Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

0b66585a6d...b5.exe

windows7-x64

7

0b66585a6d...b5.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11/09/2024, 18:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0b66585a6dc50183a59eb5f1910926af69e14d3234812983001948c9513fc1b5.exe

  • Size

    9.3MB

  • MD5

    d3cab54df1727c177908bbd442b63be4

  • SHA1

    a3b71510e5547f90ebf6cf595618edbd6bc3d525

  • SHA256

    0b66585a6dc50183a59eb5f1910926af69e14d3234812983001948c9513fc1b5

  • SHA512

    703be1552aff54d8eaf61ca3913f9b87780bef6be45054886fc0bf05341a5ff597c137e822f183dcbe07017eb664105bebaa34147f815b87a2ca815f5b963540

  • SSDEEP

    98304:IxfZeZiONXe0cK7jfI60f8BYNg3kQVLPXnmGLH376+MyUXnby:INZekOte0cifXmZNg0ILPXnmGDm3

Score
7/10
discovery

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1180
      • C:\Users\Admin\AppData\Local\Temp\0b66585a6dc50183a59eb5f1910926af69e14d3234812983001948c9513fc1b5.exe
        "C:\Users\Admin\AppData\Local\Temp\0b66585a6dc50183a59eb5f1910926af69e14d3234812983001948c9513fc1b5.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2452
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aBE6F.bat
          3⤵
          • Deletes itself
          • System Location Discovery: System Language Discovery
          PID:2572
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2892
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:336
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1564

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
      Filesize

      254KB

      MD5

      04fd07e468e40a1a44fe6c15958d8022

      SHA1

      1e92dd9e4b7f16f8764439b02202d64198906905

      SHA256

      c067048ee526b0d90a06335e08f6e0836a255de78d133f1ed592a6c409445786

      SHA512

      2661435b45ea8b929e3215f91918cd5e1a144a6563a625016d2a734870825644c4ea90083f51e35e74df1538d7e22bd4b6c5d2af4c9df8a897e969336a8dd9c1

      Download Submit

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
      Filesize

      474KB

      MD5

      c14a5111b798cff20d7d66b0e035d409

      SHA1

      29f0894552b30815fed6ad231b5721e876869552

      SHA256

      fd6f57dc1b82f6301cbecbf9db5728a9a69b10e3edbf4f8a1dfef571c77a6cb6

      SHA512

      a4d8b74216c76fa3d48ab7300452725602bc6d5bcc0e6c23d458d65362cd24751f23755180ae69633090b172e95f18f225c0cb4a71dd1e050d8b3dff466e7f1b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$aBE6F.bat
      Filesize

      722B

      MD5

      a4ec1a137e3dfd2e2b6a458c4a029281

      SHA1

      4fbb5d8dbe67d13237fc1bf676eaf75a5ebf1616

      SHA256

      d8d30111a7d1a53148f5e37bf06a3fefdb8a7093d890d71424bfa77f64ac3eb7

      SHA512

      d71f3a5c05618c6e15e0300fbb61316b21353f9476c8579212ef29a92fb10abd47617eb2b4e61466d611650bbb66f9a39aec900ea58c53b86293b5c93526fdf9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\0b66585a6dc50183a59eb5f1910926af69e14d3234812983001948c9513fc1b5.exe.exe
      Filesize

      9.3MB

      MD5

      b86f86ef5c09df3336638ad99b7c0c0f

      SHA1

      0428ad68c4dd86cebf917582d9de21ad2bdac97f

      SHA256

      3ef229a273ff767f0dbc891329fa906455e8f696beb5b6611efe9d6f657d7ced

      SHA512

      cd3ef6725bbc15c2090f3eee10af01766030a428ec39e8dab8f0174961e9aaef1a573fdbba3f7db0e251c5888a83b701cfab8055b28c30474405c2b00e826f97

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      29KB

      MD5

      ca4a7862478fb4f3b45a9e5d76664163

      SHA1

      3af635e45dca388b8575fc87ceb0c0e3607edfd1

      SHA256

      c58b63edba763641f3aade2039f2297ad2a94a56d155de78f562b40afd215e0f

      SHA512

      099fa71c1b45b4e85cf39bc16fb9436efcfeb954ce2a42bd4f3b9c94a30bde50a1d2d376dbebe941f08061f1c506fc6819b499ea52f7abd55de455be3f25322f

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-312935884-697965778-3955649944-1000\_desktop.ini
      Filesize

      9B

      MD5

      f74f4ac317419affe59fa4d389dd7e7c

      SHA1

      010f494382d5a64298702fe3732c9b96f438c653

      SHA256

      74fafb0f14fb17a8a4963d5f46fc50b3517e7aa13414ac5f42edfdf212a9bb01

      SHA512

      f82fea1632b97d2b6771f43a6941c84d7fbb86f4c4f69e9b4335aa0e166e2670f09d451da61b13cb16994b9294e99b1cfa27f2447579645b3886b7bd014cc00f

      Download Submit

    • memory/1180-64-0x00000000025C0000-0x00000000025C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2452-12-0x0000000000230000-0x0000000000266000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2452-17-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2452-0-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2572-58-0x0000000002550000-0x0000000002551000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2892-22-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2892-83-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2892-129-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2892-135-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2892-934-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2892-1912-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2892-77-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2892-3372-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2892-69-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download