Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

68648c7c66...4e.exe

windows7-x64

8

68648c7c66...4e.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    152s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    03/10/2022, 16:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe

  • Size

    1.1MB

  • MD5

    04406580f7a56a97734a4e98222e9361

  • SHA1

    486c6f5cbc0e63ff623aae5508e047b2ed99b1ed

  • SHA256

    68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e

  • SHA512

    69248fb6ac33541cbf0b30bf3db7fc78a97bb6faf401620b40c99b3de0385f714c2a17b007b8d841baa0c7a984432b3c3dde0befcef6434a170a2a7084997d25

  • SSDEEP

    12288:L3N4qOPajQUXXP8QvLWFx6Mo5rippDC7ee1hpls4Ey+g:L3N4najQEPnvg6PhWDC750g

Score
8/10
spywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1412
      • C:\Users\Admin\AppData\Local\Temp\68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
        "C:\Users\Admin\AppData\Local\Temp\68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1584
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1772
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1648
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a7D99.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:988
            • C:\Users\Admin\AppData\Local\Temp\68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
              "C:\Users\Admin\AppData\Local\Temp\68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:2028
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:856
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1488
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:1312
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1816
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:1640

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\$$a7D99.bat
            Filesize

            722B

            MD5

            28c86913e4ec8e1932366005cd1b64f4

            SHA1

            ad8e225e7fc9e5e660ddb220898444ee81857b43

            SHA256

            e4a49e4060bb6fd277e8e306740a3812e77fc0a9ed9f1d17935afe8824e6ad9e

            SHA512

            9f460ac2295c2d4d8ff6e3414c7bea444c047881df663221ed381f90c464bd7a3862a68a4b114dd22ea44f3eef909f33f46f613eb3615bc6c5441e4806cb8d58

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
            Filesize

            1.1MB

            MD5

            b0375fadbb808beaf33971aa2b1b56e2

            SHA1

            2b978167e0b264e7dd3484c61df8b31799f6867f

            SHA256

            92efe448504a68a44bdcdccad6c903580900a32977ef65b9af229f972551df33

            SHA512

            8e75fbda817d0c57e1206dbc689a0f2e2fc84f6af5774e0679c8b6088691b48e0399135b3ca9f530ded10a54ba84078f9b39060c54595b5ddd910b959a4f9d58

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe.exe
            Filesize

            1.1MB

            MD5

            b0375fadbb808beaf33971aa2b1b56e2

            SHA1

            2b978167e0b264e7dd3484c61df8b31799f6867f

            SHA256

            92efe448504a68a44bdcdccad6c903580900a32977ef65b9af229f972551df33

            SHA512

            8e75fbda817d0c57e1206dbc689a0f2e2fc84f6af5774e0679c8b6088691b48e0399135b3ca9f530ded10a54ba84078f9b39060c54595b5ddd910b959a4f9d58

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            fda93e69b1fe9e9ba2bf9faef22b6829

            SHA1

            f782afc8aae08a93a4e7d444efc680d17fce002b

            SHA256

            180298bb40291e89cd0a6d4526b1f694f5f2b579f36d6eab9ae9fd1925785739

            SHA512

            91e0c39c4890a1a49082bbf14e2ba553bf8f563805b265892e2c985bccff2e266e5e81e298bfb37b16b6468ccb6064e564d11794cf06e4d9d094a58af0ca19f6

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            fda93e69b1fe9e9ba2bf9faef22b6829

            SHA1

            f782afc8aae08a93a4e7d444efc680d17fce002b

            SHA256

            180298bb40291e89cd0a6d4526b1f694f5f2b579f36d6eab9ae9fd1925785739

            SHA512

            91e0c39c4890a1a49082bbf14e2ba553bf8f563805b265892e2c985bccff2e266e5e81e298bfb37b16b6468ccb6064e564d11794cf06e4d9d094a58af0ca19f6

            Download Submit

          • C:\Windows\rundl132.exe
            Filesize

            33KB

            MD5

            fda93e69b1fe9e9ba2bf9faef22b6829

            SHA1

            f782afc8aae08a93a4e7d444efc680d17fce002b

            SHA256

            180298bb40291e89cd0a6d4526b1f694f5f2b579f36d6eab9ae9fd1925785739

            SHA512

            91e0c39c4890a1a49082bbf14e2ba553bf8f563805b265892e2c985bccff2e266e5e81e298bfb37b16b6468ccb6064e564d11794cf06e4d9d094a58af0ca19f6

            Download Submit

          • \Users\Admin\AppData\Local\Temp\68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
            Filesize

            1.1MB

            MD5

            b0375fadbb808beaf33971aa2b1b56e2

            SHA1

            2b978167e0b264e7dd3484c61df8b31799f6867f

            SHA256

            92efe448504a68a44bdcdccad6c903580900a32977ef65b9af229f972551df33

            SHA512

            8e75fbda817d0c57e1206dbc689a0f2e2fc84f6af5774e0679c8b6088691b48e0399135b3ca9f530ded10a54ba84078f9b39060c54595b5ddd910b959a4f9d58

            Download Submit

          • \Users\Admin\AppData\Local\Temp\68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
            Filesize

            1.1MB

            MD5

            b0375fadbb808beaf33971aa2b1b56e2

            SHA1

            2b978167e0b264e7dd3484c61df8b31799f6867f

            SHA256

            92efe448504a68a44bdcdccad6c903580900a32977ef65b9af229f972551df33

            SHA512

            8e75fbda817d0c57e1206dbc689a0f2e2fc84f6af5774e0679c8b6088691b48e0399135b3ca9f530ded10a54ba84078f9b39060c54595b5ddd910b959a4f9d58

            Download Submit

          • memory/856-70-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/856-75-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/1584-61-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/1584-54-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2028-71-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

            Filesize

            8KB

            Download