Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

512cd8104a...c3.exe

windows7-x64

7

512cd8104a...c3.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/07/2024, 08:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    512cd8104a96191216e2316b00a729b9e9cfd0191551d39fcd4944080d2670c3.exe

  • Size

    70KB

  • MD5

    892772aa0331b21a22e480928647f38f

  • SHA1

    eb0aa18bd65f530c866b32962436a9993d4fca57

  • SHA256

    512cd8104a96191216e2316b00a729b9e9cfd0191551d39fcd4944080d2670c3

  • SHA512

    19ed9aa4c06759824f8cdfc36b5843f05baffbb1cd8463a219030551304a4a212700c31fda7c7180b40c056aa572dff13f4cc176b3dcf5702fd98652bf57946a

  • SSDEEP

    1536:ps3SHuJV9NdEToa9D4ZQKbgZi1dst7x9PxQ:pskuJVLtlZQKbgZi1St7xQ

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3504
      • C:\Users\Admin\AppData\Local\Temp\512cd8104a96191216e2316b00a729b9e9cfd0191551d39fcd4944080d2670c3.exe
        "C:\Users\Admin\AppData\Local\Temp\512cd8104a96191216e2316b00a729b9e9cfd0191551d39fcd4944080d2670c3.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:4028
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB527.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2936
          • C:\Users\Admin\AppData\Local\Temp\512cd8104a96191216e2316b00a729b9e9cfd0191551d39fcd4944080d2670c3.exe
            "C:\Users\Admin\AppData\Local\Temp\512cd8104a96191216e2316b00a729b9e9cfd0191551d39fcd4944080d2670c3.exe"
            4⤵
            • Executes dropped EXE
            PID:3392
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3296
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3144
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2016

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
        Filesize

        247KB

        MD5

        7c714fc26fd9e2865588bb0e36ee4251

        SHA1

        df71dd16905490143ae5f57b2f50f11e282b8474

        SHA256

        1798922f375df3e6846c25c7c0a0cdaf00eb435655d1b88b17275870c84627c4

        SHA512

        4299d5a720c17d63a24c87f90ade18cc0296b8f9343cf504d66b959a897767fcc6ab436ef42455896663f12b4f3f91c9bf7a00b142265d052e413abad8fa30d2

        Download Submit

      • C:\Program Files\7-Zip\7z.exe
        Filesize

        573KB

        MD5

        7aec67ade27b1be7e2055f22f472f023

        SHA1

        c7eb18a71a83d2435a6d61d03174fe40e41b4ac5

        SHA256

        cf43e59bcace4a0538f63509cf7f3c9e318350381f18ed29d353cbec6d5d17ce

        SHA512

        8798d6ae5677af810d15b68613eeede5e9872cc55302e3fe6fc4593933b04d257cbdfb8374298dc7e5fa8c0bb287e47f00487229391cf00585ae02c584daca78

        Download Submit

      • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
        Filesize

        639KB

        MD5

        f2dd3625350094e9f92f96bd0211a47a

        SHA1

        4b54b7f337ebdde42b179120d3141b974e604859

        SHA256

        93ebf0f160833b337c35ca68d4e30e5805148c8cb318d842006fb867d44867ba

        SHA512

        110aab7585b4bc8b710e7180c9e19420ad8c2aac1483db8b5245e507864f8994d8ec3670950e00ebc199c19b14bc17253ca854e4e524887e10e99f650fc23f9c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$aB527.bat
        Filesize

        722B

        MD5

        2e98528b08d0df8c89866cbd1596bf0f

        SHA1

        60ff5ae2e53c3f507233e8f6e6cd05d8e1b75798

        SHA256

        3c33462dda02edc1dc142a8745aa887d841f9157b8fb3b6b246f6061577e4b9a

        SHA512

        4a1db4945ff5c8c6a418e55755efd97673989cded1f3339f13141130886d2684ae915bfb974896f1df75b5897dae4bf77af7b61f07476f9e9c6fa3ad3a723697

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\512cd8104a96191216e2316b00a729b9e9cfd0191551d39fcd4944080d2670c3.exe.exe
        Filesize

        41KB

        MD5

        977e405c109268909fd24a94cc23d4f0

        SHA1

        af5d032c2b6caa2164cf298e95b09060665c4188

        SHA256

        cd24c61fe7dc3896c6c928c92a2adc58fab0a3ff61ef7ddcac1ba794182ab12f

        SHA512

        12b4b59c1a8e65e72aa07ee4b6b6cd9fdedead01d5ce8e30f16ca26b5d733655e23a71c1d273a950a5b1a6cce810b696612de4a1148ac5f468ddf05d4549eed5

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        29KB

        MD5

        5b4c3134de39fdc610b472ca6e113242

        SHA1

        7941f97bab57022193bad8718a864b72c55eefc9

        SHA256

        cd8cbf6357454d633657c471e6ef57a5cbeadb7df75d37d8ebe93e0097967a6c

        SHA512

        717ba94652d293686833b1f4a759826d54cac51498fabbfaff240c1c9959d9deea38f277537c604d21ad70e8237fec0cf769bb5adcb4bc52e5ade69efbddab86

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-1750093773-264148664-1320403265-1000\_desktop.ini
        Filesize

        9B

        MD5

        1368e4d784ef82633de86fa6bc6e37f9

        SHA1

        77c7384e886b27647bb4f2fd364e7947e7b6abc6

        SHA256

        57507bed6cf91d70e66bd4cc287634889ef30b648cb7c44a4edec0e2cb68b772

        SHA512

        3cb7168e776eb564768e30eba43174014a85108ab306a7c07a1522fb42173c381a5bff9ac10944fd345dd5308061cbe2878c60d1e878f8768281c1adcf5dd85b

        Download Submit

      • memory/3296-27-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3296-33-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3296-37-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3296-20-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3296-1234-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3296-4800-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3296-11-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3296-5245-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4028-0-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4028-10-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download