Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

61f4f71e50...4f.exe

windows7-x64

7

61f4f71e50...4f.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15/09/2024, 02:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    61f4f71e5068eb7671a980cb889454d12a4dbd8155d6818e09d00208cfda3c4f.exe

  • Size

    115KB

  • MD5

    095835b9cd6ddea49a82b6766063fdf3

  • SHA1

    a718d729e32829d8b47c7f73f85112987bc3ac51

  • SHA256

    61f4f71e5068eb7671a980cb889454d12a4dbd8155d6818e09d00208cfda3c4f

  • SHA512

    39a1cde419d315b72267c7917489ecaa7c5847bfc605b175aa9988f23438ee4f96b89ef435585751f7451ae696e0f5b00b7d7d841641ca744850f3e032e4702e

  • SSDEEP

    3072:pPJkuJVL2Q2xgs35efEOD8KxLQgSdJO3Wn:MuJmNV43Wn

Score
7/10
discovery

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1232
      • C:\Users\Admin\AppData\Local\Temp\61f4f71e5068eb7671a980cb889454d12a4dbd8155d6818e09d00208cfda3c4f.exe
        "C:\Users\Admin\AppData\Local\Temp\61f4f71e5068eb7671a980cb889454d12a4dbd8155d6818e09d00208cfda3c4f.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2440
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aB98F.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1124
          • C:\Users\Admin\AppData\Local\Temp\61f4f71e5068eb7671a980cb889454d12a4dbd8155d6818e09d00208cfda3c4f.exe
            "C:\Users\Admin\AppData\Local\Temp\61f4f71e5068eb7671a980cb889454d12a4dbd8155d6818e09d00208cfda3c4f.exe"
            4⤵
            • Executes dropped EXE
            PID:1896
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1944
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:264
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:580

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
      Filesize

      254KB

      MD5

      586340b58f02ffb1b754d46c776ecaa9

      SHA1

      d860ee44aedafb70befe321b936c5eba49dbdda3

      SHA256

      3f2a34592999a9ed095c898b45cb55f54712ed0486bda1f3bb54ae798516639b

      SHA512

      8c3b824fa1462406a81f60ffaa1ff8f517d3d0503e6653eee5b1d5f312ee0e13d2b9d2767f5b1f3f8644f28e5c40da1956a781551752c056332ed76ef62dbe58

      Download Submit

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
      Filesize

      474KB

      MD5

      c14a5111b798cff20d7d66b0e035d409

      SHA1

      29f0894552b30815fed6ad231b5721e876869552

      SHA256

      fd6f57dc1b82f6301cbecbf9db5728a9a69b10e3edbf4f8a1dfef571c77a6cb6

      SHA512

      a4d8b74216c76fa3d48ab7300452725602bc6d5bcc0e6c23d458d65362cd24751f23755180ae69633090b172e95f18f225c0cb4a71dd1e050d8b3dff466e7f1b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$aB98F.bat
      Filesize

      722B

      MD5

      87a21842140d817643d295edbbd9b6dc

      SHA1

      8a7830714093e0b885c7da140f04947b2ad394ea

      SHA256

      c5880a31670a05cddf4eb1e22d3ee8f5d6ac2ef9b014e26e0682b01a62cb2ae4

      SHA512

      4dea673e2ed77ffa9214c13f349eeb5073777823cca17d273de914bba79822991ee9fd8a6a909c9f2a2d194437cfbc2331093e58d1de07b1e733011a91c43dd0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\61f4f71e5068eb7671a980cb889454d12a4dbd8155d6818e09d00208cfda3c4f.exe.exe
      Filesize

      86KB

      MD5

      86c095af49b6eb83523f819aca414823

      SHA1

      d51bed201518f2329e60e211f86af2fa053d58a0

      SHA256

      3087d18262fc4d8f7655389dc10e36d65d7acd5faceac52114bdffcb160ccc62

      SHA512

      0dd3b0b5cc5257d9386404447a581a547576182f725d06a37f7f8a8ca0ccf0c8e9dcbda13b371a9695880cb64dd437af866385ddada3396ab58446ffddc001b6

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      29KB

      MD5

      e204efa82c4df71160c451caec4787e5

      SHA1

      e56ddb6d0afdb9aa1bf4808765b25cf4a2fdc279

      SHA256

      4ff7272e95a79354eb6d72c784593bd6a0820fe9e512ff176a51fef8929b5bd9

      SHA512

      6ee14cc010de5b04eee707242a6f4471739cc62bf86a332d5c0e90f15a778fe2ef1d8e1bf7f86a603cbf00fa8e302c09f533f837f5d67f62743396074ed030c9

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-2872745919-2748461613-2989606286-1000\_desktop.ini
      Filesize

      9B

      MD5

      9f88a7249d726e0d4ebea8ef2b661d98

      SHA1

      f68a9700c917086c68acd41e85887dc8fcc4c2c3

      SHA256

      969f39ddb9e19420959783eb412b391e2c49b99261750aa2716b781fabcc0f3b

      SHA512

      f68c4e069aeefc665d8c92f0c734098e4de0f4b1bea40dd72510827a49f9bd2ef6dd5b606d05cb0716630f1f27f471c3cf7d036442f34c3faa4f905d6101e21f

      Download Submit

    • memory/1232-30-0x0000000002E90000-0x0000000002E91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1944-32-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1944-40-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1944-46-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1944-92-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1944-99-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1944-363-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1944-1875-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1944-18-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1944-3335-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2440-0-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2440-16-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

      Download