Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    13/09/2024, 00:58

General

  • Target

    c363c89bd36d03d2af293795deeb7ab37f523ed6fb3470c1da64ee0fbeeeffd3.exe

  • Size

    52KB

  • MD5

    6c41d1c20a510cf9e830f0e20be6b195

  • SHA1

    264b5e0f57d3d14d81881b923012856a97a00e59

  • SHA256

    c363c89bd36d03d2af293795deeb7ab37f523ed6fb3470c1da64ee0fbeeeffd3

  • SHA512

    1c75cbfeeca34c05f2252303584781a4776341c61c846ab466390256fed156ed5de49a34f9e4a995075244501e4015c2a19b8e79adcc29de7c8d4f21770aac03

  • SSDEEP

    768:pC16GVRu1yK9fMnJG2V9dHS85qgt6jpYU5ltbDrYiI0oPxWExI:pE3SHuJV9NP6jWWvr78Pxc

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1208
      • C:\Users\Admin\AppData\Local\Temp\c363c89bd36d03d2af293795deeb7ab37f523ed6fb3470c1da64ee0fbeeeffd3.exe
        "C:\Users\Admin\AppData\Local\Temp\c363c89bd36d03d2af293795deeb7ab37f523ed6fb3470c1da64ee0fbeeeffd3.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2060
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE917.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2596
          • C:\Users\Admin\AppData\Local\Temp\c363c89bd36d03d2af293795deeb7ab37f523ed6fb3470c1da64ee0fbeeeffd3.exe
            "C:\Users\Admin\AppData\Local\Temp\c363c89bd36d03d2af293795deeb7ab37f523ed6fb3470c1da64ee0fbeeeffd3.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2648
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe -u -p 2648 -s 124
              5⤵
              • Loads dropped DLL
              PID:2524
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1424
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2624
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2708

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

      Filesize

      254KB

      MD5

      3ca1bf22fc4c86f1ffd00a866ab6ff39

      SHA1

      059063c11ade4cafeb9eea49592aa4a049ee9269

      SHA256

      1123254ef1434c7002e054e89afbbb5a47cba9aff92916c03203e3dff7704220

      SHA512

      5ff6e33ff4e45571b0684ddc95e4ffaf8260151b2fcd2ae9be2bd72be27ee8e8364e2185e1df5f1019e9d9d937b757bcd538483ca12d0eca6cc7f36bd88d81b0

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

      Filesize

      474KB

      MD5

      6eabc463f8025a7e6e65f38cba22f126

      SHA1

      3e430ee5ec01c5509ed750b88d3473e7990dfe95

      SHA256

      cc8da3ecd355b519d81415d279ed037c725ba221bf323d250aa92ee2b2b88ca7

      SHA512

      c8fde7026ac8633403bbefee4b044457184388fb7343d8c46f5f7f272724227976bf485ea91da49e2a85dd0cfb73f260ac705d8007333dd3e5539fe5ed67e3ab

    • C:\Users\Admin\AppData\Local\Temp\$$aE917.bat

      Filesize

      722B

      MD5

      04462c803b406942d19d18c7a99432d1

      SHA1

      4ed73382a6d4467279b3a815194bdc6e24054f23

      SHA256

      ee43f485c00a5f383ed1cad232dabdf6bfe215828597d18b7485d34aee6f03a5

      SHA512

      54e1c2790639a9134167119f9f4829e2a3d5522811a6cf75259c260ba1ccc82972ff91218d422b04a78f0bb143bdc7987aa6b4da4a8f0049fe28cb8b3f832f66

    • C:\Users\Admin\AppData\Local\Temp\c363c89bd36d03d2af293795deeb7ab37f523ed6fb3470c1da64ee0fbeeeffd3.exe.exe

      Filesize

      23KB

      MD5

      3f9dbfee668294872ef01b90740b01d0

      SHA1

      99a4702b65485cd14736b1c2cdfb81b455dda01c

      SHA256

      40b32fea1fcadcb2db369475e2bba58b0b83f5c3bb647e2e63877726c35a9f86

      SHA512

      0113cec160d97ea0cce70860cc5b79b502d16191ee237a3abb84309499be193aa0127dbcb41fc05a90fa61484b061ec4332ad29a918db598e32fe832b74bd1e3

    • C:\Windows\Logo1_.exe

      Filesize

      29KB

      MD5

      8e134732e471b77cbaecf5d11f8d6949

      SHA1

      62db8b6ef2f8ff0893f692fd3fd36d704fc43c67

      SHA256

      0f65cfb0d4c3fda3b0c30629eee04caa0341dcb465a585c07f9f43652bd9bc71

      SHA512

      30e7ebf198886879a59515016dbc5c752594b18e27de067871a17dacdb478cfc02327e77e8a699c292fa8620c7ca4af230d37d76ed92621c3807c882ba42f6bc

    • F:\$RECYCLE.BIN\S-1-5-21-1846800975-3917212583-2893086201-1000\_desktop.ini

      Filesize

      9B

      MD5

      475984718232cf008bb73666d834f1f4

      SHA1

      12f23c9301c222f599a279e02a811d274d0f4abc

      SHA256

      a5b32591119f87eb3c8a00c0c39e26ea6d6414aa9887d85fcb4903e1c14921b5

      SHA512

      80235dc2560b7991d79f9550cdeca6ac02c00cee6bf186f8f20d4ff3fbd7718be937b73ab768d71c4027e153557b08bbfd95ea88d2e0857a7c70cf1da6fa9937

    • memory/1208-33-0x00000000025C0000-0x00000000025C1000-memory.dmp

      Filesize

      4KB

    • memory/1424-101-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/1424-35-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/1424-42-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/1424-48-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/1424-94-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/1424-233-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/1424-1877-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/1424-3337-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/1424-18-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/2060-0-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/2060-16-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB