Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

ae275c6d2b...fd.exe

windows7-x64

8

ae275c6d2b...fd.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    58s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    05/12/2022, 10:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ae275c6d2bf397a37d1cdb5eef2f213aa2f2256ead213a0b7b9dd54114c766fd.exe

  • Size

    66KB

  • MD5

    e26be163c0824f1af5fd4a9de6cd4d17

  • SHA1

    0de9b52e61b9b8ce03830aa5b61f338b1a177984

  • SHA256

    ae275c6d2bf397a37d1cdb5eef2f213aa2f2256ead213a0b7b9dd54114c766fd

  • SHA512

    294319e2702e1326bb16d3edaf9991a03702fcba31fb4bb9f856afa54541f01a9ac0c27d165506c3498eb02106db72ef537ec8d3c228d648549a5bb55cdc1993

  • SSDEEP

    1536:Oie+Zk77RNzXFWQdXDSGe+nLfAJlw++hhhhhhhhhhhhhhhhhhPAPslbJdMc:Oie+aX3zX8QBD1nb6l2APUnMc

Score
8/10
spywarestealer

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1396
      • C:\Users\Admin\AppData\Local\Temp\ae275c6d2bf397a37d1cdb5eef2f213aa2f2256ead213a0b7b9dd54114c766fd.exe
        "C:\Users\Admin\AppData\Local\Temp\ae275c6d2bf397a37d1cdb5eef2f213aa2f2256ead213a0b7b9dd54114c766fd.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:956
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:916
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1012
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a393A.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1616
            • C:\Users\Admin\AppData\Local\Temp\ae275c6d2bf397a37d1cdb5eef2f213aa2f2256ead213a0b7b9dd54114c766fd.exe
              "C:\Users\Admin\AppData\Local\Temp\ae275c6d2bf397a37d1cdb5eef2f213aa2f2256ead213a0b7b9dd54114c766fd.exe"
              4⤵
              • Executes dropped EXE
              PID:1692
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:816
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1504
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:684
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1536
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:1216

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\$$a393A.bat
            Filesize

            722B

            MD5

            b45875c38aabc4245c3d3fdbaca1759d

            SHA1

            d5cd56a24c4c60ec0bfd4b12d121931825f9eab3

            SHA256

            b7af3035b8ba93c834698f399377cf2b685d8fc7f79302d842be37726ea0bd31

            SHA512

            caf5218c9ee50bf6bb97fdf10afde1a49459b374ede147e42b488cfef5f94476d7921bf59aa6a85440514603245c35b9f4d16084b91d67601c50ed3ad9228af1

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\ae275c6d2bf397a37d1cdb5eef2f213aa2f2256ead213a0b7b9dd54114c766fd.exe
            Filesize

            33KB

            MD5

            2312a2e4f4acd681b0a5ad84073ff5c6

            SHA1

            5c5c39f3c12696a5cca9bbda1f136c6344db016c

            SHA256

            f077efa6ece55477eb08d3257996cea63cce889cc85248dec12f175a6665c098

            SHA512

            9277c7ddde8abd6735767a8cee2e8659c28a062d1c8a27072b250992f2f50bc6a631b230d2d0b07bdae3b3180e804b69631327562574aa892ae81e7f091dd875

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\ae275c6d2bf397a37d1cdb5eef2f213aa2f2256ead213a0b7b9dd54114c766fd.exe.exe
            Filesize

            33KB

            MD5

            2312a2e4f4acd681b0a5ad84073ff5c6

            SHA1

            5c5c39f3c12696a5cca9bbda1f136c6344db016c

            SHA256

            f077efa6ece55477eb08d3257996cea63cce889cc85248dec12f175a6665c098

            SHA512

            9277c7ddde8abd6735767a8cee2e8659c28a062d1c8a27072b250992f2f50bc6a631b230d2d0b07bdae3b3180e804b69631327562574aa892ae81e7f091dd875

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            86fecf259ac9512fe3038023c4403c8c

            SHA1

            9b4d5cfe92d0170e30a335acadad79cba234fbb2

            SHA256

            e7000d02314792f25f9c1a59bc848296a0a9bc9c89c3ef4c64fdf1a43366dd6e

            SHA512

            a14eb332c2bd6603a132e35c8738eff99be5c7d8d3c5df0ee2888c6f719ac930ee803b91a8bb70c8ade349cc700322401763ff0f832f9d9537d2fb22016a82dd

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            86fecf259ac9512fe3038023c4403c8c

            SHA1

            9b4d5cfe92d0170e30a335acadad79cba234fbb2

            SHA256

            e7000d02314792f25f9c1a59bc848296a0a9bc9c89c3ef4c64fdf1a43366dd6e

            SHA512

            a14eb332c2bd6603a132e35c8738eff99be5c7d8d3c5df0ee2888c6f719ac930ee803b91a8bb70c8ade349cc700322401763ff0f832f9d9537d2fb22016a82dd

            Download Submit

          • C:\Windows\rundl132.exe
            Filesize

            33KB

            MD5

            86fecf259ac9512fe3038023c4403c8c

            SHA1

            9b4d5cfe92d0170e30a335acadad79cba234fbb2

            SHA256

            e7000d02314792f25f9c1a59bc848296a0a9bc9c89c3ef4c64fdf1a43366dd6e

            SHA512

            a14eb332c2bd6603a132e35c8738eff99be5c7d8d3c5df0ee2888c6f719ac930ee803b91a8bb70c8ade349cc700322401763ff0f832f9d9537d2fb22016a82dd

            Download Submit

          • \Users\Admin\AppData\Local\Temp\ae275c6d2bf397a37d1cdb5eef2f213aa2f2256ead213a0b7b9dd54114c766fd.exe
            Filesize

            33KB

            MD5

            2312a2e4f4acd681b0a5ad84073ff5c6

            SHA1

            5c5c39f3c12696a5cca9bbda1f136c6344db016c

            SHA256

            f077efa6ece55477eb08d3257996cea63cce889cc85248dec12f175a6665c098

            SHA512

            9277c7ddde8abd6735767a8cee2e8659c28a062d1c8a27072b250992f2f50bc6a631b230d2d0b07bdae3b3180e804b69631327562574aa892ae81e7f091dd875

            Download Submit

          • \Users\Admin\AppData\Local\Temp\ae275c6d2bf397a37d1cdb5eef2f213aa2f2256ead213a0b7b9dd54114c766fd.exe
            Filesize

            33KB

            MD5

            2312a2e4f4acd681b0a5ad84073ff5c6

            SHA1

            5c5c39f3c12696a5cca9bbda1f136c6344db016c

            SHA256

            f077efa6ece55477eb08d3257996cea63cce889cc85248dec12f175a6665c098

            SHA512

            9277c7ddde8abd6735767a8cee2e8659c28a062d1c8a27072b250992f2f50bc6a631b230d2d0b07bdae3b3180e804b69631327562574aa892ae81e7f091dd875

            Download Submit

          • memory/816-71-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/816-75-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/956-60-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/956-54-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/1692-70-0x0000000076561000-0x0000000076563000-memory.dmp

            Filesize

            8KB

            Download