Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

6c6e9a1fc4...21.exe

windows7-x64

7

6c6e9a1fc4...21.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11/09/2024, 13:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6c6e9a1fc4ddd52db20020fe31a673179cb8338e61930dbacd8132a626aa0621.exe

  • Size

    247KB

  • MD5

    15b12da781d4e8b1b5c1436a290819ec

  • SHA1

    33df21ba8a9213e5ef6ebbbb47248ec01c6fae22

  • SHA256

    6c6e9a1fc4ddd52db20020fe31a673179cb8338e61930dbacd8132a626aa0621

  • SHA512

    2052cddf85dbd1d57710b16872a1dd86702b20f95d1ff7ef49bcfacf2b06b0017e26cddc5f9cce42e7de7863c4b33a8ac624ac55fe881f585ccffe39057b3188

  • SSDEEP

    6144:CuJWqml5a6EdkQxiUmRQColKGAOPQK2GwIgfx+qSfF0:/ml5a6EdkQgUmR7G9QK3wJx+qSfF0

Score
7/10
discovery

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1268
      • C:\Users\Admin\AppData\Local\Temp\6c6e9a1fc4ddd52db20020fe31a673179cb8338e61930dbacd8132a626aa0621.exe
        "C:\Users\Admin\AppData\Local\Temp\6c6e9a1fc4ddd52db20020fe31a673179cb8338e61930dbacd8132a626aa0621.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2256
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD73C.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2288
          • C:\Users\Admin\AppData\Local\Temp\6c6e9a1fc4ddd52db20020fe31a673179cb8338e61930dbacd8132a626aa0621.exe
            "C:\Users\Admin\AppData\Local\Temp\6c6e9a1fc4ddd52db20020fe31a673179cb8338e61930dbacd8132a626aa0621.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2780
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2332
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2264
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2752

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
      Filesize

      474KB

      MD5

      17e5de36cf448d652adab881a4557ec2

      SHA1

      c45337444120f4cc4a9a65b2bee63cd61618ca2a

      SHA256

      32568fb07078e0d4e77efac9ad862454dba63de5c5f920d9a14de709372f2430

      SHA512

      22678c9ca2d70d9a3377d1f2c6c91d7649adcaccee564acdf1bd6373e60f13f6e21fc09feed5b590475889996287961a1450542741ef0888a4a0b5e9c9812b92

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$aD73C.bat
      Filesize

      722B

      MD5

      8e699f2e71f9bb0086510fdb8995e7ea

      SHA1

      fb80a7de2b55a408d975dbdbe1336cb7e9cb7b82

      SHA256

      4486adfdb4301157b7e8f1ef5a4062f64cb4295ba3f8c049d3e479d7f1ed675b

      SHA512

      06b9d1563fe034cfc014441ba76580fc352fdce1044635683f9ce9615e67c315e04cf2f2a699452b86e0607b381a4e7d049f6608381ebd49eed98f233cbcbde0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\6c6e9a1fc4ddd52db20020fe31a673179cb8338e61930dbacd8132a626aa0621.exe.exe
      Filesize

      217KB

      MD5

      021c57c74de40f7c3b4fcf58a54d3649

      SHA1

      ef363ab45b6fe3dd5b768655adc4188aadf6b6fd

      SHA256

      04adf40ba58d0ab892091c188822191f2597bc47dab8b92423e8fc546dc437ef

      SHA512

      77e3bbb08c661285a49a66e8090a54f535727731c44b7253ea09ffe9548bae9d120ef38a67dfa8a5d8da170dde3e9c1928b96c64dfc07b7f67f93b478937c018

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      29KB

      MD5

      d86e4e8dd72464850871a0ffe047ec47

      SHA1

      6f8cd1a4120e750c324c4691f6705089ac6d702c

      SHA256

      74bed47cfee84b7ac715ab7795abb93f0bc661178bc030c2c2209443ddc57300

      SHA512

      3d6438fad37c0f2c7c7f46aa1eb79e66897631d5c43781d71707cfa5679f37afb856d84736dd0f1b20333756e178dc51324a243824081ca87bff34c688ba1bf8

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-4177215427-74451935-3209572229-1000\_desktop.ini
      Filesize

      9B

      MD5

      f74f4ac317419affe59fa4d389dd7e7c

      SHA1

      010f494382d5a64298702fe3732c9b96f438c653

      SHA256

      74fafb0f14fb17a8a4963d5f46fc50b3517e7aa13414ac5f42edfdf212a9bb01

      SHA512

      f82fea1632b97d2b6771f43a6941c84d7fbb86f4c4f69e9b4335aa0e166e2670f09d451da61b13cb16994b9294e99b1cfa27f2447579645b3886b7bd014cc00f

      Download Submit

    • memory/1268-29-0x00000000021A0000-0x00000000021A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2256-16-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2256-0-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2332-33-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2332-41-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2332-47-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2332-93-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2332-100-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2332-422-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2332-1876-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2332-3336-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2332-18-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download