Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

47a3c9fcb4...34.exe

windows7-x64

7

47a3c9fcb4...34.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/09/2024, 04:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    47a3c9fcb4a059cf7ef91367307b86ce502550c03f7d64b18f6a7afdb6c5c834.exe

  • Size

    577KB

  • MD5

    c5a3b44ea543351c4ed6f327c16cfb0a

  • SHA1

    a9efb7b530f6c7d796fe4af7b1f88919cc2d3787

  • SHA256

    47a3c9fcb4a059cf7ef91367307b86ce502550c03f7d64b18f6a7afdb6c5c834

  • SHA512

    83921fc1464610c6ea640505ba9a797d07815a57e676af5b803ac8de17fa9fb274b88fd90f9674c258c6b0ee4a603b925fed0c16e495a3eef25f9f6909387f8f

  • SSDEEP

    6144:RVuJTI79NH//QYLq2wNf2lGEz9QqSkZf6UD:eIrH//Q12Un69QhkZT

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3428
      • C:\Users\Admin\AppData\Local\Temp\47a3c9fcb4a059cf7ef91367307b86ce502550c03f7d64b18f6a7afdb6c5c834.exe
        "C:\Users\Admin\AppData\Local\Temp\47a3c9fcb4a059cf7ef91367307b86ce502550c03f7d64b18f6a7afdb6c5c834.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4040
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9D69.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:556
          • C:\Users\Admin\AppData\Local\Temp\47a3c9fcb4a059cf7ef91367307b86ce502550c03f7d64b18f6a7afdb6c5c834.exe
            "C:\Users\Admin\AppData\Local\Temp\47a3c9fcb4a059cf7ef91367307b86ce502550c03f7d64b18f6a7afdb6c5c834.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3800
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
              dw20.exe -x -s 800
              5⤵
              • System Location Discovery: System Language Discovery
              • Checks processor information in registry
              • Enumerates system info in registry
              • Suspicious use of AdjustPrivilegeToken
              PID:4568
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1300
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2992
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:4152

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
      Filesize

      247KB

      MD5

      3b459cf28009f8014dcbfb0aa20f71aa

      SHA1

      a4d986419f714064fa51ddc486dd4390cabd47b3

      SHA256

      e08d5590e834eea2ff47ac3bae016a9ba3adff4d99f7b5b82df8719004c68b84

      SHA512

      046354a0e0af321950c45228618d58b280e00595e34ab9df1b10d38426778146e6e68430583c08f9eff29660fbb1261c03b1d5316297a193fbf9eb9217c50a3f

      Download Submit

    • C:\Program Files\7-Zip\7z.exe
      Filesize

      573KB

      MD5

      3373795262b22368980b33e2b5c567b7

      SHA1

      31b77cfa16c4562c87d4fb9f42a9f00771d397d8

      SHA256

      8c30684a68e87be8087d61bda0eac9322c48d38c563064a6b93bcfc63a77c5be

      SHA512

      5af99e464c8b9b0c2f460d0b30a7aa8cc9d2709e0bbb79e256965f63680d66125ab6a45486e922e9c65611874c98666617c0d80a5b19e22a2372fb219ef9ef60

      Download Submit

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
      Filesize

      639KB

      MD5

      cda7714d2ec36fbd5dfd358b3cc885ce

      SHA1

      410c57ed71630d168738f40cea3ccc65529b0ae1

      SHA256

      d2c7832ddb52cfbb750dfffae048fd9c6a9cf06a52b7de91a0be255dffadef4e

      SHA512

      89cc9f52ae02711a9f90f2ba8e6b62c8ac442b967903067e1f3c5c12ff3ca012b62b8af4e4e7c3762b4c3ee255826b509fdb064c0d2861a2c2953a02c4fc1714

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$a9D69.bat
      Filesize

      722B

      MD5

      2f9ff7875ce75de2148f705881a2f3f7

      SHA1

      95007d122ec1a5e5b8a921069cd2d29eb4e3d432

      SHA256

      2c6de0073214208a8c6a8c6cfbcb72d0b25dc8f01884d59361608fa663303483

      SHA512

      41d6c095152d17696d5036c18c687d2145ef5a61e6e257469500400c8cee0a6be3c3c65eacf9c15898a4d8984150d83ff1cbbf2e673d01061e0871fcdc907ce9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\47a3c9fcb4a059cf7ef91367307b86ce502550c03f7d64b18f6a7afdb6c5c834.exe.exe
      Filesize

      548KB

      MD5

      99f5ad280275b636ca54950ef479e41f

      SHA1

      5b3444cee5ba2eedbf176557ef80bc3be9f2e612

      SHA256

      0da0e49fb3d4e6861a71466def49924841a478ab3d1798730f51b2c6421c20b2

      SHA512

      22ed742d47ce75e11b49af8aaa7e8ff98e36d41ae9c58563d5f3cd23d29e1a5833a887ad0487ad6715e23fcae506db0f9421263b5431fdcbffb3b6cd7e15d4d3

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      29KB

      MD5

      e60d42b1d6a0f2cad24978c2b6d1f97b

      SHA1

      475ffcfa24cc1592f4df365e812de3cc9b7fab1e

      SHA256

      0659547e92dee1b004fe2e5892411d4b6aa740a76fc0830f968b75527c1a5b55

      SHA512

      fa2ca1553e4351657355646090a4ee23a14e3c68f01516aff097f9b119736205f5dde54630f0dd141ec8eaf8e5f4e4c08e8989801863b14879043b715838b25d

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-355097885-2402257403-2971294179-1000\_desktop.ini
      Filesize

      8B

      MD5

      646a1be8fae9210cfba53ee1aab14c96

      SHA1

      8677ff347131a9c8304f10b48012ebd8b075030c

      SHA256

      660d57a3dc71884e70a9cbd6ca26d02872f4706abeb098c6d35f6b217462edf5

      SHA512

      812b716a422628d486a4c78c66a85c641f13976537fbd452e14fab9a6c440b442632df04de8437c485c9c8164e3b3499201d3dbe681b36fe6bec749df1ab75e4

      Download Submit

    • memory/1300-1245-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1300-92-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1300-5248-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1300-30-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1300-4803-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1300-38-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1300-44-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1300-48-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1300-8-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3800-20-0x0000000074690000-0x0000000074C41000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3800-21-0x0000000074690000-0x0000000074C41000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3800-19-0x0000000074692000-0x0000000074693000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3800-28-0x0000000074690000-0x0000000074C41000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4040-0-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/4040-11-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download