Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

2a1ef429ec...2b.exe

windows7-x64

7

2a1ef429ec...2b.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    14/08/2024, 07:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2a1ef429eca43e724324e8351825255ac86cac29b6fc972bb82743620b47382b.exe

  • Size

    1.1MB

  • MD5

    5a8018168c71b8f6e85458bfe043ca52

  • SHA1

    e81d346c4584f7574bc9bbeafaff81dad805e45f

  • SHA256

    2a1ef429eca43e724324e8351825255ac86cac29b6fc972bb82743620b47382b

  • SHA512

    4871a70e741ac705dfd729c873b9dd5d102fe6f1c886187adabe6c021bc0aab52456e29da6d1770092cc7cdb3d97464ee50a6f73b57e10c2a5a04790cfbe22d0

  • SSDEEP

    12288:q/S88rXg+wb1EI/QCmhfxl9QR12OAQHwV6V4:28jg+waI/Q/hpleR12O/

Score
7/10
discovery

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1340
      • C:\Users\Admin\AppData\Local\Temp\2a1ef429eca43e724324e8351825255ac86cac29b6fc972bb82743620b47382b.exe
        "C:\Users\Admin\AppData\Local\Temp\2a1ef429eca43e724324e8351825255ac86cac29b6fc972bb82743620b47382b.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2192
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1C38.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2272
          • C:\Users\Admin\AppData\Local\Temp\2a1ef429eca43e724324e8351825255ac86cac29b6fc972bb82743620b47382b.exe
            "C:\Users\Admin\AppData\Local\Temp\2a1ef429eca43e724324e8351825255ac86cac29b6fc972bb82743620b47382b.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1916
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
              dw20.exe -x -s 416
              5⤵
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              PID:2920
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2584
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1720
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2660

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
      Filesize

      254KB

      MD5

      586340b58f02ffb1b754d46c776ecaa9

      SHA1

      d860ee44aedafb70befe321b936c5eba49dbdda3

      SHA256

      3f2a34592999a9ed095c898b45cb55f54712ed0486bda1f3bb54ae798516639b

      SHA512

      8c3b824fa1462406a81f60ffaa1ff8f517d3d0503e6653eee5b1d5f312ee0e13d2b9d2767f5b1f3f8644f28e5c40da1956a781551752c056332ed76ef62dbe58

      Download Submit

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
      Filesize

      474KB

      MD5

      c14a5111b798cff20d7d66b0e035d409

      SHA1

      29f0894552b30815fed6ad231b5721e876869552

      SHA256

      fd6f57dc1b82f6301cbecbf9db5728a9a69b10e3edbf4f8a1dfef571c77a6cb6

      SHA512

      a4d8b74216c76fa3d48ab7300452725602bc6d5bcc0e6c23d458d65362cd24751f23755180ae69633090b172e95f18f225c0cb4a71dd1e050d8b3dff466e7f1b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$a1C38.bat
      Filesize

      722B

      MD5

      a51f0bfb5fccfd09c854d32a9e28eb5a

      SHA1

      46d7ac7620ba8e08c47c41b3f7cc4ff760a84570

      SHA256

      bd50d1362f3109b00c839ca5b4454267881821eaa156d15c868e7d4d0d9de9f3

      SHA512

      557fb3e07c36ab5d6d145fbb2694293e63c5e2a16116d75c3e480b12a9431164c602d048d5814c3102bbd6d2224dfb225db28dd6acccaa81df563bd46670982a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\2a1ef429eca43e724324e8351825255ac86cac29b6fc972bb82743620b47382b.exe.exe
      Filesize

      1.1MB

      MD5

      aea8a93c9b6c176ad19580c0a9e5b480

      SHA1

      c0d71d5fef8257837a0f1ce4867755416484a05a

      SHA256

      4a27a6824e34a250a350d42461e0768e306f908cb8e5a2faf3e2eae22d218c25

      SHA512

      c539a02963e5aa3aaa453ce1c14b9e92cbf079f9f5ee593cc653192f57aed2dd05fe6c221fc53d633e45bdca4a879cc0175b4bb349c7b89126bbedb1059fe033

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      29KB

      MD5

      e204efa82c4df71160c451caec4787e5

      SHA1

      e56ddb6d0afdb9aa1bf4808765b25cf4a2fdc279

      SHA256

      4ff7272e95a79354eb6d72c784593bd6a0820fe9e512ff176a51fef8929b5bd9

      SHA512

      6ee14cc010de5b04eee707242a6f4471739cc62bf86a332d5c0e90f15a778fe2ef1d8e1bf7f86a603cbf00fa8e302c09f533f837f5d67f62743396074ed030c9

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-2212144002-1172735686-1556890956-1000\_desktop.ini
      Filesize

      9B

      MD5

      fa81249b1f991386d1e1de2a5a03499e

      SHA1

      70e9b6e238a42e7472c1f5f2f4ea3f86f8352185

      SHA256

      5421d45a710074ffe77329c2300e528ce8feceb0748aacbd89ef2ed0aae5a87f

      SHA512

      bc652d20db7ab6bde42b15f5639c2b36e000179c232c4b9e3e218e670b93a6d7b73530b3bd6fdfca5d61c5a578c1e7508fb97f9bffdfa17dff214359b094e409

      Download Submit

    • memory/1340-34-0x0000000002A00000-0x0000000002A01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1916-45-0x0000000074BF0000-0x000000007519B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1916-31-0x0000000074BF0000-0x000000007519B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1916-32-0x0000000074BF0000-0x000000007519B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1916-30-0x0000000074BF1000-0x0000000074BF2000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2192-0-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2192-15-0x00000000003A0000-0x00000000003D6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2192-17-0x00000000003A0000-0x00000000003D6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2192-18-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2584-37-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2584-46-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2584-51-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2584-97-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2584-103-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2584-1881-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2584-3341-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download