Analysis

  • max time kernel
    149s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/10/2024, 06:25

General

  • Target

    ccb5598576316f752c7d3155de78871f5e88eaa70fbf2ad689f83957d36f6aaa.exe

  • Size

    52KB

  • MD5

    881dd0fc2ef489a84a7aa3fdff69dcb4

  • SHA1

    f8fadbb90370903714cfe1a2673f60c48fdb951a

  • SHA256

    ccb5598576316f752c7d3155de78871f5e88eaa70fbf2ad689f83957d36f6aaa

  • SHA512

    ebdddca2bbc649f8cdfcb69abd2ba4566d3904dcc6fdefb1bd461c26873c0bf9f94a25fa5023a52101ed9ab7dbba7390b03c6ff069f71ffb668dcf1082842b90

  • SSDEEP

    768:49Mn16GVRu1yK9fMnJG2V9dLEqgt6jpYU5ltbDrYiI0oPxWExI:49M13SHuJV9k6jWWvr78Pxc

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3456
      • C:\Users\Admin\AppData\Local\Temp\ccb5598576316f752c7d3155de78871f5e88eaa70fbf2ad689f83957d36f6aaa.exe
        "C:\Users\Admin\AppData\Local\Temp\ccb5598576316f752c7d3155de78871f5e88eaa70fbf2ad689f83957d36f6aaa.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2664
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB323.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:500
          • C:\Users\Admin\AppData\Local\Temp\ccb5598576316f752c7d3155de78871f5e88eaa70fbf2ad689f83957d36f6aaa.exe
            "C:\Users\Admin\AppData\Local\Temp\ccb5598576316f752c7d3155de78871f5e88eaa70fbf2ad689f83957d36f6aaa.exe"
            4⤵
            • Executes dropped EXE
            PID:4532
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:980
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:372
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:4628
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1556

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

      Filesize

      247KB

      MD5

      98dd7c1511e132e59c9d441b3dbf987c

      SHA1

      36c7d00b0b524300f44a3b7da7b3415bfad369e4

      SHA256

      afe966017bdbfb5195a6fdf32e2eab42aa7e332ac9c83a123db5daf1b3171aa3

      SHA512

      959e4cc73a8c6ac67c004c29dee3bc71599059f2559502496eedc4a0b6d1773c3f5fdee8104f12d58fbc4ce66191bd1e786bb7ae706e93a0062657b986996409

    • C:\Program Files\7-Zip\7z.exe

      Filesize

      573KB

      MD5

      4aafd131a93af2ecf070c7c59e905e66

      SHA1

      d97dc15b3f7bbe559886f3bea2879e83cecc6809

      SHA256

      92925beb42af0a02fcd0b0cd89a2d8eb67556b173cb5eb391adb6fdd8ea1d11b

      SHA512

      4bf8e9fb37162f9c04ca5b65910bf80fc0f63cc1d75cc0cae88415282750411a49a571be3661cb4f50724461e082617285ed9a68f10d7f716a919f06f564d190

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

      Filesize

      639KB

      MD5

      fe2fab2d4c843edc9198a7767e9842e3

      SHA1

      42d7effdc358db8ef6fc6afbb9f09141535b5d11

      SHA256

      4c50aca6c5c15d52d26c69be9dce9e7a1020e233f44d4ad245c60ea355f1e8a8

      SHA512

      8b8c5d11732e088ac444554482294f42ccd386ce88ea9d40c59beeb04800696713f118e6d60fe2378f666862e08a8a32c322d443d21b96121552b498fb9c5f14

    • C:\Users\Admin\AppData\Local\Temp\$$aB323.bat

      Filesize

      722B

      MD5

      967f4e867521c3b79f0046f0077c779a

      SHA1

      4285425a3bc3a857fdab67980f812343e48aa58e

      SHA256

      4593e90c7b8919b238e959785a20b5591d37eb64260ea2d9a3c4d642b545a63d

      SHA512

      c59867aced7dc5339ec37a032c8872b5a6eb0100b6131bf4bae0526f609fd63956a615dd02573dfcf9da3a4c45aec91008dea625a03e7ff905b0189496a14268

    • C:\Users\Admin\AppData\Local\Temp\ccb5598576316f752c7d3155de78871f5e88eaa70fbf2ad689f83957d36f6aaa.exe.exe

      Filesize

      23KB

      MD5

      3f9dbfee668294872ef01b90740b01d0

      SHA1

      99a4702b65485cd14736b1c2cdfb81b455dda01c

      SHA256

      40b32fea1fcadcb2db369475e2bba58b0b83f5c3bb647e2e63877726c35a9f86

      SHA512

      0113cec160d97ea0cce70860cc5b79b502d16191ee237a3abb84309499be193aa0127dbcb41fc05a90fa61484b061ec4332ad29a918db598e32fe832b74bd1e3

    • C:\Windows\Logo1_.exe

      Filesize

      29KB

      MD5

      4c513a4884d5671553b53e59a8c5149a

      SHA1

      57afa0c2f1936a9adc9ddcb007499472a8a37d6d

      SHA256

      0413d2f733470a6ae51171bd9de1abe1034020f8951e2c9c10156188471f3df3

      SHA512

      2ac965599f0d154c1af515bd102436247fb8a83f0b34d0d01cde2d2063802d07258b0cc022e04f62eb06e5c983ff0ee2df4e727a0214f930ecc9b9e7be4a7924

    • F:\$RECYCLE.BIN\S-1-5-21-2045521122-590294423-3465680274-1000\_desktop.ini

      Filesize

      10B

      MD5

      1603436fb34d76c51d66ab1816519131

      SHA1

      3d5dc4ccfe3cc992c253dccfccf66ea727f66bf6

      SHA256

      9072a674ab684ff3ef851bf4f0fdc4118d2bcbe765282f38f3f6de4360057d60

      SHA512

      30d89b59822313e4b281b8f63b959f36262b2b948cf38e6389e9a1a7517c7c239349a41de9e35c8cd27d6b852ab5349206c2fb85b631dc59fab5421d997dbd46

    • memory/980-27-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/980-33-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/980-37-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/980-20-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/980-466-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/980-1234-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/980-4785-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/980-11-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/980-5254-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/2664-0-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/2664-9-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB