Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    199s
  • max time network
    179s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/10/2022, 16:37

General

  • Target

    b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe

  • Size

    655KB

  • MD5

    04e66c511fdf2485df76cbc4a2cb14b0

  • SHA1

    a669c062474a18e31f61dc00a4a3fcaf697b02e9

  • SHA256

    b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9

  • SHA512

    090c99782f65618ab0e9230846b2ab5dc1bcdf433d34819d6a819297bc6b173484259905427420241a965640bf584c4e66db68d7898c08aa5a04c37041235210

  • SSDEEP

    12288:Jq+a9slb39XcI9TC9/1bfLkKKeXnehedVzQjRGf6DbLHAqujSIySgzJ2w7eQke:JqB9TtklkBTzQlGf6DbLHAqujSIcC6

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file (the only URL in this run is http://down.360safe.com/setup.exe, opened through Internet Explorer; down.360safe.com is Qihoo 360's own download host, so do not read it as C2 without further evidence)
  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history. In this run the sample also launches Internet Explorer against a URL (see Processes), and the IE instance itself touches its own profile, so check which process produced these IoCs before reading the signature as stealer behaviour.

  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's wording for this signature is "likely ransomware behaviour", but that is a generic heuristic: nothing else in this report (no file encryption, no ransom note) points to ransomware, and the same drive enumeration is how file infectors and worms look for further hosts or removable media. The process flagged for drive enumeration here is Logo1_.exe (PID 848, see Processes).

  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Runs net.exe (net stop "Kingsoft AntiVirus Service", issued once by the sample and twice more by Logo1_.exe; see Processes)
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
    "C:\Users\Admin\AppData\Local\Temp\b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1784
    • C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:956
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        3⤵
        PID:1048
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\$$a3B7B.bat
      2⤵
      • Deletes itself
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1628
      • C:\Users\Admin\AppData\Local\Temp\b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
        "C:\Users\Admin\AppData\Local\Temp\b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1788
        • C:\Windows\SysWOW64\explorer.exe
          "C:\Windows\System32\explorer.exe" URL="http://down.360safe.com/setup.exe"
          4⤵
          PID:972
    • C:\Windows\Logo1_.exe
      C:\Windows\Logo1_.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:848
      • C:\Windows\SysWOW64\net.exe
        net stop "Kingsoft AntiVirus Service"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1676
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          4⤵
          PID:1812
      • C:\Windows\SysWOW64\net.exe
        net stop "Kingsoft AntiVirus Service"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:676
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          4⤵
          PID:768
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:1216
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1392
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://down.360safe.com/setup.exe
      2⤵
      • Modifies Internet Explorer Phishing Filter
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1004
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1004 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1868
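Detection logic over this process tree, added here as a worked example in Python (not part of the Triage report and not Triage's tooling). The PROCS records are constructed by hand from the process list above, with PIDs, images and command lines as shown and parent PIDs inferred from the nesting; the field names, the service keyword list and the list of binaries expected directly in C:\Windows are my own assumptions to tune per environment. Four checks cover the behaviours the signatures flag: net stop against a service whose name says security software, a cmd /c on a .bat in the user's Temp directory whose child re-launches the grandparent's image (the shape behind "Deletes itself" plus "Executes dropped EXE"), an executable running straight out of C:\Windows, and a shell or browser process handed a URL ending in a PE extension.

```python
"""Behavioural checks over the process tree of this Triage run.

Added example, not part of the report and not Triage's tooling. PROCS is
constructed by hand from the process list above (PIDs, images and command
lines as shown; parent PIDs inferred from the nesting). Field names, the
service keyword list and KNOWN_WINDOWS_ROOT are my own assumptions.
"""
import re
from dataclasses import dataclass

SAMPLE = "b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = TEMP + "\\" + SAMPLE


@dataclass
class Proc:
    pid: int
    ppid: int      # 0 = no parent shown in the tree
    image: str
    cmdline: str


PROCS = [
    Proc(1784, 0, SAMPLE_PATH, '"' + SAMPLE_PATH + '"'),
    Proc(956, 1784, r"C:\Windows\SysWOW64\net.exe", 'net stop "Kingsoft AntiVirus Service"'),
    Proc(1048, 956, r"C:\Windows\SysWOW64\net1.exe", r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
    Proc(1628, 1784, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c " + TEMP + r"\$$a3B7B.bat"),
    Proc(1788, 1628, SAMPLE_PATH, '"' + SAMPLE_PATH + '"'),
    Proc(972, 1788, r"C:\Windows\SysWOW64\explorer.exe", r'"C:\Windows\System32\explorer.exe" URL="http://down.360safe.com/setup.exe"'),
    Proc(848, 1784, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    Proc(1676, 848, r"C:\Windows\SysWOW64\net.exe", 'net stop "Kingsoft AntiVirus Service"'),
    Proc(1812, 1676, r"C:\Windows\SysWOW64\net1.exe", r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
    Proc(676, 848, r"C:\Windows\SysWOW64\net.exe", 'net stop "Kingsoft AntiVirus Service"'),
    Proc(768, 676, r"C:\Windows\SysWOW64\net1.exe", r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
    Proc(1216, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    Proc(1392, 0, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding"),
    Proc(1004, 1392, r"C:\Program Files\Internet Explorer\iexplore.exe", r'"C:\Program Files\Internet Explorer\iexplore.exe" http://down.360safe.com/setup.exe'),
    Proc(1868, 1004, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE", r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1004 CREDAT:275457 /prefetch:2'),
]

# Service-name keywords that mean "security software" (assumption; extend per environment).
AV_SERVICE = re.compile(r'(?i)\bstop\s+"?([^"]*(?:anti.?virus|defender|security|kingsoft|mcafee|symantec|kaspersky|avast|360)[^"]*)"?')
# A .bat in the user's Temp directory passed to cmd /c.
TEMP_BAT = re.compile(r"(?i)/c\s+\S*\\temp\\[^ ]+\.bat")
# A URL whose last path component has a PE extension.
PE_URL = re.compile(r"(?i)https?://\S+\.(?:exe|dll|scr)\b")
# Binaries legitimately found directly under C:\Windows on Windows 7 (assumption; tune).
KNOWN_WINDOWS_ROOT = {"explorer.exe", "regedit.exe", "notepad.exe", "hh.exe", "write.exe",
                      "winhlp32.exe", "splwow64.exe", "bfsvc.exe", "helppane.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def av_service_stops(procs):
    """net.exe/net1.exe stopping a service whose name looks like security software."""
    hits = []
    for p in procs:
        if basename(p.image) in ("net.exe", "net1.exe"):
            m = AV_SERVICE.search(p.cmdline)
            if m:
                hits.append((p.pid, m.group(1)))
    return hits


def batch_relaunch(procs):
    """cmd.exe running a Temp .bat whose child re-executes the grandparent's image:
    the batch replaces the original file and restarts it. Returns (grandparent, cmd, child)."""
    pids = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = pids.get(p.ppid)
        grand = pids.get(parent.ppid) if parent else None
        if (parent and grand and basename(parent.image) == "cmd.exe"
                and TEMP_BAT.search(parent.cmdline)
                and p.image.lower() == grand.image.lower()):
            hits.append((grand.pid, parent.pid, p.pid))
    return hits


def executables_in_windows_root(procs):
    """Images living directly in C:\\Windows rather than System32/SysWOW64; few
    legitimate binaries do, so an unknown one (Logo1_.exe here) deserves a look."""
    hits = []
    for p in procs:
        head, _, name = p.image.rpartition("\\")
        if head.lower() == r"c:\windows" and name.lower() not in KNOWN_WINDOWS_ROOT:
            hits.append(p.pid)
    return hits


def browser_pe_fetch(procs):
    """explorer.exe or iexplore.exe handed a URL that points at a PE file."""
    return [p.pid for p in procs
            if basename(p.image) in ("explorer.exe", "iexplore.exe") and PE_URL.search(p.cmdline)]


def triage(procs):
    return {
        "av_service_stop": av_service_stops(procs),
        "batch_relaunch": batch_relaunch(procs),
        "windows_root_exe": executables_in_windows_root(procs),
        "browser_pe_fetch": browser_pe_fetch(procs),
    }


if __name__ == "__main__":
    for rule, hits in triage(PROCS).items():
        print(f"{rule}: {hits}")
```

Note that the iexplore.exe instance sits under a separately COM-activated explorer.exe (the one started with /factory and -Embedding), not under the sample, so a rule that only walks parent to child from PID 1784 never reaches the browser; the URL check keys on the command line instead and catches both the explorer.exe URL= launch by the sample and the browser that actually fetched the file.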

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\$$a3B7B.bat
    Filesize 722B
    MD5 7a4c24d120cb259dda2477e298e57899
    SHA1 4ce2bd7bdc767507fd7d9de17f9204dc3804dcd7
    SHA256 e188ca437b0e325cc2b09323c6a779fbafd15d79c3f92c17d82d065af0532e20
    SHA512 0b047701feec68b2f1c25e58cd77cc19e7005f562dc70888177ba8cb3b9dc99e94dcfebccf40416f29018a1144fc5f167481c3d6febbba21b3912ff10b74a73b

  • C:\Users\Admin\AppData\Local\Temp\b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
    Filesize 621KB
    MD5 b96935d921cb6665638ff00f1b6b8098
    SHA1 b71c40c76301a52e3d49b06ad3f99afffa178934
    SHA256 ca5b1c8f21cb3209e93636300391aba0693ad68957e997fe3ce85c0880eb1f93
    SHA512 40505dc52b697907a9ca9a196a156b751af43e75c97eb6d99835147bafd0561b25b8943ea421350bee5b6cc398b4d13159dfc0d500a4f5ce99130c9ca301e5e8

  • C:\Users\Admin\AppData\Local\Temp\b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe.exe
    Filesize 621KB
    MD5 b96935d921cb6665638ff00f1b6b8098
    SHA1 b71c40c76301a52e3d49b06ad3f99afffa178934
    SHA256 ca5b1c8f21cb3209e93636300391aba0693ad68957e997fe3ce85c0880eb1f93
    SHA512 40505dc52b697907a9ca9a196a156b751af43e75c97eb6d99835147bafd0561b25b8943ea421350bee5b6cc398b4d13159dfc0d500a4f5ce99130c9ca301e5e8

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9HRFVZWB.txt
    Filesize 603B
    MD5 5c721aa855b77dbb9664127c85439fb2
    SHA1 c640cd11726ff2d9b12d02d0a775923299785e6b
    SHA256 ba4ed478d65ffa5b3e819f243ce0c7242bc525e420b6d95e46d769296ee2254f
    SHA512 aee53f02135a03b07cbfab489f8a03764433779a27319e35e0c3ad0d5ccc86b6d2c5985225662a3802410be678ecb5e31cd067c2caeefb8434bf8d4bcc46c15b

  • C:\Windows\Logo1_.exe
    Filesize 33KB
    MD5 d3c9b20260fa9b0131b750f762f5d083
    SHA1 a41ae48d90e642b7ec53c03e2dcefe75ff9c523c
    SHA256 73bc4265b6f4825db9a7ee89cc589ffd01891b2878d7037da02a9bbdcfd6a33f
    SHA512 c69d28908697b802ab9c3997c5af54d3ee3d369bb4e349f9cee846418609715eea7251620f4e09f0e485ac6287d9650aee89c663da538577e46137378db88d64

  • C:\Windows\rundl132.exe
    Filesize 33KB
    MD5 d3c9b20260fa9b0131b750f762f5d083
    SHA1 a41ae48d90e642b7ec53c03e2dcefe75ff9c523c
    SHA256 73bc4265b6f4825db9a7ee89cc589ffd01891b2878d7037da02a9bbdcfd6a33f
    SHA512 c69d28908697b802ab9c3997c5af54d3ee3d369bb4e349f9cee846418609715eea7251620f4e09f0e485ac6287d9650aee89c663da538577e46137378db88d64

  • \Users\Admin\AppData\Local\Temp\b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
    Filesize 621KB
    MD5 b96935d921cb6665638ff00f1b6b8098
    SHA1 b71c40c76301a52e3d49b06ad3f99afffa178934
    SHA256 ca5b1c8f21cb3209e93636300391aba0693ad68957e997fe3ce85c0880eb1f93
    SHA512 40505dc52b697907a9ca9a196a156b751af43e75c97eb6d99835147bafd0561b25b8943ea421350bee5b6cc398b4d13159dfc0d500a4f5ce99130c9ca301e5e8

  • memory/848-61-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize 252KB
  • memory/848-74-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize 252KB
  • memory/972-77-0x00000000749E1000-0x00000000749E3000-memory.dmp
    Filesize 8KB
  • memory/1392-78-0x000007FEFBD01000-0x000007FEFBD03000-memory.dmp
    Filesize 8KB
  • memory/1784-59-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize 252KB
  • memory/1784-54-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize 252KB
  • memory/1788-70-0x00000000751A1000-0x00000000751A3000-memory.dmp
    Filesize 8KB
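Artifact checks over the dropped-file list, added here as a worked example in Python (not part of the report). Three things the list shows but does not spell out: the same 621KB content appears under three path spellings and the same 33KB content under two names (Logo1_.exe and rundl132.exe), so grouping by SHA-256 gives four distinct files rather than seven entries; rundl132.exe is one edit away from rundll32.exe; and the copy re-executed from the sample's own path has a different SHA-256 from the submitted file (ca5b1c8f… versus b443fb98…) and is 34KB smaller, which is within rounding of the 33KB file dropped in C:\Windows. The last check treats that as a hypothesis (a stub of that size prepended to a host program that the batch file restores); the report does not show the batch contents, so it is an inference to confirm on the sample, not a finding of the report. The DROPPED records are constructed from the entries above with sizes as the page rounds them; the tuple layout and the system-binary list are assumptions.

```python
"""Artifact checks over the dropped-file ('Downloads') list of this report.

Added example, not part of the Triage report. DROPPED is constructed from
the file entries above (path, size as the page rounds it, SHA-256); the
tuple layout and SYSTEM_BINARIES are my own assumptions.
"""
from collections import defaultdict

SAMPLE = "b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# SHA-256 values copied from the page.
SHA_SUBMITTED = "b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9"
SHA_BAT = "e188ca437b0e325cc2b09323c6a779fbafd15d79c3f92c17d82d065af0532e20"
SHA_TEMP_COPY = "ca5b1c8f21cb3209e93636300391aba0693ad68957e997fe3ce85c0880eb1f93"
SHA_COOKIE = "ba4ed478d65ffa5b3e819f243ce0c7242bc525e420b6d95e46d769296ee2254f"
SHA_WINDOWS_DROP = "73bc4265b6f4825db9a7ee89cc589ffd01891b2878d7037da02a9bbdcfd6a33f"

SUBMITTED = {"name": SAMPLE, "size_kb": 655, "sha256": SHA_SUBMITTED}

# (path, size in KB, sha256), constructed from the Downloads list above.
DROPPED = [
    (TEMP + r"\$$a3B7B.bat", 0.7, SHA_BAT),
    (TEMP + "\\" + SAMPLE, 621, SHA_TEMP_COPY),
    (TEMP + "\\" + SAMPLE + ".exe", 621, SHA_TEMP_COPY),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9HRFVZWB.txt", 0.6, SHA_COOKIE),
    (r"C:\Windows\Logo1_.exe", 33, SHA_WINDOWS_DROP),
    (r"C:\Windows\rundl132.exe", 33, SHA_WINDOWS_DROP),
    (r"\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE, 621, SHA_TEMP_COPY),
]

# Names a dropped file is compared against (assumption: extend per environment).
SYSTEM_BINARIES = ("rundll32.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                   "smss.exe", "services.exe", "winlogon.exe", "explorer.exe")


def group_by_hash(dropped):
    """Collapse the list to distinct contents: paths sharing a SHA-256 are one
    file written under several names."""
    groups = defaultdict(list)
    for path, _, sha in dropped:
        groups[sha].append(path)
    return dict(groups)


def levenshtein(a, b):
    """Edit distance, used for near-miss detection of system binary names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_names(dropped, max_dist=2):
    """Dropped files whose basename is within max_dist edits of a Windows
    system binary but is not that binary (rundl132.exe vs rundll32.exe)."""
    hits = []
    for path, _, _ in dropped:
        name = path.rsplit("\\", 1)[-1].lower()
        for legit in SYSTEM_BINARIES:
            if name != legit and levenshtein(name, legit) <= max_dist:
                hits.append((path, legit))
    return hits


def host_size_check(submitted, dropped, tol_kb=1.5):
    """Compare the submitted sample with the dropped copy that carries its own
    name. If the hash changed and the size difference equals the size of
    another dropped file, the sample is consistent with a stub of that size
    prepended to a host program that the batch file restores. This is an
    inference to confirm on the sample, not something the report states;
    the tolerance absorbs the page's rounding to whole KB."""
    suffix = "\\" + submitted["name"].lower()
    same_name = [(s, sha) for p, s, sha in dropped if p.lower().endswith(suffix)]
    if not same_name:
        return None
    size, sha = same_name[0]
    delta = submitted["size_kb"] - size
    return {
        "hash_changed": sha != submitted["sha256"],
        "delta_kb": delta,
        "matching_drops": [p for p, s, _ in dropped if s > 1 and abs(s - delta) <= tol_kb],
    }


if __name__ == "__main__":
    for sha, paths in group_by_hash(DROPPED).items():
        print(sha[:12], len(paths), "path(s)")
    print("lookalikes:", lookalike_names(DROPPED))
    print("host check:", host_size_check(SUBMITTED, DROPPED))
```

When hunting with these hashes, use the grouped set: the 621KB content is what ends up on disk under the sample's name after the run, so it is the hash to search for on other hosts, while the submitted SHA-256 identifies only the file as it arrived.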