Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

6c6e9a1fc4...21.exe

windows7-x64

7

6c6e9a1fc4...21.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/09/2024, 13:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6c6e9a1fc4ddd52db20020fe31a673179cb8338e61930dbacd8132a626aa0621.exe

  • Size

    247KB

  • MD5

    15b12da781d4e8b1b5c1436a290819ec

  • SHA1

    33df21ba8a9213e5ef6ebbbb47248ec01c6fae22

  • SHA256

    6c6e9a1fc4ddd52db20020fe31a673179cb8338e61930dbacd8132a626aa0621

  • SHA512

    2052cddf85dbd1d57710b16872a1dd86702b20f95d1ff7ef49bcfacf2b06b0017e26cddc5f9cce42e7de7863c4b33a8ac624ac55fe881f585ccffe39057b3188

  • SSDEEP

    6144:CuJWqml5a6EdkQxiUmRQColKGAOPQK2GwIgfx+qSfF0:/ml5a6EdkQgUmR7G9QK3wJx+qSfF0

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3480
      • C:\Users\Admin\AppData\Local\Temp\6c6e9a1fc4ddd52db20020fe31a673179cb8338e61930dbacd8132a626aa0621.exe
        "C:\Users\Admin\AppData\Local\Temp\6c6e9a1fc4ddd52db20020fe31a673179cb8338e61930dbacd8132a626aa0621.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4824
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a636D.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4996
          • C:\Users\Admin\AppData\Local\Temp\6c6e9a1fc4ddd52db20020fe31a673179cb8338e61930dbacd8132a626aa0621.exe
            "C:\Users\Admin\AppData\Local\Temp\6c6e9a1fc4ddd52db20020fe31a673179cb8338e61930dbacd8132a626aa0621.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:436
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3416
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1364
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3384

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\7-Zip\7z.exe
      Filesize

      573KB

      MD5

      bbbdafdf8ac88d42ce8a5e9bd31117b9

      SHA1

      012575b25510db566ef1ae68ff0ebc88187ec4d3

      SHA256

      8ca52571f501091fe13e6c105a5a28cbb99ab62c790b8cafc3086be38b1a56bb

      SHA512

      1d944eed2c93f735a70289c9eed10417e598ec1569884189b7119e6c164a806c89f7d0f4e94cd72a99e65ab1315aecd99983c90b3d3ab281aaa0277f1336a18e

      Download Submit

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
      Filesize

      639KB

      MD5

      cda7714d2ec36fbd5dfd358b3cc885ce

      SHA1

      410c57ed71630d168738f40cea3ccc65529b0ae1

      SHA256

      d2c7832ddb52cfbb750dfffae048fd9c6a9cf06a52b7de91a0be255dffadef4e

      SHA512

      89cc9f52ae02711a9f90f2ba8e6b62c8ac442b967903067e1f3c5c12ff3ca012b62b8af4e4e7c3762b4c3ee255826b509fdb064c0d2861a2c2953a02c4fc1714

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$a636D.bat
      Filesize

      722B

      MD5

      167845ee017f7052256c6d05c3e86090

      SHA1

      10a88f1276bdff1a41a47b5c096c8c7a7cce541d

      SHA256

      7fc616080ce127650cd109be1d2f19df2104dd3c67d6a87a0d696fd4d0837936

      SHA512

      89e5be70f11fb84121f3a3541a3f67eef717849f1d1fecb70de3acb040b52ab31884ff0a71ad5585c2e6013463524ef2e022fda4ceac096478a88c47f650012f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\6c6e9a1fc4ddd52db20020fe31a673179cb8338e61930dbacd8132a626aa0621.exe.exe
      Filesize

      217KB

      MD5

      021c57c74de40f7c3b4fcf58a54d3649

      SHA1

      ef363ab45b6fe3dd5b768655adc4188aadf6b6fd

      SHA256

      04adf40ba58d0ab892091c188822191f2597bc47dab8b92423e8fc546dc437ef

      SHA512

      77e3bbb08c661285a49a66e8090a54f535727731c44b7253ea09ffe9548bae9d120ef38a67dfa8a5d8da170dde3e9c1928b96c64dfc07b7f67f93b478937c018

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      29KB

      MD5

      d86e4e8dd72464850871a0ffe047ec47

      SHA1

      6f8cd1a4120e750c324c4691f6705089ac6d702c

      SHA256

      74bed47cfee84b7ac715ab7795abb93f0bc661178bc030c2c2209443ddc57300

      SHA512

      3d6438fad37c0f2c7c7f46aa1eb79e66897631d5c43781d71707cfa5679f37afb856d84736dd0f1b20333756e178dc51324a243824081ca87bff34c688ba1bf8

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-2718105630-359604950-2820636825-1000\_desktop.ini
      Filesize

      9B

      MD5

      f74f4ac317419affe59fa4d389dd7e7c

      SHA1

      010f494382d5a64298702fe3732c9b96f438c653

      SHA256

      74fafb0f14fb17a8a4963d5f46fc50b3517e7aa13414ac5f42edfdf212a9bb01

      SHA512

      f82fea1632b97d2b6771f43a6941c84d7fbb86f4c4f69e9b4335aa0e166e2670f09d451da61b13cb16994b9294e99b1cfa27f2447579645b3886b7bd014cc00f

      Download Submit

    • memory/3416-26-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3416-19-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3416-32-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3416-36-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3416-728-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3416-1233-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3416-4791-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3416-8-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3416-5236-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/4824-0-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/4824-9-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download