Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

2d859c2259...75.exe

windows7-x64

7

2d859c2259...75.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    16/07/2024, 06:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2d859c225937f092cd7ded70b7668b979f0d3cb45264c0590f67717ad25f7175.exe

  • Size

    907KB

  • MD5

    03eee3da3ae6646dae54754d7e1f3c11

  • SHA1

    7039a48929348f7f87d393e88b47966c8b3b7efd

  • SHA256

    2d859c225937f092cd7ded70b7668b979f0d3cb45264c0590f67717ad25f7175

  • SHA512

    6a772b16ccd30359e7020c903531557967fe4bc1730f69c518582c38775a87b08d4d2130e7d9077050a56a807a5ee6a056104f99598b16085b275a0ad18ab651

  • SSDEEP

    24576:/7XuuBj3ZXqv05z2V2KxwnX3S4LZu9UvZfR:/7XV5q85KwX3SGZu9mZfR

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1380
      • C:\Users\Admin\AppData\Local\Temp\2d859c225937f092cd7ded70b7668b979f0d3cb45264c0590f67717ad25f7175.exe
        "C:\Users\Admin\AppData\Local\Temp\2d859c225937f092cd7ded70b7668b979f0d3cb45264c0590f67717ad25f7175.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:3016
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aA63E.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1152
          • C:\Users\Admin\AppData\Local\Temp\2d859c225937f092cd7ded70b7668b979f0d3cb45264c0590f67717ad25f7175.exe
            "C:\Users\Admin\AppData\Local\Temp\2d859c225937f092cd7ded70b7668b979f0d3cb45264c0590f67717ad25f7175.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:2260
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2060
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2980
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:1076

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        251KB

        MD5

        93682ae617e5b6cca0eed1522c68a8be

        SHA1

        c2e2a5a852ddffd60d93922c25d6c36152c01a11

        SHA256

        58440fceb04e732a78fe83ce9ed85f7bc0b1db862430d3afaa3c03d0500b94b8

        SHA512

        58c6421e32999513946aff532cb697374362f03e84231b0c3bda9539e9141308f4f92b44141ab1b0a6108efe4e26712ed1ce223218aa6dac2e114ef67b0c6117

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        471KB

        MD5

        4cfdb20b04aa239d6f9e83084d5d0a77

        SHA1

        f22863e04cc1fd4435f785993ede165bd8245ac6

        SHA256

        30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

        SHA512

        35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$aA63E.bat
        Filesize

        722B

        MD5

        b84d06e6b55640fbe556535eb0219f7a

        SHA1

        b957ab70f84af8822998e6c7094333ce968e8e9b

        SHA256

        d570cfe41783eaec13e0d176e2b52e27f130c785eaf97c35846dbbe8144ae9b9

        SHA512

        66b97c5cfbc141d950dba15b46da48fd507e999edcf0ade80c7600c899dfe876707997fcd5cc4b4eec22e48cf48218023cff47b5baf89893cab769732295ce34

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\2d859c225937f092cd7ded70b7668b979f0d3cb45264c0590f67717ad25f7175.exe.exe
        Filesize

        881KB

        MD5

        f047493ec3160cad60fa367f534ba1aa

        SHA1

        5e9f1afcc757149f54f6f509bce9f66d45d42b2b

        SHA256

        f895a6b92606ca7de94e757a00d574551148e583285dee6959d0d7f1c7aa7126

        SHA512

        0327605bcec48e81479f69ac8a3733ae1fc16932cfacc6c1672faae1c439e44f763613984834d4acec65c6d70017ea816448c45414b050fb46d664b1b5833d9d

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        2f809e1bc24e065a06eb9cc885f52666

        SHA1

        5a3f1009a867e84081c8e510a95a6aa67d0ea4f7

        SHA256

        449b2bf4a84e027375af2a6bbe59a0b18c07edfc9aa96c6ff52adfc195fcd739

        SHA512

        25338b9c6561fce3574871b08ec6f5705ca78b74e22828efaed88fb51c2c3a92d6afcd96eabf273ab19678cde13af96ad6db22532e5750e4da6202adb314435c

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-1385883288-3042840365-2734249351-1000\_desktop.ini
        Filesize

        9B

        MD5

        47dd2aeea8b548cd2ed3e9a71bf04f02

        SHA1

        fb4ab8a2ceb995fb0ad31326ce2f2aeb9eba5987

        SHA256

        ceadd1f3f299b6a19ca4844eee791af719de61dbec0839b68ed0f1d6cb5c5411

        SHA512

        45843cc926c9c267f3cc967859b7537e937367ab5280f1429cc2f80d7b536131c40238cdcd5a3fc9823521bc596994e79bd3f37d3cc8db8a329f739e0793c50e

        Download Submit

      • memory/1380-30-0x0000000002920000-0x0000000002921000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2060-39-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2060-32-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2060-19-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2060-45-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2060-91-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2060-97-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2060-652-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2060-1874-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2060-2136-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2060-3334-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3016-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3016-16-0x0000000000220000-0x0000000000254000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3016-17-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download