Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/08/2024, 05:10

General

  • Target

    fc92f1389ff0310b0eaa65b44c55129947c857f036ec724d779663019ef8ff40.exe

  • Size

    364KB

  • MD5

    25dd2deac477c00307be4e35fe36d16a

  • SHA1

    6cbf31d3f76282c7bebf245608cf52857fbe4b0d

  • SHA256

    fc92f1389ff0310b0eaa65b44c55129947c857f036ec724d779663019ef8ff40

  • SHA512

    e5a545859036dd3617cfc013d72e4d267d3a9c4e303d0fa7c7010c34b0e97266c88549f3f0e2a0de4aa1194be21927084571cd8492dd0258227107aef40ee69f

  • SSDEEP

    6144:tCuJPzU66bkWmchVySqkvAH3qo0wWJC6G/SMT4FWqC:1U66b5zhVymA/XSRh

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1208
      • C:\Users\Admin\AppData\Local\Temp\fc92f1389ff0310b0eaa65b44c55129947c857f036ec724d779663019ef8ff40.exe
        "C:\Users\Admin\AppData\Local\Temp\fc92f1389ff0310b0eaa65b44c55129947c857f036ec724d779663019ef8ff40.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2900
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aC513.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2300
          • C:\Users\Admin\AppData\Local\Temp\fc92f1389ff0310b0eaa65b44c55129947c857f036ec724d779663019ef8ff40.exe
            "C:\Users\Admin\AppData\Local\Temp\fc92f1389ff0310b0eaa65b44c55129947c857f036ec724d779663019ef8ff40.exe"
            4⤵
            • Executes dropped EXE
            PID:2704
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2116
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2492
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2716

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

      Filesize

      254KB

      MD5

      13ab6f992499a26f664246ba9e6aa42b

      SHA1

      6f66a0e0c2a6b0c4d8ce6cae440390ec57b4122f

      SHA256

      674a8940e5dedbcbd1ef3cb161df118cc5341fad90c8f0932e1da0894e363588

      SHA512

      ee0702bc750ba4af65155435202aa2a2b411df32c4ad9216489dd85b645cb5113b1a9ad08a70af3eb0e94c889dc508caf251a53b9240aa79c66ae116226be886

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

      Filesize

      474KB

      MD5

      6eabc463f8025a7e6e65f38cba22f126

      SHA1

      3e430ee5ec01c5509ed750b88d3473e7990dfe95

      SHA256

      cc8da3ecd355b519d81415d279ed037c725ba221bf323d250aa92ee2b2b88ca7

      SHA512

      c8fde7026ac8633403bbefee4b044457184388fb7343d8c46f5f7f272724227976bf485ea91da49e2a85dd0cfb73f260ac705d8007333dd3e5539fe5ed67e3ab

    • C:\Users\Admin\AppData\Local\Temp\$$aC513.bat

      Filesize

      722B

      MD5

      d2d9744d1fb5d4968af8820bca632e24

      SHA1

      9ff1d09e39a71c1046759ca1e8427507e68a6d21

      SHA256

      c8daa1a0c41d2fcbc713ab749eeae8421a78809b289db18d4b651f206851917e

      SHA512

      fec6bc4428807682d8472705e78368a91bf8d01c7e3e6780c427708d51c90fefa0deb0958b21b8ff4befbd4324a2cb698866da6ec410fe0d3abcbc89fd686cec

    • C:\Users\Admin\AppData\Local\Temp\fc92f1389ff0310b0eaa65b44c55129947c857f036ec724d779663019ef8ff40.exe.exe

      Filesize

      335KB

      MD5

      40ac62c087648ccc2c58dae066d34c98

      SHA1

      0e87efb6ddfe59e534ea9e829cad35be8563e5f7

      SHA256

      482c4c1562490e164d5f17990253373691aa5eab55a81c7f890fe9583a9ea916

      SHA512

      0c1ff13ff88409d54fee2ceb07fe65135ce2a9aa6f8da51ac0158abb2cfbb3a898ef26f476931986f1367622f21a7c0b0e742d0f4de8be6e215596b0d88c518f

    • C:\Windows\rundl132.exe

      Filesize

      29KB

      MD5

      c64b5702b462a9345363255cd38a3788

      SHA1

      9b6b6e857e544e61ee783065926c92d48337f0ce

      SHA256

      16c685475090f9e09f57bb8836c127fb02a08926f76779de941fad5d6305f825

      SHA512

      26c0c862561e1521891ee018bec7e128578343b2bc0e3471b87c5ef536e235c7ac9665c3ba84f9e0b9b206d3fae859ebefb1fd373123e0ee31b670e9bbe73836

    • F:\$RECYCLE.BIN\S-1-5-21-3434294380-2554721341-1919518612-1000\_desktop.ini

      Filesize

      8B

      MD5

      fcbaf0a2c3988ef775359f94d545ab42

      SHA1

      174ccd98ff87b8e6f46eebc493f379beafeb3b08

      SHA256

      895aaa8dac57f2bb76ddc8c2681e0480bf57dbf3f62cda3840cb448b8615612f

      SHA512

      7c81b6445708b1c482599bfb808e90462d6111e885691dd947d9cdf95ba028d580b20027575814a310a81f310261b649792b65153ce43063da063b5005561d20

    • memory/1208-29-0x0000000002590000-0x0000000002591000-memory.dmp

      Filesize

      4KB

    • memory/2116-96-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/2116-31-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/2116-38-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/2116-44-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/2116-90-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/2116-475-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/2116-1873-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/2116-3333-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/2116-18-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/2900-0-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/2900-16-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB