Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

32712a3036...c2.exe

windows7-x64

7

32712a3036...c2.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    13/09/2024, 22:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    32712a3036b8222afb45c622a22d4ca7264bd96f691569ab0a36b46a823acfc2.exe

  • Size

    258KB

  • MD5

    006a3b66d21ee3a19400d563d741e05d

  • SHA1

    fd8970cc55501c01cb65c845fe77dc65342d8c97

  • SHA256

    32712a3036b8222afb45c622a22d4ca7264bd96f691569ab0a36b46a823acfc2

  • SHA512

    9d398dd7a8754335f1cd5a5b4dfe42a5a81a131d473e21db04827d05f106e38826ade8257f54f554bca3c1c93c96a322950441d527273a876d1434d4bfa8ae88

  • SSDEEP

    1536:jZ3SHmLKarIpYQILFkbeumIkA39xSZW175V7UZQJ0UjsWpcdVO4Mqg+aJRaCAd1L:jZkF3plLRkgUA1nQZwFGVO4Mqg+WDY

Score
7/10
discovery

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1152
      • C:\Users\Admin\AppData\Local\Temp\32712a3036b8222afb45c622a22d4ca7264bd96f691569ab0a36b46a823acfc2.exe
        "C:\Users\Admin\AppData\Local\Temp\32712a3036b8222afb45c622a22d4ca7264bd96f691569ab0a36b46a823acfc2.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2008
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a8102.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1624
          • C:\Users\Admin\AppData\Local\Temp\32712a3036b8222afb45c622a22d4ca7264bd96f691569ab0a36b46a823acfc2.exe
            "C:\Users\Admin\AppData\Local\Temp\32712a3036b8222afb45c622a22d4ca7264bd96f691569ab0a36b46a823acfc2.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2276
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1664
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2224
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2488

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
      Filesize

      252KB

      MD5

      a808ca996b14696d489c8113d27c8bf4

      SHA1

      3686daeb450d654c6abe586bedcad32e3253c5da

      SHA256

      5297764ce75736b13a7a54a1b29ad86e9830cb809491069e0240081646f4970b

      SHA512

      83c8d825956c23b11fc156d953dd1f91d009fe5b566ee3bdb9007d9788c4230b723a9aeae73b92d44cef8193c2a7f9d6d2d35d4d087e89954ad70a5a78a82523

      Download Submit

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
      Filesize

      472KB

      MD5

      88eb1bca8c399bc3f46e99cdde2f047e

      SHA1

      55fafbceb011e1af2edced978686a90971bd95f2

      SHA256

      42fd78c05bc240d4ded16ac974f17c336f6ae3a1814d548021c48a942cc30428

      SHA512

      149d4de0c024e25a13a7bb17471e6f48391d4f26b1c8388672320eed1c255f84219ad7b72bbebc531ae558d5192dd4bb6d0dddd6c65a45300c8e8348a4fb3728

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$a8102.bat
      Filesize

      722B

      MD5

      28097b7407afe08a40a48567241c5cfc

      SHA1

      3e9427fb83a653b91f81bf447041f052c3fe8d5c

      SHA256

      1146a3116aed73d926089f7ec5976aa895d5bcc2cf1f93d186965082372c6de4

      SHA512

      476c8965d77744c3d2bfccba9f9dfa6722564ed028d7c4dfbb3931553c344697b73cc151091e4d73163bd0ce04322fa0016080a8ec02e61062ce0906db217ef8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\32712a3036b8222afb45c622a22d4ca7264bd96f691569ab0a36b46a823acfc2.exe.exe
      Filesize

      231KB

      MD5

      6f581a41167d2d484fcba20e6fc3c39a

      SHA1

      d48de48d24101b9baaa24f674066577e38e6b75c

      SHA256

      3eb8d53778eab9fb13b4c97aeab56e4bad2a6ea3748d342f22eaf4d7aa3185a7

      SHA512

      e1177b6cea89445d58307b3327c78909adff225497f9abb8de571cdd114b547a8f515ec3ab038b583bf752a085b231f6329d6ca82fbe6be8a58cd97a1dbaf0f6

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      27KB

      MD5

      9bbc3817237b1731d5dbe97befe25e6e

      SHA1

      082ff1063b8b48172a4b728afc53cea1e8cf1c47

      SHA256

      740805a91a84f106a413b5fb5a2b8de558091f6b852f07c9af44172467c6927a

      SHA512

      815371ad32f7951aace75fb9a56c38d914cd50d66f8730f142687d383636f7dac45ddcaa071fe1deca10d0e3526fe6d9d0f2f474c9660e347787316780e16807

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-2872745919-2748461613-2989606286-1000\_desktop.ini
      Filesize

      9B

      MD5

      475984718232cf008bb73666d834f1f4

      SHA1

      12f23c9301c222f599a279e02a811d274d0f4abc

      SHA256

      a5b32591119f87eb3c8a00c0c39e26ea6d6414aa9887d85fcb4903e1c14921b5

      SHA512

      80235dc2560b7991d79f9550cdeca6ac02c00cee6bf186f8f20d4ff3fbd7718be937b73ab768d71c4027e153557b08bbfd95ea88d2e0857a7c70cf1da6fa9937

      Download Submit

    • memory/1152-29-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1664-97-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1664-31-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1664-38-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1664-44-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1664-90-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1664-423-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1664-1873-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1664-3333-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1664-18-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2008-0-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2008-16-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download