Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/10/2024, 07:29

General

  • Target

    96ede9e65af50e0473209a2b77ebe5ac5b474b333fa27329f77737686ee26d85.exe

  • Size

    959KB

  • MD5

    608071c3294ce3da4277e1cbe9d94fc4

  • SHA1

    b4e35bf3a1570cdf4d79218f30cd90cbf669c322

  • SHA256

    96ede9e65af50e0473209a2b77ebe5ac5b474b333fa27329f77737686ee26d85

  • SHA512

    8bc3d3375e484c168c2ded176b98ee035a2539c738cc3cdea5e66cf3c9e03bb3572af1193cb44d077737bb243198a2ee3411dee7e0fc9dceca4f113e9fdebb38

  • SSDEEP

    12288:3ORKcv8Nh7py6Rmi78gkPH3aPI9vyVg/0paQuj3IdD02fKBjtp/:3nBpDRmi78gkPXlyo0G/jr

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1220
      • C:\Users\Admin\AppData\Local\Temp\96ede9e65af50e0473209a2b77ebe5ac5b474b333fa27329f77737686ee26d85.exe
        "C:\Users\Admin\AppData\Local\Temp\96ede9e65af50e0473209a2b77ebe5ac5b474b333fa27329f77737686ee26d85.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2252
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a6ED9.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2680
          • C:\Users\Admin\AppData\Local\Temp\96ede9e65af50e0473209a2b77ebe5ac5b474b333fa27329f77737686ee26d85.exe
            "C:\Users\Admin\AppData\Local\Temp\96ede9e65af50e0473209a2b77ebe5ac5b474b333fa27329f77737686ee26d85.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:2912
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2096
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2728
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2876

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

      Filesize

      254KB

      MD5

      888fe90f1785f31e7709f9fd7eb99c44

      SHA1

      fa207006c195f3e493a1106bdf4ffb7d90189d62

      SHA256

      8a920e0b7196342c7144048da25f4d9655ec6952f546f4bc69f492fa1a5d9397

      SHA512

      143ce2670a8293aea1bb421ea3f187bdfc41a1972dd8a06d17d08ca96fa066d8418c31ccafa79afd9b489c1508cd3c86ef0f27cb9614b6be552a67f158281af6

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

      Filesize

      474KB

      MD5

      db8f69c773c40773218d175dd5e0fd0b

      SHA1

      41ec4f0e7c66b6d0699f8e2e4125e4d41333f44d

      SHA256

      844d74aff6a0fe5c32ad867e6c4da437d924c576794438dc099b5d4435239a7d

      SHA512

      212ac966254943cbea620c0c63b8e0a2e33d466d586bc194b6deac8fb38fa2e24b1fc8905d98fd58a454d37471a754a24a662b5e26c6d67a1e27b038d6c124db

    • C:\Users\Admin\AppData\Local\Temp\$$a6ED9.bat

      Filesize

      722B

      MD5

      61590aeee2cdbe118ba17ea56a44a244

      SHA1

      3e987ce050485b303bf52c318e404c861dac7077

      SHA256

      8bb009b3fdacff00463212aa136e4e6ce35683886f244ad330e0481b6b3e145a

      SHA512

      f01bdc5ee057c6cdf9fc5e89ad36b6bc78b655edcc6af0c0f5b9a129c072d1c48a40919b5a45b2cd7bb2d58b6b8f3aa99eff3ba78c8a54b50fd597a980553c28

    • C:\Users\Admin\AppData\Local\Temp\96ede9e65af50e0473209a2b77ebe5ac5b474b333fa27329f77737686ee26d85.exe.exe

      Filesize

      930KB

      MD5

      30ac0b832d75598fb3ec37b6f2a8c86a

      SHA1

      6f47dbfd6ff36df7ba581a4cef024da527dc3046

      SHA256

      1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74

      SHA512

      505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057

    • C:\Windows\Logo1_.exe

      Filesize

      29KB

      MD5

      f1a5c230c008ac88544a42f70081f862

      SHA1

      af50bd6dcdf02c312e569fc861a02befd5f1d501

      SHA256

      4fb055be2b07ebeff596af014fc33d044e97e60da0964c22150d84494d09a332

      SHA512

      f7ebb84dbba01c02b1f25f7ac77988d128c93545f9f600f92463f7a2f9e293d4e15cf8bb6ebd0200921e244978f4c9ea86e2924dfef710e33219e2c35d1e0518

    • F:\$RECYCLE.BIN\S-1-5-21-2039016743-699959520-214465309-1000\_desktop.ini

      Filesize

      10B

      MD5

      52a225cec34530c05c340f9ae894aa31

      SHA1

      d6553bc25b5bc40447184e9dd520dd7c88f5c2aa

      SHA256

      bddf98f152ff77575c277b91c8f7aa5f69973cd3bfe7aa55ebe61b7d3df17fab

      SHA512

      726f8a96e3dab9ec548bda81a01dc3e0d93afa2363c76c4bf639de4b0471f8a43a8e32e90b230b95639e82b7daa8da3e8d9c848755e2b58398aa48e46e5ba5b5

    • memory/1220-30-0x0000000002520000-0x0000000002521000-memory.dmp

      Filesize

      4KB

    • memory/2096-101-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/2096-33-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/2096-41-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/2096-47-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/2096-94-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/2096-257-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/2096-1877-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/2096-3337-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/2096-18-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/2252-0-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/2252-16-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB