Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

37ee23adaa...b2.exe

windows7-x64

7

37ee23adaa...b2.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    04/09/2023, 10:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    37ee23adaa06f88c9b3ed46500b201280014ab92e35c2e123014485c0e051bb2.exe

  • Size

    2.1MB

  • MD5

    ed7bd7f8cf60d6f503b0334b51885b30

  • SHA1

    da15c33d2bd425f8f44f8fcfd60cb4f19c30be35

  • SHA256

    37ee23adaa06f88c9b3ed46500b201280014ab92e35c2e123014485c0e051bb2

  • SHA512

    a11075499f58696592e1067e7258729f462554cd51f46087b3e6314e8ce9cece351ed12563e82130244712652133cb9e3e2a2f3bec6ba53c0a7de47863805eba

  • SSDEEP

    24576:hB4EM1W3i4phW7P5DZ+06jJOCnATyES6ybessFAc:hB4EM1W3i4phW7P5KdATyEelsFAc

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1200
      • C:\Users\Admin\AppData\Local\Temp\37ee23adaa06f88c9b3ed46500b201280014ab92e35c2e123014485c0e051bb2.exe
        "C:\Users\Admin\AppData\Local\Temp\37ee23adaa06f88c9b3ed46500b201280014ab92e35c2e123014485c0e051bb2.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2996
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2060
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2332
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a6E4D.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2600
            • C:\Users\Admin\AppData\Local\Temp\37ee23adaa06f88c9b3ed46500b201280014ab92e35c2e123014485c0e051bb2.exe
              "C:\Users\Admin\AppData\Local\Temp\37ee23adaa06f88c9b3ed46500b201280014ab92e35c2e123014485c0e051bb2.exe"
              4⤵
              • Executes dropped EXE
              PID:2660
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2620
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2768
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2516
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2608
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2508

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            032ded763c5053d895d417f701221790

            SHA1

            24bbbf207686532931c052e3713501e75aee5ab3

            SHA256

            0c410aebd8419882efaeee6265f89fc4c276be6ebaafa8a5faf2508f1d43551e

            SHA512

            32c70b29eec95e80c6976971a26eebff295e42c749c579a745f973dd306812fd82de15298b853bad5c599edc85ca4593a2f587102318b3911d50a356af0af001

            Download Submit

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            478KB

            MD5

            26855796aad15692849304ed0905a3a5

            SHA1

            c2a4b980c9ef043c652698cab3707d1611c31f80

            SHA256

            45aefb8183665c4374c0663ed6a99ded2383be669200a05fd2d5dc363201ec99

            SHA512

            c97b14579640f8762e1dc94f66343ca90101f1890f8f528cf0f6bcdc0d48affa3ebf1f41aba839621fbfb6dc81380835ac9002e963dba000a08ccbaa47e72461

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a6E4D.bat
            Filesize

            722B

            MD5

            7d9cdfe9fe53eaa490fd91adbf606e85

            SHA1

            7ad70f659167ebb725207300693dd4973018a7f7

            SHA256

            e3af5a5605a3782a3341df80926512fb5bd9ae33b61a290b4964f441754009e0

            SHA512

            04a5cbe29c5ea9d684a68d2e4091dced3eef0ff1ba28d74e724bd2f5b4b715e32f8111d2497631784c6d964c69e5e3294c18217d991f5e71ed430a0e3ef468c1

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a6E4D.bat
            Filesize

            722B

            MD5

            7d9cdfe9fe53eaa490fd91adbf606e85

            SHA1

            7ad70f659167ebb725207300693dd4973018a7f7

            SHA256

            e3af5a5605a3782a3341df80926512fb5bd9ae33b61a290b4964f441754009e0

            SHA512

            04a5cbe29c5ea9d684a68d2e4091dced3eef0ff1ba28d74e724bd2f5b4b715e32f8111d2497631784c6d964c69e5e3294c18217d991f5e71ed430a0e3ef468c1

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\37ee23adaa06f88c9b3ed46500b201280014ab92e35c2e123014485c0e051bb2.exe
            Filesize

            2.1MB

            MD5

            a22ce15e4298766deac3b4f7088136cd

            SHA1

            bebc83ea0d57201074ed7063459e63933ca89eab

            SHA256

            b95e29141f3fdb36dbb3b93acb0a9e4d09ff584aad2892b9b35b9ed786142a1e

            SHA512

            c5899d607c7dbeeb4918c3f289f0aef8bc4458b292b8769b04691f5eef5b82471a4b8263b5b140410efae0eaacb33a4e2bc5dd0aed83d3f899d15ee6d4570d80

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\37ee23adaa06f88c9b3ed46500b201280014ab92e35c2e123014485c0e051bb2.exe.exe
            Filesize

            2.1MB

            MD5

            a22ce15e4298766deac3b4f7088136cd

            SHA1

            bebc83ea0d57201074ed7063459e63933ca89eab

            SHA256

            b95e29141f3fdb36dbb3b93acb0a9e4d09ff584aad2892b9b35b9ed786142a1e

            SHA512

            c5899d607c7dbeeb4918c3f289f0aef8bc4458b292b8769b04691f5eef5b82471a4b8263b5b140410efae0eaacb33a4e2bc5dd0aed83d3f899d15ee6d4570d80

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            06ace9eb2d0855f1ff523c933936e82c

            SHA1

            7340342baf9245740ec36251496b498eaedccbe1

            SHA256

            1d81248e789c990ec2bf5bc1d77a49b63305c0d511be0a5ce31c9dc7ef3a25c9

            SHA512

            76cab9e1e28f22dd65d13f315f9b9374edd2996f73dd16cf3fb3a7cce405427e1f90faf25e62f0f381a24faaf5a40c253d375da609bad62fbea4027652396fc9

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            06ace9eb2d0855f1ff523c933936e82c

            SHA1

            7340342baf9245740ec36251496b498eaedccbe1

            SHA256

            1d81248e789c990ec2bf5bc1d77a49b63305c0d511be0a5ce31c9dc7ef3a25c9

            SHA512

            76cab9e1e28f22dd65d13f315f9b9374edd2996f73dd16cf3fb3a7cce405427e1f90faf25e62f0f381a24faaf5a40c253d375da609bad62fbea4027652396fc9

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            06ace9eb2d0855f1ff523c933936e82c

            SHA1

            7340342baf9245740ec36251496b498eaedccbe1

            SHA256

            1d81248e789c990ec2bf5bc1d77a49b63305c0d511be0a5ce31c9dc7ef3a25c9

            SHA512

            76cab9e1e28f22dd65d13f315f9b9374edd2996f73dd16cf3fb3a7cce405427e1f90faf25e62f0f381a24faaf5a40c253d375da609bad62fbea4027652396fc9

            Download Submit

          • C:\Windows\rundl132.exe
            Filesize

            33KB

            MD5

            06ace9eb2d0855f1ff523c933936e82c

            SHA1

            7340342baf9245740ec36251496b498eaedccbe1

            SHA256

            1d81248e789c990ec2bf5bc1d77a49b63305c0d511be0a5ce31c9dc7ef3a25c9

            SHA512

            76cab9e1e28f22dd65d13f315f9b9374edd2996f73dd16cf3fb3a7cce405427e1f90faf25e62f0f381a24faaf5a40c253d375da609bad62fbea4027652396fc9

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-86725733-3001458681-3405935542-1000\_desktop.ini
            Filesize

            8B

            MD5

            587438ba3214d6958f23eced1b2cd39c

            SHA1

            56d9150b977089419b026aaf6ee032981c437dfd

            SHA256

            4a9d4c3f321c10e2bb0319dca7695b9b3252a0e1d35cfc2a09bac15d5c36e090

            SHA512

            31309fcfa73bf18bb138cbe3744414acc13498184290586c8f185e828027f7b0c647f3f102826099465c7995a29e8a33d95f832ffac8d16b619b53f037e4fd63

            Download Submit

          • \Users\Admin\AppData\Local\Temp\37ee23adaa06f88c9b3ed46500b201280014ab92e35c2e123014485c0e051bb2.exe
            Filesize

            2.1MB

            MD5

            a22ce15e4298766deac3b4f7088136cd

            SHA1

            bebc83ea0d57201074ed7063459e63933ca89eab

            SHA256

            b95e29141f3fdb36dbb3b93acb0a9e4d09ff584aad2892b9b35b9ed786142a1e

            SHA512

            c5899d607c7dbeeb4918c3f289f0aef8bc4458b292b8769b04691f5eef5b82471a4b8263b5b140410efae0eaacb33a4e2bc5dd0aed83d3f899d15ee6d4570d80

            Download Submit

          • memory/1200-27-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2620-19-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2620-30-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2620-1356-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2620-3324-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2620-4085-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2996-0-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2996-16-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2996-12-0x0000000002FC0000-0x0000000002FFF000-memory.dmp

            Filesize

            252KB

            Download