Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/09/2024, 09:55

General

  • Target

    1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe

  • Size

    1.3MB

  • MD5

    a61cfc6c4c203311d43ab8b08cd3f087

  • SHA1

    25133ed1bb80ccf9f17b60e09e14de6a79c7b1f2

  • SHA256

    1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe

  • SHA512

    66416012e51dce8be66150d0213c8edf5c51c3783cea4c0ee6443178aeaf445bf7d5ea82f83dd920b8e1b65a9dc4e20638ed1ce769913fda40b6cf592b43791c

  • SSDEEP

    24576:M79OdZfkO6+EFFKBqM8C9uU0N4ryz4EAX6pipxX6:M79wEoUZ5N4rREAX64pxX6

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3472
      • C:\Users\Admin\AppData\Local\Temp\1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe
        "C:\Users\Admin\AppData\Local\Temp\1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3880
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB258.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3680
          • C:\Users\Admin\AppData\Local\Temp\1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe
            "C:\Users\Admin\AppData\Local\Temp\1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:4572
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:404
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4112
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:4756

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

      Filesize

      244KB

      MD5

      eda97e2bff8a53be06025304152892c1

      SHA1

      7acc3b17f6c62690f42519ee9dc4706221165f67

      SHA256

      52277041a1ae6cb4ddf4e0db7d1e8239b5d93cdc5930941c3904a2b5999609d7

      SHA512

      e2daca195d81fa8a9a44ce4f338650b641a9459ad2e4612cd0bb53ccdee3d2f326eba3cdf216fcdd983aa936eb6f22165b7d2c3ac0ac876cd5205406b3bad0f1

    • C:\Program Files\7-Zip\7z.exe

      Filesize

      570KB

      MD5

      ce7e43d72e4a3de460ea0c3c25d52c72

      SHA1

      16781c2100cb6095607fbe18c69ce30c3d2a6786

      SHA256

      d14f142663a8442e596ce805c3d1b694a9caf9db7f9d8174f5c9251c45957661

      SHA512

      c50b9b37c31a3316cbfad52089497e6770980259c7600dded7ebaa25894c20fa6614bc75a009dcb8b7b603e03662244b4121e0d9771ce8bf8ff06e48ae3d355c

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

      Filesize

      636KB

      MD5

      82168b5f40194e6e86457c2b534cfc21

      SHA1

      3e2702a384a03243e98ee6866e09f6d5df9b5de5

      SHA256

      c2f452c90356d0070c71ce17da69c4245dc24f46e1215eca22748567e48279d9

      SHA512

      6d041166b41e4608aa46b1724322a22d49e5d709f4b1bf89d2c6819282a813c88cd74ba6167f337d4d36a741ae53830b04e58e92fbfc597f85cd7f763284c774

    • C:\Users\Admin\AppData\Local\Temp\$$aB258.bat

      Filesize

      722B

      MD5

      6b5d9a03cacd4426229e98e76b3574b9

      SHA1

      14479ace9950be1c3bdf289e1cf554a873df8cc1

      SHA256

      14680f0c4c9af7ca2cd23e6c69933b1c46ebe23b5b9a430424a72040eb66d5ce

      SHA512

      59929dd2c5da4ee5b5bf406d5bf1b4f4721424cd985f85bf8350a5c45ff62c64587bc041a23eef75355ab76f9ee8a8a7cf1654253f10fd9d27683e19ba9c50ee

    • C:\Users\Admin\AppData\Local\Temp\1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe.exe

      Filesize

      1.3MB

      MD5

      ce73e5b504434e95869a276c0b908a6e

      SHA1

      abadfe6f48fcbca375021b34bd7483bb6428b699

      SHA256

      6bf251b9615a53f84b2ecbd19f146b8b977aae3bc6a7abadfefe30eca6ec64e2

      SHA512

      395066d444ef8bdb9d6bfb56e729b75517855ec5e8ec123e2f0fd6d4994aa26b126dc5f6c733767880063c599d270c9e26499f2d41fd2eef9062127bbaffc2ad

    • C:\Windows\Logo1_.exe

      Filesize

      26KB

      MD5

      dd889a3e0c7516d8e3ba89a8b6b98232

      SHA1

      5a7733c34782590a34e9931221cdf8654c3e465e

      SHA256

      21af4733e7b12937ef11a44607a9dbe649d6ab3af8b296eef08f0a42c4802f2f

      SHA512

      a9ce858ca0b5972bcdadf3bc06dd6fcc323cd0178dc2a24949f736b947832de0a629a7f63a171823377d49e391fc8beb5f0d9b73358ac931c8273d8e3cfbf266

    • F:\$RECYCLE.BIN\S-1-5-21-2392887640-1187051047-2909758433-1000\_desktop.ini

      Filesize

      8B

      MD5

      646a1be8fae9210cfba53ee1aab14c96

      SHA1

      8677ff347131a9c8304f10b48012ebd8b075030c

      SHA256

      660d57a3dc71884e70a9cbd6ca26d02872f4706abeb098c6d35f6b217462edf5

      SHA512

      812b716a422628d486a4c78c66a85c641f13976537fbd452e14fab9a6c440b442632df04de8437c485c9c8164e3b3499201d3dbe681b36fe6bec749df1ab75e4

    • memory/404-28-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/404-34-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/404-38-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/404-21-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/404-620-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/404-1235-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/404-4792-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/404-8-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/404-5237-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3880-0-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3880-11-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB