Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

37ee23adaa...b2.exe

windows7-x64

7

37ee23adaa...b2.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230831-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/09/2023, 10:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    37ee23adaa06f88c9b3ed46500b201280014ab92e35c2e123014485c0e051bb2.exe

  • Size

    2.1MB

  • MD5

    ed7bd7f8cf60d6f503b0334b51885b30

  • SHA1

    da15c33d2bd425f8f44f8fcfd60cb4f19c30be35

  • SHA256

    37ee23adaa06f88c9b3ed46500b201280014ab92e35c2e123014485c0e051bb2

  • SHA512

    a11075499f58696592e1067e7258729f462554cd51f46087b3e6314e8ce9cece351ed12563e82130244712652133cb9e3e2a2f3bec6ba53c0a7de47863805eba

  • SSDEEP

    24576:hB4EM1W3i4phW7P5DZ+06jJOCnATyES6ybessFAc:hB4EM1W3i4phW7P5KdATyEelsFAc

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3136
      • C:\Users\Admin\AppData\Local\Temp\37ee23adaa06f88c9b3ed46500b201280014ab92e35c2e123014485c0e051bb2.exe
        "C:\Users\Admin\AppData\Local\Temp\37ee23adaa06f88c9b3ed46500b201280014ab92e35c2e123014485c0e051bb2.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:5040
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2576
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2804
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a73E8.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4544
            • C:\Users\Admin\AppData\Local\Temp\37ee23adaa06f88c9b3ed46500b201280014ab92e35c2e123014485c0e051bb2.exe
              "C:\Users\Admin\AppData\Local\Temp\37ee23adaa06f88c9b3ed46500b201280014ab92e35c2e123014485c0e051bb2.exe"
              4⤵
              • Executes dropped EXE
              PID:1108
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4640
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2240
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:1568
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:524
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2508

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            032ded763c5053d895d417f701221790

            SHA1

            24bbbf207686532931c052e3713501e75aee5ab3

            SHA256

            0c410aebd8419882efaeee6265f89fc4c276be6ebaafa8a5faf2508f1d43551e

            SHA512

            32c70b29eec95e80c6976971a26eebff295e42c749c579a745f973dd306812fd82de15298b853bad5c599edc85ca4593a2f587102318b3911d50a356af0af001

            Download Submit

          • C:\Program Files\7-Zip\7z.exe
            Filesize

            491KB

            MD5

            83a8f6315017d900e14375c55372c60f

            SHA1

            b321c9a9e858c91127e323e54ad13dd4ebc11a4a

            SHA256

            7ac770f0caad25cf9b858e819bee68419b3bb4182ca8559a09d9aca793bc849a

            SHA512

            cdb0e898507908f11a793948ed32749ca2c0d93548631b3c3d12bf75144c117569d554a3991abdfbddabcb7ded76ea4a45aa7db9765fdb3bc03b28f75075a0d3

            Download Submit

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            478KB

            MD5

            26855796aad15692849304ed0905a3a5

            SHA1

            c2a4b980c9ef043c652698cab3707d1611c31f80

            SHA256

            45aefb8183665c4374c0663ed6a99ded2383be669200a05fd2d5dc363201ec99

            SHA512

            c97b14579640f8762e1dc94f66343ca90101f1890f8f528cf0f6bcdc0d48affa3ebf1f41aba839621fbfb6dc81380835ac9002e963dba000a08ccbaa47e72461

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a73E8.bat
            Filesize

            722B

            MD5

            bb77df00954e99c83ed8d1ae6a953fe3

            SHA1

            5369a49b967e93bf5df213fb9862cb12286cd180

            SHA256

            968b7fceae19e9cac826bdafdf580a81a0647b1d5d48143cb8f596a445b58ed1

            SHA512

            2d10f0dfb2b88fac099166caef0444e6489189936d16729f2ed55d157ec3e05b63b1cb14da48bd0edf734aa365659449f4a260551f0d13ea2a58304374e33734

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\37ee23adaa06f88c9b3ed46500b201280014ab92e35c2e123014485c0e051bb2.exe
            Filesize

            2.1MB

            MD5

            a22ce15e4298766deac3b4f7088136cd

            SHA1

            bebc83ea0d57201074ed7063459e63933ca89eab

            SHA256

            b95e29141f3fdb36dbb3b93acb0a9e4d09ff584aad2892b9b35b9ed786142a1e

            SHA512

            c5899d607c7dbeeb4918c3f289f0aef8bc4458b292b8769b04691f5eef5b82471a4b8263b5b140410efae0eaacb33a4e2bc5dd0aed83d3f899d15ee6d4570d80

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\37ee23adaa06f88c9b3ed46500b201280014ab92e35c2e123014485c0e051bb2.exe.exe
            Filesize

            2.1MB

            MD5

            a22ce15e4298766deac3b4f7088136cd

            SHA1

            bebc83ea0d57201074ed7063459e63933ca89eab

            SHA256

            b95e29141f3fdb36dbb3b93acb0a9e4d09ff584aad2892b9b35b9ed786142a1e

            SHA512

            c5899d607c7dbeeb4918c3f289f0aef8bc4458b292b8769b04691f5eef5b82471a4b8263b5b140410efae0eaacb33a4e2bc5dd0aed83d3f899d15ee6d4570d80

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            06ace9eb2d0855f1ff523c933936e82c

            SHA1

            7340342baf9245740ec36251496b498eaedccbe1

            SHA256

            1d81248e789c990ec2bf5bc1d77a49b63305c0d511be0a5ce31c9dc7ef3a25c9

            SHA512

            76cab9e1e28f22dd65d13f315f9b9374edd2996f73dd16cf3fb3a7cce405427e1f90faf25e62f0f381a24faaf5a40c253d375da609bad62fbea4027652396fc9

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            06ace9eb2d0855f1ff523c933936e82c

            SHA1

            7340342baf9245740ec36251496b498eaedccbe1

            SHA256

            1d81248e789c990ec2bf5bc1d77a49b63305c0d511be0a5ce31c9dc7ef3a25c9

            SHA512

            76cab9e1e28f22dd65d13f315f9b9374edd2996f73dd16cf3fb3a7cce405427e1f90faf25e62f0f381a24faaf5a40c253d375da609bad62fbea4027652396fc9

            Download Submit

          • C:\Windows\rundl132.exe
            Filesize

            33KB

            MD5

            06ace9eb2d0855f1ff523c933936e82c

            SHA1

            7340342baf9245740ec36251496b498eaedccbe1

            SHA256

            1d81248e789c990ec2bf5bc1d77a49b63305c0d511be0a5ce31c9dc7ef3a25c9

            SHA512

            76cab9e1e28f22dd65d13f315f9b9374edd2996f73dd16cf3fb3a7cce405427e1f90faf25e62f0f381a24faaf5a40c253d375da609bad62fbea4027652396fc9

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-2415528079-3794552930-4264847036-1000\_desktop.ini
            Filesize

            8B

            MD5

            587438ba3214d6958f23eced1b2cd39c

            SHA1

            56d9150b977089419b026aaf6ee032981c437dfd

            SHA256

            4a9d4c3f321c10e2bb0319dca7695b9b3252a0e1d35cfc2a09bac15d5c36e090

            SHA512

            31309fcfa73bf18bb138cbe3744414acc13498184290586c8f185e828027f7b0c647f3f102826099465c7995a29e8a33d95f832ffac8d16b619b53f037e4fd63

            Download Submit

          • memory/4640-17-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4640-1697-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4640-8-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4640-5648-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4640-8763-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/5040-0-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/5040-10-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download