Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

603e32027c...a2.exe

windows7-x64

7

603e32027c...a2.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    25/09/2024, 18:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    603e32027cda8f7f21bc3c1e4abebe3856bf363861301216044521f1e4b1e3a2.exe

  • Size

    768KB

  • MD5

    7d8e3dc2674f529f527f3f2e25e5cb52

  • SHA1

    6d521d712909dbeb00515d189feae32ffb8fd309

  • SHA256

    603e32027cda8f7f21bc3c1e4abebe3856bf363861301216044521f1e4b1e3a2

  • SHA512

    9d208a81519c20db18671a24de1d1fba8aec54a43941100c1aff7a784b6afe6d209949356ead0e35df08122f47e84a7f3b579af80c9e447da5f93901480d2486

  • SSDEEP

    24576:776spxV2558WVIFNcLEmdBkNaFwLFm+MWSz/L/i/f:77/JaOgDAaghMRL/iH

Score
7/10
discovery

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies registry class 6 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1168
      • C:\Users\Admin\AppData\Local\Temp\603e32027cda8f7f21bc3c1e4abebe3856bf363861301216044521f1e4b1e3a2.exe
        "C:\Users\Admin\AppData\Local\Temp\603e32027cda8f7f21bc3c1e4abebe3856bf363861301216044521f1e4b1e3a2.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:776
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aBC4D.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2080
          • C:\Users\Admin\AppData\Local\Temp\603e32027cda8f7f21bc3c1e4abebe3856bf363861301216044521f1e4b1e3a2.exe
            "C:\Users\Admin\AppData\Local\Temp\603e32027cda8f7f21bc3c1e4abebe3856bf363861301216044521f1e4b1e3a2.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            PID:1456
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2940
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2716
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2740

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
      Filesize

      251KB

      MD5

      a9722691468e94260db60952e9259574

      SHA1

      3a02b21e9e1803c5e373adb69a8be22da334d9a8

      SHA256

      06264408c50248dd56585f7115c0e5e449a8f1f6d6dec7a4479b4df8fea2deff

      SHA512

      f22f0912dcb333cd3fdd0ad7f6f7ec90f3cca108f8f20aab9680a9d705f84739db0034efa953a1c9aec062b90a0f87f5c5e1ca9ab1ee57d957fb1abb8f2ee580

      Download Submit

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
      Filesize

      471KB

      MD5

      4cfdb20b04aa239d6f9e83084d5d0a77

      SHA1

      f22863e04cc1fd4435f785993ede165bd8245ac6

      SHA256

      30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

      SHA512

      35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$aBC4D.bat
      Filesize

      722B

      MD5

      1e84649b3a51153267fd463e2afe24f3

      SHA1

      923e292c554ad8ed21e7ddd68686248ee3879853

      SHA256

      c189bd7f85a445555efcb2f54a2dd33c669550667f8a11269bd2d908e2e1c343

      SHA512

      94cf7a008be7c8268b62cb0a9925c163d0dc14d7dcb1fbf2506773dff8263258263020484f6258921f5ba6edb9dd48ff5b970c21fcd0a4353b3d021a3156e25f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\603e32027cda8f7f21bc3c1e4abebe3856bf363861301216044521f1e4b1e3a2.exe.exe
      Filesize

      742KB

      MD5

      feb8de22d9cb947160d2c9b1675e9da6

      SHA1

      103050e3a435fb9969fac0e268953ed8cc0feb29

      SHA256

      4bad4e875a39a7ec86e80e9dbe8e48422c80726ff238ccc58b27676e378ef8eb

      SHA512

      413abafd4e1cc9392f39e265e08956afa76a72e1c45a6d8dbad03ee589d2bcb08c107b8fe619f96f6bc7a8f199d3821fba5d29cab9b8e9c465f2f0edf9dc0e2e

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      26KB

      MD5

      b16a721c27323a57a788fa4a64f82a51

      SHA1

      b24a4d80cda438a35755f02926a15770e727c782

      SHA256

      e109a10411f1ccd6317ac7b50eb37eab6c579bac07c970ecffc83f83ac34eba9

      SHA512

      44ba649592d3ed4425710cd215a7d3917c00c03ad6812f1ca87b50b3dc9ef99dc2fbd0c5558e4d59ce82c8bc65b1ab4ccb0e0cdc236d40f32e8153f7a0ac4bbc

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-3551809350-4263495960-1443967649-1000\_desktop.ini
      Filesize

      9B

      MD5

      e02899454c67c7d6d1af854fdcb53b67

      SHA1

      26fb213f7c299c2a4d8c4afd234ee0b751d7a30e

      SHA256

      0e67e90646d3ba7b46f935b205c9f89e8bff2dca7aeda3cd5dfb93868b262315

      SHA512

      e1519bebf62ab4cb28e630a201312812e04f815ec0663f7b68b478da97c0bf7c7c2238a8632540d3d1f37acbe83919fb198b39ebeb222c19faa2130ab65ffffa

      Download Submit

    • memory/776-0-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/776-17-0x0000000000440000-0x0000000000474000-memory.dmp

      Filesize

      208KB

      Download

    • memory/776-16-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/776-12-0x0000000000440000-0x0000000000474000-memory.dmp

      Filesize

      208KB

      Download

    • memory/1168-31-0x0000000002D40000-0x0000000002D41000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1456-56-0x00000000001B0000-0x00000000001B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1456-54-0x0000000000400000-0x00000000004D3000-memory.dmp

      Filesize

      844KB

      Download

    • memory/1456-55-0x0000000000580000-0x0000000000591000-memory.dmp

      Filesize

      68KB

      Download

    • memory/1456-35-0x0000000000580000-0x0000000000591000-memory.dmp

      Filesize

      68KB

      Download

    • memory/1456-29-0x00000000001B0000-0x00000000001B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2940-52-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2940-63-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2940-73-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2940-123-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2940-133-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2940-623-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2940-1916-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2940-3380-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download