Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

50985ad414...42.exe

windows7-x64

7

50985ad414...42.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    19/07/2024, 09:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    50985ad414bd80273788a2f1a0249e090332520e2882695edfbff01c88885242.exe

  • Size

    571KB

  • MD5

    3d4f245f4ecab8563dad26f5f430b77c

  • SHA1

    b988a0cb3d6aa18b6a5927cd1dcb9da30c691a60

  • SHA256

    50985ad414bd80273788a2f1a0249e090332520e2882695edfbff01c88885242

  • SHA512

    df3ecf2a69ff0a8be865a6dffc4a78d46e50027b1c922ff2995350dd7b54fca456178dc71c8f45d4bfb8323bd6ebfef5563f63f3e8c92e043234f6a02de046c2

  • SSDEEP

    6144:FFpnE7cV3iwbAFRWAbd4nf0H05yqE6Hl0ChW0+ksllAXBu0lWGWUJJQ4t0BHQQfu:3pE7a3iwbihym2g7XO3LWUQfh4Co

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1188
      • C:\Users\Admin\AppData\Local\Temp\50985ad414bd80273788a2f1a0249e090332520e2882695edfbff01c88885242.exe
        "C:\Users\Admin\AppData\Local\Temp\50985ad414bd80273788a2f1a0249e090332520e2882695edfbff01c88885242.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2220
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aA1FA.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1220
          • C:\Users\Admin\AppData\Local\Temp\50985ad414bd80273788a2f1a0249e090332520e2882695edfbff01c88885242.exe
            "C:\Users\Admin\AppData\Local\Temp\50985ad414bd80273788a2f1a0249e090332520e2882695edfbff01c88885242.exe"
            4⤵
            • Executes dropped EXE
            PID:2060
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:588
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2164
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2068

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        Filesize

        252KB

        MD5

        fe5f05d737cd2089016a825f0192cf28

        SHA1

        d91a05651b841fffd919bae6d7d1ef59b7513806

        SHA256

        361e214a2c9a45352b7f6b0262985bdf6b8c73dabf1e091d4f3b5b7d816d768c

        SHA512

        47807c7443b711e30eb82d9dade17ed91a7bfebddf5826e7fbb9dc4248ddb302c869167cfb7a7b9169cf9c54f60d41e64e690f8f779ada9f763b8782d32f1d7d

        Download Submit

      • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
        Filesize

        472KB

        MD5

        88eb1bca8c399bc3f46e99cdde2f047e

        SHA1

        55fafbceb011e1af2edced978686a90971bd95f2

        SHA256

        42fd78c05bc240d4ded16ac974f17c336f6ae3a1814d548021c48a942cc30428

        SHA512

        149d4de0c024e25a13a7bb17471e6f48391d4f26b1c8388672320eed1c255f84219ad7b72bbebc531ae558d5192dd4bb6d0dddd6c65a45300c8e8348a4fb3728

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$aA1FA.bat
        Filesize

        722B

        MD5

        b0733ce00af202d7826270e29127ffaa

        SHA1

        52f47415c7e94c764aa31e890ca14f84997e167a

        SHA256

        2fb13e1ce38ae5718138e1acb8ffa582c99e15615ef280e41db4db150d40b634

        SHA512

        ebe396a0f9fbe617adfaf347eccfac1c084c5390476a3376dd8c74d3d6729b8b83f312659e67357e68e4cdddb3a9757aff9a015330887ea1f349abb59ed115fe

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\50985ad414bd80273788a2f1a0249e090332520e2882695edfbff01c88885242.exe.exe
        Filesize

        544KB

        MD5

        9a1dd1d96481d61934dcc2d568971d06

        SHA1

        f136ef9bf8bd2fc753292fb5b7cf173a22675fb3

        SHA256

        8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525

        SHA512

        7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        27KB

        MD5

        8e96c0ef0db96d026f71e9d837cb489a

        SHA1

        bf5bedca58917d7b42d0dee51eafa3af0bb599f5

        SHA256

        da4cea5c23067fd57a490a921977092819eae3f24ed6f59226f2ccc5e763ddb2

        SHA512

        a0896617bf0f1ed2155440e1c94dfa4bc8d0776271a468472feebbba9683cd0c70e15fa39940161f5a486ec0d59488c1f2d30044416e39d011ec24808a344b7f

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-1506706701-1246725540-2219210854-1000\_desktop.ini
        Filesize

        9B

        MD5

        1368e4d784ef82633de86fa6bc6e37f9

        SHA1

        77c7384e886b27647bb4f2fd364e7947e7b6abc6

        SHA256

        57507bed6cf91d70e66bd4cc287634889ef30b648cb7c44a4edec0e2cb68b772

        SHA512

        3cb7168e776eb564768e30eba43174014a85108ab306a7c07a1522fb42173c381a5bff9ac10944fd345dd5308061cbe2878c60d1e878f8768281c1adcf5dd85b

        Download Submit

      • memory/588-96-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/588-31-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/588-38-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/588-44-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/588-90-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/588-663-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/588-1873-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/588-2447-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/588-3333-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/588-21-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1188-29-0x0000000002500000-0x0000000002501000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2220-0-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/2220-16-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download