Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/09/2024, 02:24 UTC

General

  • Target

    61f4f71e5068eb7671a980cb889454d12a4dbd8155d6818e09d00208cfda3c4f.exe

  • Size

    115KB

  • MD5

    095835b9cd6ddea49a82b6766063fdf3

  • SHA1

    a718d729e32829d8b47c7f73f85112987bc3ac51

  • SHA256

    61f4f71e5068eb7671a980cb889454d12a4dbd8155d6818e09d00208cfda3c4f

  • SHA512

    39a1cde419d315b72267c7917489ecaa7c5847bfc605b175aa9988f23438ee4f96b89ef435585751f7451ae696e0f5b00b7d7d841641ca744850f3e032e4702e

  • SSDEEP

    3072:pPJkuJVL2Q2xgs35efEOD8KxLQgSdJO3Wn:MuJmNV43Wn

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks system information in the registry 2 TTPs 2 IoCs

    System information is often read in order to detect sandboxing environments.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 8 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3444
      • C:\Users\Admin\AppData\Local\Temp\61f4f71e5068eb7671a980cb889454d12a4dbd8155d6818e09d00208cfda3c4f.exe
        "C:\Users\Admin\AppData\Local\Temp\61f4f71e5068eb7671a980cb889454d12a4dbd8155d6818e09d00208cfda3c4f.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3844
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8CCF.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:952
          • C:\Users\Admin\AppData\Local\Temp\61f4f71e5068eb7671a980cb889454d12a4dbd8155d6818e09d00208cfda3c4f.exe
            "C:\Users\Admin\AppData\Local\Temp\61f4f71e5068eb7671a980cb889454d12a4dbd8155d6818e09d00208cfda3c4f.exe"
            4⤵
            • Executes dropped EXE
            • Checks system information in the registry
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • System policy modification
            PID:2776
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1648
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3064
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3600
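The tree above contains three links a detection engineer would want to alert on: a binary in the user's Temp directory handing a batch file to cmd.exe, which then re-launches that same binary; a new executable started from the root of C:\Windows by the Temp-resident process; and net.exe/net1.exe stopping a service whose name identifies antivirus software. The following is an added example, not Triage output and not code from this page, that encodes those patterns as rules over process-creation events. The events are constructed from the page's process tree in a Sysmon Event ID 1-like shape; the field names, the rule names and the AV_KEYWORDS list are assumptions.

```python
"""Flag the suspicious parent/child links seen in the report's process tree.

Added example. EVENTS is constructed from the page's process tree (PIDs and
command lines as listed); field names, rule names and AV_KEYWORDS are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    command_line: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\61f4f71e5068eb7671a980cb889454d12a4dbd8155d6818e09d00208cfda3c4f.exe")

# Constructed from the page's process tree.
EVENTS = [
    ProcEvent(3444, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(3844, 3444, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(952, 3844, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8CCF.bat"),
    ProcEvent(2776, 952, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1648, 3844, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    ProcEvent(3064, 1648, r"C:\Windows\SysWOW64\net.exe",
              'net stop "Kingsoft AntiVirus Service"'),
    ProcEvent(3600, 3064, r"C:\Windows\SysWOW64\net1.exe",
              r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
]

USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
WINDOWS_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)
BATCH_ARG = re.compile(r"/c\s+\"?([^\"\s]+\.(?:bat|cmd))", re.I)
NET_STOP = re.compile(r"\bstop\s+\"?([^\"]+?)\"?\s*$", re.I)
# Assumption: substrings that mark a service name as security software; tune per estate.
AV_KEYWORDS = ("antivirus", "anti-virus", "defender", "kingsoft", "security")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(ev: ProcEvent, by_pid: dict) -> list:
    """Parent chain, nearest first, following ppid until the root is lost."""
    chain, cur = [], by_pid.get(ev.ppid)
    while cur is not None:
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def detect(events) -> list:
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        parents = ancestry(ev, by_pid)
        parent = parents[0] if parents else None
        chain = [basename(p.image) for p in parents]
        # 1. cmd.exe /c <batch in user Temp>, launched by something that also lives in Temp
        m = BATCH_ARG.search(ev.command_line)
        if (basename(ev.image) == "cmd.exe" and m and USER_TEMP.match(m.group(1))
                and parent and USER_TEMP.match(parent.image)):
            hits.append({"rule": "temp_batch_via_cmd", "pid": ev.pid,
                         "detail": m.group(1), "chain": chain})
        # 2. an executable directly under the Windows root whose parent lives in user Temp
        if WINDOWS_ROOT_EXE.match(ev.image) and parent and USER_TEMP.match(parent.image):
            hits.append({"rule": "exe_in_windows_root_from_temp", "pid": ev.pid,
                         "detail": ev.image, "chain": chain})
        # 3. the same image re-launched through cmd.exe by one of its own ancestors
        if (parent and basename(parent.image) == "cmd.exe"
                and any(p.image.lower() == ev.image.lower() for p in parents[1:])):
            hits.append({"rule": "self_relaunch_via_batch", "pid": ev.pid,
                         "detail": ev.image, "chain": chain})
        # 4. net.exe / net1.exe stopping a service whose name looks like security software
        m = NET_STOP.search(ev.command_line)
        if (basename(ev.image) in ("net.exe", "net1.exe") and m
                and any(k in m.group(1).lower() for k in AV_KEYWORDS)):
            hits.append({"rule": "av_service_stop_via_net", "pid": ev.pid,
                         "detail": m.group(1), "chain": chain})
    return hits


if __name__ == "__main__":
    for h in detect(EVENTS):
        print(f"{h['rule']:32} pid={h['pid']:<5} {h['detail']}  <- {' <- '.join(h['chain'])}")
```

The ancestry chain carried in each hit is what turns a lone `net stop` into a story: the service stop is attributed back through Logo1_.exe to the Temp-resident sample, which is the context that separates this from an administrator typing the same command.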

    Network

    All observed traffic is DNS: eight reverse (PTR) lookups sent to 8.8.8.8:53, one request and one reply each. Two of them returned a PTR record; the other six show no answer in the report. No other traffic appears in the report.

    Query (IN PTR)                Sent   Received  Answer
    154.239.44.20.in-addr.arpa    72 B   158 B     (none)
    81.144.22.2.in-addr.arpa      70 B   133 B     a2-22-144-81.deploy.static.akamaitechnologies.com
    228.249.119.40.in-addr.arpa   73 B   159 B     (none)
    50.23.12.20.in-addr.arpa      70 B   156 B     (none)
    15.164.165.52.in-addr.arpa    72 B   146 B     (none)
    18.134.221.88.in-addr.arpa    72 B   137 B     a88-221-134-18.deploy.static.akamaitechnologies.com
    240.221.184.93.in-addr.arpa   73 B   144 B     (none)
    21.236.111.52.in-addr.arpa    72 B   158 B     (none)
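The queries are reverse lookups only, so the addresses the host was actually talking to are hidden inside the in-addr.arpa names. The script below is an added example, not part of the report, that turns each query back into its IPv4 address, records which ones got an answer, and checks that an answered Akamai-style PTR really embeds the address that was asked about (a cheap sanity check against mis-attributed log lines). The OBSERVED list is copied from the table above; the function and field names are assumptions.

```python
"""Decode the report's reverse-DNS (PTR) queries back into IPv4 addresses.

Added example, not Triage output. OBSERVED is copied from the page's Network
section; function and field names are assumptions.
"""
import ipaddress
import re

# Constructed from the page's Network section: query name and the PTR answer
# returned via 8.8.8.8, or None where the report shows no answer.
OBSERVED = [
    ("154.239.44.20.in-addr.arpa", None),
    ("81.144.22.2.in-addr.arpa", "a2-22-144-81.deploy.static.akamaitechnologies.com"),
    ("228.249.119.40.in-addr.arpa", None),
    ("50.23.12.20.in-addr.arpa", None),
    ("15.164.165.52.in-addr.arpa", None),
    ("18.134.221.88.in-addr.arpa", "a88-221-134-18.deploy.static.akamaitechnologies.com"),
    ("240.221.184.93.in-addr.arpa", None),
    ("21.236.111.52.in-addr.arpa", None),
]

# Akamai PTR names start with a label like "a2-22-144-81": optional letters, then the IP.
AKAMAI_LABEL = re.compile(r"^[a-z]*(\d+)-(\d+)-(\d+)-(\d+)$")


def arpa_to_ipv4(name: str) -> ipaddress.IPv4Address:
    """Reverse the four octet labels of a full in-addr.arpa name; reject partial names."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        raise ValueError(f"not a full IPv4 reverse name: {name!r}")
    return ipaddress.IPv4Address(".".join(reversed(labels[:4])))


def ptr_embeds_ip(ptr, ip):
    """True/False when the PTR's first label encodes an address (Akamai style), None otherwise."""
    if ptr is None:
        return None
    m = AKAMAI_LABEL.match(ptr.split(".", 1)[0].lower())
    if not m:
        return None
    return ipaddress.IPv4Address(".".join(m.groups())) == ip


def summarize(observed) -> list:
    rows = []
    for query, ptr in observed:
        ip = arpa_to_ipv4(query)
        rows.append({
            "query": query,
            "ip": str(ip),
            "public": ip.is_global,          # private/reserved space would point at lab plumbing
            "ptr": ptr,
            "ptr_embeds_ip": ptr_embeds_ip(ptr, ip),
        })
    return rows


if __name__ == "__main__":
    for r in summarize(OBSERVED):
        print(f"{r['ip']:>16}  public={r['public']!s:5}  ptr={r['ptr'] or '-'}  "
              f"embeds_ip={r['ptr_embeds_ip']}")
```

Feeding the decoded addresses into whatever IP-reputation or passive-DNS source you use is the next step; the point of the check is that, for a sandbox run, reverse lookups of public addresses are usually the OS or an installed product phoning home rather than the sample, and you want the forward addresses in hand before deciding which.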

    The TTP counts attached to the signatures above are mapped against MITRE ATT&CK Enterprise v15.
    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

      Filesize

      247KB

      MD5

      e440b5bbbbcce84e067fd7e5ea90ab24

      SHA1

      b1479b7652e9775e459133e69e0f9b90a1b2a785

      SHA256

      a8480343324ee591d772de83c6d956258cb7d37c505b9155e9a7aef4df5aa3ff

      SHA512

      e28e2546486cbb1b59b4ab93a5d8a202e6d6eab8cbfa4e96b3436694a47a5b9e7628b55eb473be19d16ecd751ac81b7a4a622f598ee81e2275b7c9a7a7582e20

    • C:\Program Files\7-Zip\7z.exe

      Filesize

      573KB

      MD5

      2ab6e8b7aab48ca2c3ce6355d99e0412

      SHA1

      0497cb4608490d89e0d6d142fec80495041aa79c

      SHA256

      7fc89158149be43ce900c001fa51b3136f604268cab2e249a51b2d51aca30d15

      SHA512

      77db9d50da415b7d632b350df9dfe3d0de67bb33ca9cacba81531be1c32fdf72a87bbfe0aa18d222abff4c613326d81d3682a3c6065c91ba4c358e039ae74b08

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

      Filesize

      639KB

      MD5

      ad5a7e5eb1a1cdd791957e07c93748ae

      SHA1

      6e4f8c5f4d791327e11d0d68ca6f514554af8481

      SHA256

      cfee92d916fbbb95d8282c3264d3708ad1ddfdd9db4daaf00e0c96a22854c4dc

      SHA512

      a8acd191aec48dac8d5808a93ee973ea52793140e318b4d870fb10e4e8ba0756fe95654134dd1c175168375a0f7caebfd8a7d46a9b3dc71006f830b53dd9fefe

    • C:\Users\Admin\AppData\Local\Temp\$$a8CCF.bat

      Filesize

      722B

      MD5

      b514984a444b2875fd28ed39f8b7469d

      SHA1

      7af68dc2f64d3b01351947dc3445b21b323d2a0c

      SHA256

      3e667cd98534170ed34d281ed4c123ac5d6091eb744aa095243917c71f8529b6

      SHA512

      3142bdccf279d7b5f8b827b45edbfbe7aad297135aa10585453aa1f418c2389f26daaf2751daf5414a72be1b84f2277e0c3de9851c1cb740c6c51bb7adc5a445

    • C:\Users\Admin\AppData\Local\Temp\61f4f71e5068eb7671a980cb889454d12a4dbd8155d6818e09d00208cfda3c4f.exe.exe

      Filesize

      86KB

      MD5

      86c095af49b6eb83523f819aca414823

      SHA1

      d51bed201518f2329e60e211f86af2fa053d58a0

      SHA256

      3087d18262fc4d8f7655389dc10e36d65d7acd5faceac52114bdffcb160ccc62

      SHA512

      0dd3b0b5cc5257d9386404447a581a547576182f725d06a37f7f8a8ca0ccf0c8e9dcbda13b371a9695880cb64dd437af866385ddada3396ab58446ffddc001b6

    • C:\Windows\Logo1_.exe

      Filesize

      29KB

      MD5

      e204efa82c4df71160c451caec4787e5

      SHA1

      e56ddb6d0afdb9aa1bf4808765b25cf4a2fdc279

      SHA256

      4ff7272e95a79354eb6d72c784593bd6a0820fe9e512ff176a51fef8929b5bd9

      SHA512

      6ee14cc010de5b04eee707242a6f4471739cc62bf86a332d5c0e90f15a778fe2ef1d8e1bf7f86a603cbf00fa8e302c09f533f837f5d67f62743396074ed030c9

    • F:\$RECYCLE.BIN\S-1-5-21-656926755-4116854191-210765258-1000\_desktop.ini

      Filesize

      9B

      MD5

      9f88a7249d726e0d4ebea8ef2b661d98

      SHA1

      f68a9700c917086c68acd41e85887dc8fcc4c2c3

      SHA256

      969f39ddb9e19420959783eb412b391e2c49b99261750aa2716b781fabcc0f3b

      SHA512

      f68c4e069aeefc665d8c92f0c734098e4de0f4b1bea40dd72510827a49f9bd2ef6dd5b606d05cb0716630f1f27f471c3cf7d036442f34c3faa4f905d6101e21f

    • Memory dumps

      Eleven dumps were taken, all of the same 216KB region 0x0000000000400000-0x0000000000436000 (the default image base of a 32-bit PE): two from the initial sample process (PID 3844) and nine from Logo1_.exe (PID 1648).

      memory/3844-0-0x0000000000400000-0x0000000000436000-memory.dmp
      memory/3844-9-0x0000000000400000-0x0000000000436000-memory.dmp
      memory/1648-8-0x0000000000400000-0x0000000000436000-memory.dmp
      memory/1648-23-0x0000000000400000-0x0000000000436000-memory.dmp
      memory/1648-30-0x0000000000400000-0x0000000000436000-memory.dmp
      memory/1648-36-0x0000000000400000-0x0000000000436000-memory.dmp
      memory/1648-40-0x0000000000400000-0x0000000000436000-memory.dmp
      memory/1648-660-0x0000000000400000-0x0000000000436000-memory.dmp
      memory/1648-1237-0x0000000000400000-0x0000000000436000-memory.dmp
      memory/1648-4795-0x0000000000400000-0x0000000000436000-memory.dmp
      memory/1648-5240-0x0000000000400000-0x0000000000436000-memory.dmp
