Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

03fddb5af8...3c.exe

windows7-x64

7

03fddb5af8...3c.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/07/2024, 06:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    03fddb5af843d31e16c50429d45552214a725769ccd53839fe3c3917adf58e3c.exe

  • Size

    244KB

  • MD5

    2828638fc1c23a51f16d6556a8b5e3af

  • SHA1

    4e3e41821ffd6f42c8317fe421fc08e9054559bf

  • SHA256

    03fddb5af843d31e16c50429d45552214a725769ccd53839fe3c3917adf58e3c

  • SHA512

    dc812937bec06af35346257540573dfa1e7e51d2766450a554013a3b2f90d5dcbcfee838d2ee5952fb37dd3209b5e2776ef02f61520942a6ca54a216ca106c4f

  • SSDEEP

    6144:cVfjmN9qml5a6EdkQxiUmRQColKGAOPQK2GwIgfx+qSfF0:e7+Uml5a6EdkQgUmR7G9QK3wJx+qSfF0

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3448
      • C:\Users\Admin\AppData\Local\Temp\03fddb5af843d31e16c50429d45552214a725769ccd53839fe3c3917adf58e3c.exe
        "C:\Users\Admin\AppData\Local\Temp\03fddb5af843d31e16c50429d45552214a725769ccd53839fe3c3917adf58e3c.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:5020
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a72AF.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4392
          • C:\Users\Admin\AppData\Local\Temp\03fddb5af843d31e16c50429d45552214a725769ccd53839fe3c3917adf58e3c.exe
            "C:\Users\Admin\AppData\Local\Temp\03fddb5af843d31e16c50429d45552214a725769ccd53839fe3c3917adf58e3c.exe"
            4⤵
            • Executes dropped EXE
            PID:3636
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3824
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2660
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:3120

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\7-Zip\7z.exe
        Filesize

        570KB

        MD5

        25afab3f0ba6dbad99e03865e50b18f1

        SHA1

        7a0ae79bdc081d5f7a627da5f22d7bc97571cffe

        SHA256

        7362d8af93815c603929360385cc674bdb5430b2778758937a762517b13c8eb1

        SHA512

        e000c907d50f9e482d99b2125bb06878e51785b240f0033a48ec71c151f880518521c04b3a066f0d1b7beedeb93e6562281decee90b0070fd82a113b4aed4997

        Download Submit

      • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
        Filesize

        636KB

        MD5

        2500f702e2b9632127c14e4eaae5d424

        SHA1

        8726fef12958265214eeb58001c995629834b13a

        SHA256

        82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c

        SHA512

        f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a72AF.bat
        Filesize

        722B

        MD5

        f1ada44ac21b770894aa14e9caaa9e7a

        SHA1

        352eb72dfd1b98a6f4e83cc7391ddfe5075cafa7

        SHA256

        c9caa988b436e2bfde76d94e60fb20f57a802925b1f794b5101d11635b47a92f

        SHA512

        d2ca912a4c1ab34eea3b5a44da8d4b88c53729a0a4fac8f0d19a4e19d23a7cde17669844cd6102555831c2c8942c41ade8a575d4a12a87e7ac8d100b39218bf1

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\03fddb5af843d31e16c50429d45552214a725769ccd53839fe3c3917adf58e3c.exe.exe
        Filesize

        217KB

        MD5

        021c57c74de40f7c3b4fcf58a54d3649

        SHA1

        ef363ab45b6fe3dd5b768655adc4188aadf6b6fd

        SHA256

        04adf40ba58d0ab892091c188822191f2597bc47dab8b92423e8fc546dc437ef

        SHA512

        77e3bbb08c661285a49a66e8090a54f535727731c44b7253ea09ffe9548bae9d120ef38a67dfa8a5d8da170dde3e9c1928b96c64dfc07b7f67f93b478937c018

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        5baaa7218d49b4357f4b6d043e6a9ee1

        SHA1

        53dd6fcaa614d3c83645842887d3374f442139b3

        SHA256

        1f9628abf48c70faa563f7567e75782c372a09caa4f9afd2d3d9757156fabe17

        SHA512

        b62675b8642357aac26b554c0a197995fb8ac2fe4f9936ee8af8da55c14951f8b856a1c94d3c1c470b98c016085c3782c0ead4403512511f7d9d6f56a7f13b66

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-701583114-2636601053-947405450-1000\_desktop.ini
        Filesize

        9B

        MD5

        1368e4d784ef82633de86fa6bc6e37f9

        SHA1

        77c7384e886b27647bb4f2fd364e7947e7b6abc6

        SHA256

        57507bed6cf91d70e66bd4cc287634889ef30b648cb7c44a4edec0e2cb68b772

        SHA512

        3cb7168e776eb564768e30eba43174014a85108ab306a7c07a1522fb42173c381a5bff9ac10944fd345dd5308061cbe2878c60d1e878f8768281c1adcf5dd85b

        Download Submit

      • memory/3824-26-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3824-19-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3824-32-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3824-36-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3824-12-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3824-1233-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3824-4784-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3824-5229-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/5020-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/5020-8-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download