Analysis

  • max time kernel
    149s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/09/2024, 18:12 UTC

General

  • Target

    603e32027cda8f7f21bc3c1e4abebe3856bf363861301216044521f1e4b1e3a2.exe

  • Size

    768KB

  • MD5

    7d8e3dc2674f529f527f3f2e25e5cb52

  • SHA1

    6d521d712909dbeb00515d189feae32ffb8fd309

  • SHA256

    603e32027cda8f7f21bc3c1e4abebe3856bf363861301216044521f1e4b1e3a2

  • SHA512

    9d208a81519c20db18671a24de1d1fba8aec54a43941100c1aff7a784b6afe6d209949356ead0e35df08122f47e84a7f3b579af80c9e447da5f93901480d2486

  • SSDEEP

    24576:776spxV2558WVIFNcLEmdBkNaFwLFm+MWSz/L/i/f:77/JaOgDAaghMRL/iH

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of the victim machine in order to infer the geographical location of that host.

  • Modifies registry class 6 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3548
      • C:\Users\Admin\AppData\Local\Temp\603e32027cda8f7f21bc3c1e4abebe3856bf363861301216044521f1e4b1e3a2.exe
        "C:\Users\Admin\AppData\Local\Temp\603e32027cda8f7f21bc3c1e4abebe3856bf363861301216044521f1e4b1e3a2.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3016
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a80F7.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3692
          • C:\Users\Admin\AppData\Local\Temp\603e32027cda8f7f21bc3c1e4abebe3856bf363861301216044521f1e4b1e3a2.exe
            "C:\Users\Admin\AppData\Local\Temp\603e32027cda8f7f21bc3c1e4abebe3856bf363861301216044521f1e4b1e3a2.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            PID:1776
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3940
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3976
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3056

    Network

    All DNS traffic is reverse (PTR) lookups sent to 8.8.8.8:53 (geolocated US). One line per queried name: bytes sent / received, requests / responses, and any answer returned.

    • 228.249.119.40.in-addr.arpa IN PTR: 73 B / 159 B, 1 / 1, empty response
    • 100.209.201.84.in-addr.arpa IN PTR: 73 B / 133 B, 1 / 1, empty response
    • 95.221.229.192.in-addr.arpa IN PTR: 73 B / 144 B, 1 / 1, empty response
    • 73.159.190.20.in-addr.arpa IN PTR: 72 B / 158 B, 1 / 1, empty response
    • 232.168.11.51.in-addr.arpa IN PTR: 72 B / 158 B, 1 / 1, empty response
    • 104.219.191.52.in-addr.arpa IN PTR: 146 B / 147 B, 2 / 1, empty response (second request unanswered)
    • 50.23.12.20.in-addr.arpa IN PTR: 210 B / 156 B, 3 / 1, empty response (two requests unanswered)
    • 241.42.69.40.in-addr.arpa IN PTR: 71 B / 145 B, 1 / 1, empty response
    • 197.87.175.4.in-addr.arpa IN PTR: 71 B / 157 B, 1 / 1, empty response
    • 240.221.184.93.in-addr.arpa IN PTR: 73 B / 144 B, 1 / 1, empty response
    • 81.144.22.2.in-addr.arpa IN PTR: 70 B / 133 B, 1 / 1, answer: a2-22-144-81.deploy.static.akamaitechnologies.com
    • 48.229.111.52.in-addr.arpa IN PTR: 72 B / 158 B, 1 / 1, empty response
    • 172.214.232.199.in-addr.arpa IN PTR: 74 B / 128 B, 1 / 1, empty response

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

      Filesize

      244KB

      MD5

      f048e6aefe1361962ed31dcf10f0c253

      SHA1

      65e54123268cd3d73920c2aeeade390519af7505

      SHA256

      270bdd74449b75ac4a265921aa3994e8490bfe95f66bac19be344184674e86a5

      SHA512

      78502fb1394d852e7a34d35032e7dd3e3008240ad62d7e43d62cdb69e7ef22974f3feba4f96486d1af5f17cbf6c8c6203dde569b4aba0e37c9963dd43c4837b6

    • C:\Program Files\7-Zip\7z.exe

      Filesize

      570KB

      MD5

      69b270eb1b5bb5248153fd84041c54d8

      SHA1

      bd9ddaacedc0b861aefe868b14ec23667d070244

      SHA256

      9bcb2a37876f0a5bab916c4c7e06d528bc40b6b710187593cf1d0f971923c738

      SHA512

      73ff4ab38ee6925d60933dfdc35567eeeb4eabaaa414b8a462b52dea2f98b1cf0c4c39dc2a09ef4fb2b89e239a08d14367d34c71fc8ebf5af3db232d3615a489

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

      Filesize

      636KB

      MD5

      2500f702e2b9632127c14e4eaae5d424

      SHA1

      8726fef12958265214eeb58001c995629834b13a

      SHA256

      82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c

      SHA512

      f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

    • C:\Users\Admin\AppData\Local\Temp\$$a80F7.bat

      Filesize

      722B

      MD5

      e5597bd4cde91b56c9a5bc4a00327998

      SHA1

      9d104cabd1bf5fbc3f92548085ec4b1de7f9513b

      SHA256

      bf7e8b82ac01c7aceffe383062e629f0d05e2e87ad62f100b0e36402e95a6ec7

      SHA512

      627ac293ccfe67579e470bb074f0ca0dea20c8f421dce3dfde657e56ce5b0f2b12835fb96da25aabb644597000017d085606a8e6226ead1d50dcf6e9fb2facd1

    • C:\Users\Admin\AppData\Local\Temp\603e32027cda8f7f21bc3c1e4abebe3856bf363861301216044521f1e4b1e3a2.exe.exe

      Filesize

      742KB

      MD5

      feb8de22d9cb947160d2c9b1675e9da6

      SHA1

      103050e3a435fb9969fac0e268953ed8cc0feb29

      SHA256

      4bad4e875a39a7ec86e80e9dbe8e48422c80726ff238ccc58b27676e378ef8eb

      SHA512

      413abafd4e1cc9392f39e265e08956afa76a72e1c45a6d8dbad03ee589d2bcb08c107b8fe619f96f6bc7a8f199d3821fba5d29cab9b8e9c465f2f0edf9dc0e2e

    • C:\Windows\Logo1_.exe

      Filesize

      26KB

      MD5

      b16a721c27323a57a788fa4a64f82a51

      SHA1

      b24a4d80cda438a35755f02926a15770e727c782

      SHA256

      e109a10411f1ccd6317ac7b50eb37eab6c579bac07c970ecffc83f83ac34eba9

      SHA512

      44ba649592d3ed4425710cd215a7d3917c00c03ad6812f1ca87b50b3dc9ef99dc2fbd0c5558e4d59ce82c8bc65b1ab4ccb0e0cdc236d40f32e8153f7a0ac4bbc

    • C:\Windows\wc98pp.dll

      Filesize

      50KB

      MD5

      01ce67a8b8f546986309c28d4594d29c

      SHA1

      c375555e487481ba317af381d8f8524ab20defb0

      SHA256

      74bd7a4d90534a25f73b253c4cd21d8886b4c9d83c05a609f2bce91dfc3caf5c

      SHA512

      62654f5834909a8c20e29344ff2083fcdcdc9f2a29dc68cfe0f2374cd29fb8c5be2a50ea73632e66a408dea1f34e0f76f47c32400edbaa2fd066b2eded36f94a

    • F:\$RECYCLE.BIN\S-1-5-21-355097885-2402257403-2971294179-1000\_desktop.ini

      Filesize

      9B

      MD5

      e02899454c67c7d6d1af854fdcb53b67

      SHA1

      26fb213f7c299c2a4d8c4afd234ee0b751d7a30e

      SHA256

      0e67e90646d3ba7b46f935b205c9f89e8bff2dca7aeda3cd5dfb93868b262315

      SHA512

      e1519bebf62ab4cb28e630a201312812e04f815ec0663f7b68b478da97c0bf7c7c2238a8632540d3d1f37acbe83919fb198b39ebeb222c19faa2130ab65ffffa

    • memory/1776-31-0x0000000005070000-0x0000000005081000-memory.dmp

      Filesize

      68KB

    • memory/1776-19-0x0000000002230000-0x0000000002231000-memory.dmp

      Filesize

      4KB

    • memory/1776-30-0x0000000000400000-0x00000000004D3000-memory.dmp

      Filesize

      844KB

    • memory/1776-32-0x0000000002230000-0x0000000002231000-memory.dmp

      Filesize

      4KB

    • memory/1776-25-0x0000000005070000-0x0000000005081000-memory.dmp

      Filesize

      68KB

    • memory/3016-0-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3016-11-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3940-49-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3940-57-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3940-28-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3940-1091-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3940-1260-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3940-39-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3940-4822-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3940-8-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3940-5271-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB
