Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

443edd4fc2...19.exe

windows7-x64

7

443edd4fc2...19.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    01/08/2024, 22:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    443edd4fc269c02a56b2b7e0c00c601c40b0cc211ea50b6c1d92837e4c4fb319.exe

  • Size

    183KB

  • MD5

    68b23c7a625878dc787c9a4c2b50dbc4

  • SHA1

    716904640829aa71e3db077d32fda9f35d291d77

  • SHA256

    443edd4fc269c02a56b2b7e0c00c601c40b0cc211ea50b6c1d92837e4c4fb319

  • SHA512

    f0c9778c5fc1f559123e85f35cca16bf1f98ce9b12f1ef6b25ff97c0d732baf101a9b402b120b60bcbc0827b074f4b0be6ad93fa163c804b72a6752eb9784e40

  • SSDEEP

    3072:bKftffjmNAwLEVbLoEZlKk7611VBzNkDqrB5bGEAd9/E3e7IFxt:bKVfjmNARuk7611VBzhEEu83n

Score
7/10
discovery

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1212
      • C:\Users\Admin\AppData\Local\Temp\443edd4fc269c02a56b2b7e0c00c601c40b0cc211ea50b6c1d92837e4c4fb319.exe
        "C:\Users\Admin\AppData\Local\Temp\443edd4fc269c02a56b2b7e0c00c601c40b0cc211ea50b6c1d92837e4c4fb319.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2552
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD1FF.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2556
          • C:\Users\Admin\AppData\Local\Temp\443edd4fc269c02a56b2b7e0c00c601c40b0cc211ea50b6c1d92837e4c4fb319.exe
            "C:\Users\Admin\AppData\Local\Temp\443edd4fc269c02a56b2b7e0c00c601c40b0cc211ea50b6c1d92837e4c4fb319.exe"
            4⤵
            • Executes dropped EXE
            PID:2196
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2396
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2408
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2812

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
      Filesize

      251KB

      MD5

      3c38b343d23eab2e5cc6ed8750662c3b

      SHA1

      3dcf797905c786d346497c2b8968c6856e843193

      SHA256

      ee4eec41f7b49e2c8fa96044fcb4bb8ca9f6a1f73c1f1f5f10ef2523a35192c1

      SHA512

      e1318550c57ade3ae0a8d597674472d91ad50a2bd97ae6d0a0f282cf43cdd6a6986e4cf76ad9b11e97dbecb10cb3ad9c03da3e5b8d02effd141eda3c189ec0e0

      Download Submit

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
      Filesize

      471KB

      MD5

      4cfdb20b04aa239d6f9e83084d5d0a77

      SHA1

      f22863e04cc1fd4435f785993ede165bd8245ac6

      SHA256

      30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

      SHA512

      35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$aD1FF.bat
      Filesize

      722B

      MD5

      6bf69189311060fe05535330de8b8cf3

      SHA1

      dacd4379dd2cef9822bc1ec1f40c04bf6a14f62a

      SHA256

      17a321417061df86ccdbfc68881de97ba7c42080ca75f30ed7cf7dc7e50f576a

      SHA512

      cf4e16dd70f7730f01eb9c5ddc1000052a46827d7f0dd9610b8c7590f86f402a371aac12a738b12b59e531f58b83bee0671445afb3ceb95da4f4178ff73019ee

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\443edd4fc269c02a56b2b7e0c00c601c40b0cc211ea50b6c1d92837e4c4fb319.exe.exe
      Filesize

      156KB

      MD5

      bc85df197807ca7bf4db6dc95d880eda

      SHA1

      de6968c16941cd9e61bee24fb18597c775ef3e44

      SHA256

      38284cf5dcb2fc6b523feb1f5f74988a264ab25ca86ab303f34ae3ac338e1879

      SHA512

      f89ab64fa49702acb91d514f13921e53cf31dde007457f6dd3fd8ff02ef9a602802bf8742ebeab9ad6cc8a26c716de58294d5ca937921244fe9c671a0c17b256

      Download Submit

    • C:\Windows\rundl132.exe
      Filesize

      26KB

      MD5

      013b3ba135ea23f5d8c21d3bca2be7af

      SHA1

      ce56fde9f0f8aa0c28fd14ebe2e6c90b3f659993

      SHA256

      5846917027617f7167fdf3f71d0aaefc2f66cdedd36b98c227b40d337af7cf69

      SHA512

      f9e7c8b6db1cdb04b748420bc92ec1b3d543edbeddba1c7e321faefc3fa7275e2a12fd9566a3ba698453c14ac14a748f46e320b725e388028d79617238b94c05

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-3294248377-1418901787-4083263181-1000\_desktop.ini
      Filesize

      8B

      MD5

      34f94fcbc939d25f54e986fe97a87522

      SHA1

      dcde2a11c5631b5dbd93ce97e503d0ff42a6f341

      SHA256

      47f454cb045cab0f9ee28683942faddf984b88986cb761e4caa639f91ac4cdd7

      SHA512

      aad5abbdc495f19e0997d67d3daad417eb18f3e3061de2515d3870cc6c2c417aef366de938c8c98d3b62b81ec44f5a16e1227118e28b4624c99b2c1546e1c678

      Download Submit

    • memory/1212-28-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2396-37-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2396-30-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2396-43-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2396-89-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2396-95-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2396-729-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2396-1872-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2396-2489-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2396-3332-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2396-17-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2552-15-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download