Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

2a1ef429ec...2b.exe

windows7-x64

7

2a1ef429ec...2b.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/08/2024, 07:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2a1ef429eca43e724324e8351825255ac86cac29b6fc972bb82743620b47382b.exe

  • Size

    1.1MB

  • MD5

    5a8018168c71b8f6e85458bfe043ca52

  • SHA1

    e81d346c4584f7574bc9bbeafaff81dad805e45f

  • SHA256

    2a1ef429eca43e724324e8351825255ac86cac29b6fc972bb82743620b47382b

  • SHA512

    4871a70e741ac705dfd729c873b9dd5d102fe6f1c886187adabe6c021bc0aab52456e29da6d1770092cc7cdb3d97464ee50a6f73b57e10c2a5a04790cfbe22d0

  • SSDEEP

    12288:q/S88rXg+wb1EI/QCmhfxl9QR12OAQHwV6V4:28jg+waI/Q/hpleR12O/

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3488
      • C:\Users\Admin\AppData\Local\Temp\2a1ef429eca43e724324e8351825255ac86cac29b6fc972bb82743620b47382b.exe
        "C:\Users\Admin\AppData\Local\Temp\2a1ef429eca43e724324e8351825255ac86cac29b6fc972bb82743620b47382b.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3924
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a77D0.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4040
          • C:\Users\Admin\AppData\Local\Temp\2a1ef429eca43e724324e8351825255ac86cac29b6fc972bb82743620b47382b.exe
            "C:\Users\Admin\AppData\Local\Temp\2a1ef429eca43e724324e8351825255ac86cac29b6fc972bb82743620b47382b.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4016
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
              dw20.exe -x -s 808
              5⤵
              • System Location Discovery: System Language Discovery
              • Checks processor information in registry
              • Enumerates system info in registry
              • Suspicious use of AdjustPrivilegeToken
              PID:3948
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3968
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4632
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:5108

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
      Filesize

      247KB

      MD5

      e440b5bbbbcce84e067fd7e5ea90ab24

      SHA1

      b1479b7652e9775e459133e69e0f9b90a1b2a785

      SHA256

      a8480343324ee591d772de83c6d956258cb7d37c505b9155e9a7aef4df5aa3ff

      SHA512

      e28e2546486cbb1b59b4ab93a5d8a202e6d6eab8cbfa4e96b3436694a47a5b9e7628b55eb473be19d16ecd751ac81b7a4a622f598ee81e2275b7c9a7a7582e20

      Download Submit

    • C:\Program Files\7-Zip\7z.exe
      Filesize

      573KB

      MD5

      2ab6e8b7aab48ca2c3ce6355d99e0412

      SHA1

      0497cb4608490d89e0d6d142fec80495041aa79c

      SHA256

      7fc89158149be43ce900c001fa51b3136f604268cab2e249a51b2d51aca30d15

      SHA512

      77db9d50da415b7d632b350df9dfe3d0de67bb33ca9cacba81531be1c32fdf72a87bbfe0aa18d222abff4c613326d81d3682a3c6065c91ba4c358e039ae74b08

      Download Submit

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
      Filesize

      639KB

      MD5

      ad5a7e5eb1a1cdd791957e07c93748ae

      SHA1

      6e4f8c5f4d791327e11d0d68ca6f514554af8481

      SHA256

      cfee92d916fbbb95d8282c3264d3708ad1ddfdd9db4daaf00e0c96a22854c4dc

      SHA512

      a8acd191aec48dac8d5808a93ee973ea52793140e318b4d870fb10e4e8ba0756fe95654134dd1c175168375a0f7caebfd8a7d46a9b3dc71006f830b53dd9fefe

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$a77D0.bat
      Filesize

      722B

      MD5

      29a14de96a5e5798a8d8851fa99fee86

      SHA1

      471d2e3db0948e5e8138ef790ba7edc3eb58515c

      SHA256

      d94ce97126e74836d344a80411a19a0499edb68a34fe510042f635a06d244997

      SHA512

      a0175b4ecd502e6ef1196fa670ac97b397e489554b4758db09edf22527240b8c772aa5c1e9ea649d2a58f8dee1fb5e60c87e821dee84a62ee53d6dc96e38b52a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\2a1ef429eca43e724324e8351825255ac86cac29b6fc972bb82743620b47382b.exe.exe
      Filesize

      1.1MB

      MD5

      aea8a93c9b6c176ad19580c0a9e5b480

      SHA1

      c0d71d5fef8257837a0f1ce4867755416484a05a

      SHA256

      4a27a6824e34a250a350d42461e0768e306f908cb8e5a2faf3e2eae22d218c25

      SHA512

      c539a02963e5aa3aaa453ce1c14b9e92cbf079f9f5ee593cc653192f57aed2dd05fe6c221fc53d633e45bdca4a879cc0175b4bb349c7b89126bbedb1059fe033

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      29KB

      MD5

      e204efa82c4df71160c451caec4787e5

      SHA1

      e56ddb6d0afdb9aa1bf4808765b25cf4a2fdc279

      SHA256

      4ff7272e95a79354eb6d72c784593bd6a0820fe9e512ff176a51fef8929b5bd9

      SHA512

      6ee14cc010de5b04eee707242a6f4471739cc62bf86a332d5c0e90f15a778fe2ef1d8e1bf7f86a603cbf00fa8e302c09f533f837f5d67f62743396074ed030c9

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-2412658365-3084825385-3340777666-1000\_desktop.ini
      Filesize

      9B

      MD5

      fa81249b1f991386d1e1de2a5a03499e

      SHA1

      70e9b6e238a42e7472c1f5f2f4ea3f86f8352185

      SHA256

      5421d45a710074ffe77329c2300e528ce8feceb0748aacbd89ef2ed0aae5a87f

      SHA512

      bc652d20db7ab6bde42b15f5639c2b36e000179c232c4b9e3e218e670b93a6d7b73530b3bd6fdfca5d61c5a578c1e7508fb97f9bffdfa17dff214359b094e409

      Download Submit

    • memory/3924-10-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3924-0-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3968-1244-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3968-1077-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3968-5247-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3968-37-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3968-43-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3968-47-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3968-11-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3968-30-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3968-4802-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3968-2048-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/4016-20-0x0000000074820000-0x0000000074DD1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4016-21-0x0000000074820000-0x0000000074DD1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4016-19-0x0000000074822000-0x0000000074823000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4016-28-0x0000000074820000-0x0000000074DD1000-memory.dmp

      Filesize

      5.7MB

      Download