Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

4263f368a4...76.exe

windows7-x64

7

4263f368a4...76.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/08/2023, 10:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4263f368a427cf138a382e762b6b90ebe897710bc90893d460badf9c2fa68976.exe

  • Size

    66KB

  • MD5

    df2e5ad69e194af7fb7269b85ed6c55c

  • SHA1

    9ee87dff1c42b0b11c10632b29fb9499a07638f6

  • SHA256

    4263f368a427cf138a382e762b6b90ebe897710bc90893d460badf9c2fa68976

  • SHA512

    cc2e7825707591bdef0de5147e003e592529594b9dbc4f98369bcdb7495b7c997805073a3688aba9579615c9de9cecae8ab104dd49f71c1ba1351a26f9c7188c

  • SSDEEP

    768:2tXuRZa+Vxr1x5cE9Fl5pz8w1rU9hFInlIUC4OMMwP3Sy6EGyI4t6a9AkHNXLrM:2tXuRksrz8GvnGUC4ayFGyHNXk

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3192
      • C:\Users\Admin\AppData\Local\Temp\4263f368a427cf138a382e762b6b90ebe897710bc90893d460badf9c2fa68976.exe
        "C:\Users\Admin\AppData\Local\Temp\4263f368a427cf138a382e762b6b90ebe897710bc90893d460badf9c2fa68976.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4624
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2908
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1908
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9F4D.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1772
            • C:\Users\Admin\AppData\Local\Temp\4263f368a427cf138a382e762b6b90ebe897710bc90893d460badf9c2fa68976.exe
              "C:\Users\Admin\AppData\Local\Temp\4263f368a427cf138a382e762b6b90ebe897710bc90893d460badf9c2fa68976.exe"
              4⤵
              • Executes dropped EXE
              PID:4524
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2556
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:5068
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:3068
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1572
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:4176

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            f38a5d409fad5fef8b0a2ccf71837ee2

            SHA1

            7a234891f91c8043e86afe9141a4ebb4f99eac1c

            SHA256

            1365498a31e7691222e0a6cfa28e15c6734b3b9630ba4f0820ccc6cfd654fc4b

            SHA512

            5e5640512dc13adf12717ed8accc510b738c076b418bc3d58920a5d49ac89936121124ab4aebd10f493c836b0f7657740708d5bae9fd22f5a7432adde57b1b58

            Download Submit

          • C:\Program Files\7-Zip\7z.exe
            Filesize

            491KB

            MD5

            ba26b564ef3cacce32fe09efba54d138

            SHA1

            eb1fef21937541a73d3b7a00d9684c76b97049d9

            SHA256

            fdf9f6d004e77f0cc676abf33a6f6f0887d5163aa0cdd9087e5f16df10a94ad2

            SHA512

            9414adb13a45d140b01c1cd35e793c28fef4b37bc0e28b5da9ee090761db7d0dd199a3a7e37970e09d29348cd20d97ec6fdbd0f92508290e58b349fc59d45ddf

            Download Submit

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            478KB

            MD5

            b10dd190226eddfd063390b1bacadba5

            SHA1

            91415d7c037c419649f28be50f33f7cea8c2c1c3

            SHA256

            aeafcb5b19bbc0d61d0bcc5ee2dca7f885e116833384df9f8edee4975021396b

            SHA512

            db6857aca5fd32f41021c2889aba0571ae4046cb896a4ae470a6cb94dd557222172d70782e2537baaed16491c593c6a065d569b87dd891f8c69f0e5e3eba1bd2

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a9F4D.bat
            Filesize

            722B

            MD5

            d68e14f5fdc60e602ec60e9c0a6b2374

            SHA1

            40909ca9a4787a4f91f6281e416445b0487deda8

            SHA256

            74b28d2faeb93cc410db55795e6eeddc0d5a9cc157dc3e84010792c2f775d742

            SHA512

            97b8f928efa9278e56a30e16ea9e6db0f1f307aa04cf5ee471ef57f376c006b0388c8febbff08e1ab6873a496af4e33b66d6a76b7b1d41dbf37a9ed26fe54afb

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\4263f368a427cf138a382e762b6b90ebe897710bc90893d460badf9c2fa68976.exe
            Filesize

            33KB

            MD5

            bdbce90ce74990df3b2c7c8484dde146

            SHA1

            ae6aadaf5467b97779d4c1a81b5cd3dfb9d8ecb4

            SHA256

            f4a3c012f2859ead10af1298d9b20fbd8ca2257f73d530a2b0c25937cb16f6eb

            SHA512

            78e2f31759ce490f38e898ef17a700dd0898cc32b526325e8d7230b4ff119c39124cd2abf30038f70318931cc995abee523b334a29812bf875302dc126c9f958

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\4263f368a427cf138a382e762b6b90ebe897710bc90893d460badf9c2fa68976.exe.exe
            Filesize

            33KB

            MD5

            bdbce90ce74990df3b2c7c8484dde146

            SHA1

            ae6aadaf5467b97779d4c1a81b5cd3dfb9d8ecb4

            SHA256

            f4a3c012f2859ead10af1298d9b20fbd8ca2257f73d530a2b0c25937cb16f6eb

            SHA512

            78e2f31759ce490f38e898ef17a700dd0898cc32b526325e8d7230b4ff119c39124cd2abf30038f70318931cc995abee523b334a29812bf875302dc126c9f958

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            662bb334e5c14da91d5c32a823f99036

            SHA1

            a468d80c82a0a10df9a1c0bd632137d0589717d6

            SHA256

            9eb682d1be68cf22939602275f743f8b276889d83a567dc2e3324bf6f291bb16

            SHA512

            d6a86f1b0b1c6247de411749b61d5fc3d4ba2d543f9c58153e3bb0f248b7cc9c70edf03af15d8af310e3d7cf26bab7fce5859dc6e739759d79ce0a895571b856

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            662bb334e5c14da91d5c32a823f99036

            SHA1

            a468d80c82a0a10df9a1c0bd632137d0589717d6

            SHA256

            9eb682d1be68cf22939602275f743f8b276889d83a567dc2e3324bf6f291bb16

            SHA512

            d6a86f1b0b1c6247de411749b61d5fc3d4ba2d543f9c58153e3bb0f248b7cc9c70edf03af15d8af310e3d7cf26bab7fce5859dc6e739759d79ce0a895571b856

            Download Submit

          • C:\Windows\rundl132.exe
            Filesize

            33KB

            MD5

            662bb334e5c14da91d5c32a823f99036

            SHA1

            a468d80c82a0a10df9a1c0bd632137d0589717d6

            SHA256

            9eb682d1be68cf22939602275f743f8b276889d83a567dc2e3324bf6f291bb16

            SHA512

            d6a86f1b0b1c6247de411749b61d5fc3d4ba2d543f9c58153e3bb0f248b7cc9c70edf03af15d8af310e3d7cf26bab7fce5859dc6e739759d79ce0a895571b856

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-3195054982-4292022746-1467505928-1000\_desktop.ini
            Filesize

            9B

            MD5

            9cf07741f0217a1c9b3d7efb195e326c

            SHA1

            1a3d9c17ea97cc6da370a7d9db4ba27dfac95967

            SHA256

            ffe1314ca6ae8d1ddea45361e73d0d8155ec1f97d389fe164934f126de5cf659

            SHA512

            48cec431954f6b7e29e356854a86f1253e622a968302ea2b6d021fb3788e98957e77f22a8d47866b79392ffda1ed0d8d42182a277c28ac7b98d36ad4153f0f25

            Download Submit

          • memory/2556-1348-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2556-150-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2556-4526-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2556-142-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2556-7798-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2556-8830-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/4624-133-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/4624-143-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download