15-0x0000000000220000-0x0000000000254000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2176-18-0x0000000000220000-0x0000000000254000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2176-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2264-98-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2264-46-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2264-92-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2264-40-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2264-529-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2264-1851-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2264-2199-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2264-33-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2264-3311-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2264-20-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download