Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    08/09/2024, 21:20

General

  • Target

    d48ef1f6ee74dcf82cf81b6ff609f63d754b320efd69ae50714f93c446b911b6.exe

  • Size

    570KB

  • MD5

    9f279f3bb96dcf0bdb72b1a52e723336

  • SHA1

    3e209c0396a41a3290c83426f86ae6524861426d

  • SHA256

    d48ef1f6ee74dcf82cf81b6ff609f63d754b320efd69ae50714f93c446b911b6

  • SHA512

    bcc62dd396837318312600afcf425851b77deaf528b1443cded90631f50c612d10d7fd85ea29840e62c38f27dc3d631985ddfd9a286176dffc9353f62c2c5b9d

  • SSDEEP

    6144:wsVfjmNCE7cV3iwbAFRWAbd4nf0H05yqE6Hl0ChW0+ksllAXBu0lWGWUJJQ4t0BE:v7+57a3iwbihym2g7XO3LWUQfh4Co

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\d48ef1f6ee74dcf82cf81b6ff609f63d754b320efd69ae50714f93c446b911b6.exe
        "C:\Users\Admin\AppData\Local\Temp\d48ef1f6ee74dcf82cf81b6ff609f63d754b320efd69ae50714f93c446b911b6.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2156
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aA94A.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2368
          • C:\Users\Admin\AppData\Local\Temp\d48ef1f6ee74dcf82cf81b6ff609f63d754b320efd69ae50714f93c446b911b6.exe
            "C:\Users\Admin\AppData\Local\Temp\d48ef1f6ee74dcf82cf81b6ff609f63d754b320efd69ae50714f93c446b911b6.exe"
            4⤵
            • Executes dropped EXE
            PID:2840
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2492
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2148
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2172

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

      Filesize

      251KB

      MD5

      db63bb344670292cb9d7ef6a65617979

      SHA1

      1b1c0a455a634894ed3dbcf325ea9faeda826aff

      SHA256

      1c417b7bbce3b367b46f4593844703683f5ed97e8978c2b45e611b01daca6dab

      SHA512

      a5f6cb76be3c9009dabca649539fe0cc518edcecfedd1f311df7314b99a6d5ee86450bc1fc1ff48383bff6029282f3fc872693fdd3d91ca669f9bee7a0593c8d

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

      Filesize

      471KB

      MD5

      4cfdb20b04aa239d6f9e83084d5d0a77

      SHA1

      f22863e04cc1fd4435f785993ede165bd8245ac6

      SHA256

      30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

      SHA512

      35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

    • C:\Users\Admin\AppData\Local\Temp\$$aA94A.bat

      Filesize

      722B

      MD5

      7f4bf63227e5f26b7c820ee8be54d3ad

      SHA1

      bba9d05ed1066e26f960c0a2ddae72da0b0c362d

      SHA256

      9424f0540df3aa8da63aa7741214f68606e2d53b4d289625f021c6ad50b395cd

      SHA512

      e33db1fd223dc5b36a5c33f739bbdb04c10bc2449c9c7ee85b4e9943cc6c2ba5614e0c96b149681635b9412cea9c5ec12366691f2106fbc3083c5fc41202ea32

    • C:\Users\Admin\AppData\Local\Temp\d48ef1f6ee74dcf82cf81b6ff609f63d754b320efd69ae50714f93c446b911b6.exe.exe

      Filesize

      544KB

      MD5

      9a1dd1d96481d61934dcc2d568971d06

      SHA1

      f136ef9bf8bd2fc753292fb5b7cf173a22675fb3

      SHA256

      8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525

      SHA512

      7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa

    • C:\Windows\Logo1_.exe

      Filesize

      26KB

      MD5

      f840b7fc997e1545a0af493debb80730

      SHA1

      68d2c2e571748727d05c214028b1de3bea3fce7d

      SHA256

      49a34f007cecef2b47f106a0d40acb46d55602ad1d7bc01e8c0d268cbb6583f5

      SHA512

      2e8c07ec6aefd6194925769847e38b05620efe7249afcdcf24bfe1cdd6e2586efe1cf48ecf4130fe0bdf42fd05aefe8e15fcd23c62897ba7bdf3762fcabd3b72

    • F:\$RECYCLE.BIN\S-1-5-21-312935884-697965778-3955649944-1000\_desktop.ini

      Filesize

      8B

      MD5

      646a1be8fae9210cfba53ee1aab14c96

      SHA1

      8677ff347131a9c8304f10b48012ebd8b075030c

      SHA256

      660d57a3dc71884e70a9cbd6ca26d02872f4706abeb098c6d35f6b217462edf5

      SHA512

      812b716a422628d486a4c78c66a85c641f13976537fbd452e14fab9a6c440b442632df04de8437c485c9c8164e3b3499201d3dbe681b36fe6bec749df1ab75e4

    • memory/1196-29-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

      Filesize

      4KB

    • memory/2156-16-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/2156-0-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/2492-18-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/2492-45-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/2492-91-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/2492-98-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/2492-518-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/2492-1874-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/2492-39-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/2492-3334-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/2492-31-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB