Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

63ac684ec0...43.exe

windows7-x64

8

63ac684ec0...43.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    07/11/2022, 20:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe

  • Size

    116KB

  • MD5

    0b885ed723a267e39d90dacd99d29e71

  • SHA1

    0eea34d096dfd5b70cb8fea2bdd2fe411dfa39ab

  • SHA256

    63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43

  • SHA512

    e4d120648b71010d7eb51c858e1c1e9b985a352bf4f16daa4ec59831e6131f9b5bcddfd318615e60fb25485dacd71514b03663503ed0cb7c2d9b02ae561179aa

  • SSDEEP

    1536:6bqBQiRBxl5EzcBK/evhxx7C/iijdP5qHw76xDjqTQEnYa7bRgfoSXkgvV84vadC:zbRBxl5NBHt8RP4q6x0Zn3Cbkgy4C

Score
8/10
spywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1340
      • C:\Users\Admin\AppData\Local\Temp\63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe
        "C:\Users\Admin\AppData\Local\Temp\63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2024
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1956
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:280
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a5C83.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:952
            • C:\Users\Admin\AppData\Local\Temp\63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe
              "C:\Users\Admin\AppData\Local\Temp\63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe"
              4⤵
              • Executes dropped EXE
              PID:1524
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1664
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1608
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:1456
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1440
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:664

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\$$a5C83.bat
            Filesize

            722B

            MD5

            48adb030905636055e2ca1259de54697

            SHA1

            c193b2d45d4d7dc97d376bd31193c5a5091abb83

            SHA256

            591682f93416711cb3440fae957f078a05246b4d03774529783037f7172244a3

            SHA512

            600499f219dc8cce4d13cfd9ee37965ec1e71c88e5ca1964bc9cb2331954ee3a9ccebd3700d363df52a8b5beb0046c96de5b883064d73ba146871a99754ea328

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe
            Filesize

            14KB

            MD5

            f0dfb2a69d35078d5df8739cb62fadf1

            SHA1

            2928b68d948940525c9a171a08c83f569d3ac744

            SHA256

            947df2894a77d3c4ea639222e2dfcc910430b6dc9618a48035c6e7cce62f4f85

            SHA512

            220ed6bcbb19897277f8b26a3ff541296d200932af102a0012dff973ca99cf52a1a2110b79d8a3597b740de42de4826cbdd4d03393a4aa2750db455ee0af73e8

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe.exe
            Filesize

            14KB

            MD5

            f0dfb2a69d35078d5df8739cb62fadf1

            SHA1

            2928b68d948940525c9a171a08c83f569d3ac744

            SHA256

            947df2894a77d3c4ea639222e2dfcc910430b6dc9618a48035c6e7cce62f4f85

            SHA512

            220ed6bcbb19897277f8b26a3ff541296d200932af102a0012dff973ca99cf52a1a2110b79d8a3597b740de42de4826cbdd4d03393a4aa2750db455ee0af73e8

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            102KB

            MD5

            d877bc30563b5b563dc157612abd7604

            SHA1

            529b855df49a169099c93401dd282fb2b5242a29

            SHA256

            99b6fec9b18091bb3dc617be2df3d75c5f5b51945503f23486f3f49579632cb6

            SHA512

            9398fd0078dce71cedaf067fcd59afcc8599d52cd6fddb66496d26025ab60d59b82aeeb471fe21a97b71c25a587fe4f202ff26fe46da347fea60d3d0105281a3

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            102KB

            MD5

            d877bc30563b5b563dc157612abd7604

            SHA1

            529b855df49a169099c93401dd282fb2b5242a29

            SHA256

            99b6fec9b18091bb3dc617be2df3d75c5f5b51945503f23486f3f49579632cb6

            SHA512

            9398fd0078dce71cedaf067fcd59afcc8599d52cd6fddb66496d26025ab60d59b82aeeb471fe21a97b71c25a587fe4f202ff26fe46da347fea60d3d0105281a3

            Download Submit

          • C:\Windows\rundl132.exe
            Filesize

            102KB

            MD5

            d877bc30563b5b563dc157612abd7604

            SHA1

            529b855df49a169099c93401dd282fb2b5242a29

            SHA256

            99b6fec9b18091bb3dc617be2df3d75c5f5b51945503f23486f3f49579632cb6

            SHA512

            9398fd0078dce71cedaf067fcd59afcc8599d52cd6fddb66496d26025ab60d59b82aeeb471fe21a97b71c25a587fe4f202ff26fe46da347fea60d3d0105281a3

            Download Submit

          • \Users\Admin\AppData\Local\Temp\63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe
            Filesize

            14KB

            MD5

            f0dfb2a69d35078d5df8739cb62fadf1

            SHA1

            2928b68d948940525c9a171a08c83f569d3ac744

            SHA256

            947df2894a77d3c4ea639222e2dfcc910430b6dc9618a48035c6e7cce62f4f85

            SHA512

            220ed6bcbb19897277f8b26a3ff541296d200932af102a0012dff973ca99cf52a1a2110b79d8a3597b740de42de4826cbdd4d03393a4aa2750db455ee0af73e8

            Download Submit