Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    27/07/2024, 09:05

General

  • Target

    bdc3eee5d021b20f8def7ff2bf0355daf38dded2aefa3fd8250401d11613b8f7.exe

  • Size

    398KB

  • MD5

    ca4eef83512d0a2704a0146c7dcc8a92

  • SHA1

    bb6b28582da7a1661fdbb0ec026b2c2919fd84ba

  • SHA256

    bdc3eee5d021b20f8def7ff2bf0355daf38dded2aefa3fd8250401d11613b8f7

  • SHA512

    362457b3a2d89015ec34a181af95442eed8eb43ff6ebe4e8b66a38c36c01991af62c84b7494c936d85cf031548e5ae1aafba55ea8b67a8955aabea64c20e2372

  • SSDEEP

    12288:x7+iY+evpFV5DJhzAtUskJ0eZHQ2ksAKNeiQ30blG:x76HVnkszNerEk

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1188
      • C:\Users\Admin\AppData\Local\Temp\bdc3eee5d021b20f8def7ff2bf0355daf38dded2aefa3fd8250401d11613b8f7.exe
        "C:\Users\Admin\AppData\Local\Temp\bdc3eee5d021b20f8def7ff2bf0355daf38dded2aefa3fd8250401d11613b8f7.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2544
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a98F5.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1792
          • C:\Users\Admin\AppData\Local\Temp\bdc3eee5d021b20f8def7ff2bf0355daf38dded2aefa3fd8250401d11613b8f7.exe
            "C:\Users\Admin\AppData\Local\Temp\bdc3eee5d021b20f8def7ff2bf0355daf38dded2aefa3fd8250401d11613b8f7.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2748
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2236
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2756
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2768

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

      Filesize

      251KB

      MD5

      3f9d951f006c9e4eb9951ce307b1154b

      SHA1

      b28c6e9e4d8fe8ff3c5c386d7046f1c1287f6d56

      SHA256

      1c3c896c3005c00cca13630a5e1c42da1f486be098cf7b24bf04b91c1285c564

      SHA512

      11e163e794a3542b98a5e8cb7903dbd5880f79a812502319f07a279ac3a6bb3cce5d20b6e32dbce81e290c0a0d57ad085a2db80622677c3827324fb7c9c987ee

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

      Filesize

      471KB

      MD5

      4cfdb20b04aa239d6f9e83084d5d0a77

      SHA1

      f22863e04cc1fd4435f785993ede165bd8245ac6

      SHA256

      30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

      SHA512

      35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

    • C:\Users\Admin\AppData\Local\Temp\$$a98F5.bat

      Filesize

      722B

      MD5

      76d472f2865dc5d2630ba885b69ab814

      SHA1

      65930959cd7edd96c994d28c59b6bbbd384d1732

      SHA256

      db4f98c17423b6915c16b63ca9560709acdfbcd69027cbf0f1bb40efda2f77bd

      SHA512

      6aefe1636d56c4966a755400383ca59d75cc50e13ffd46c89b8767b44efcfca2db7b256cf6724f6f957075a85ffe6542712c43f7a03172a11f5fbcc536f671c1

    • C:\Users\Admin\AppData\Local\Temp\bdc3eee5d021b20f8def7ff2bf0355daf38dded2aefa3fd8250401d11613b8f7.exe.exe

      Filesize

      372KB

      MD5

      6da7293f38e94cb996573701b304c023

      SHA1

      1138423f6c20051813861da57dbd1d801d45a1a9

      SHA256

      e08a1fd51eb282da8bb1d62f441b9dc1c908dfe48681a53340b0bf4dab2dcd7a

      SHA512

      4642994096d39f226ffa5c9a5d53b8b82fdf507dffe2f23573e4c96b76d5893416e7741245f43cb96e2f1e59b0829b2b81c5bb19caefd1bb3de49ec4821fe407

    • C:\Windows\rundl132.exe

      Filesize

      26KB

      MD5

      299f200b35bb4d4b2806d2126f9adaf0

      SHA1

      d79612590eabd0b56be89ac3df76ff2070e44681

      SHA256

      6f659314234895b3f36d86958d115025e5151bb5f3eb05a7c86a91aa15a3fa82

      SHA512

      5c40e2692cbe3b33f27d8281a4fc5d1069de84964cdae28d6986145e39d66be9751eee147874ab359768e3d33a58053b4ef8ff90fb63326131555d8c3ae58eb8

    • F:\$RECYCLE.BIN\S-1-5-21-3450744190-3404161390-554719085-1000\_desktop.ini

      Filesize

      9B

      MD5

      26a799e5457b5e8836d7b58e5787f437

      SHA1

      7dc33652947afbe41d930e2a928dbd2f2e23e983

      SHA256

      a6038a34fb7a4cafee0fabca96d108d7ffbb35832abfa12290467dea3360e00f

      SHA512

      03d1a024d878a4021e38dfda03c8b8941640dd7f580a85b9045c1b421df3c32925d1bd9d3818983eb4987a6ac18fb88d368f7f712a9095a089657299c233095e

    • memory/1188-31-0x0000000002570000-0x0000000002571000-memory.dmp

      Filesize

      4KB

    • memory/2236-99-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/2236-34-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/2236-41-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/2236-47-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/2236-93-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/2236-765-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/2236-1877-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/2236-2940-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/2236-3337-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/2236-18-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/2544-0-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/2544-16-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB