Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

426b18d6ef...18.exe

windows7-x64

7

426b18d6ef...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/09/2023, 05:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    426b18d6ef1280bc4c2d4746c58aa6b4d80ca198ca53d6bc8b5d509067cbb018.exe

  • Size

    2.8MB

  • MD5

    256dd5ebd731d0776f4e5cd0dfd61faa

  • SHA1

    3305d0c8749e172c56f8823ca8aff5359484d96c

  • SHA256

    426b18d6ef1280bc4c2d4746c58aa6b4d80ca198ca53d6bc8b5d509067cbb018

  • SHA512

    c9113cee8f6c92a7ddd63e766d0ada9239327a6d635442259174845d5fcf8f0feee6312fe715917c8ca11f14c20e3a1f22d2264f9a14c55d6937abf34a1c2123

  • SSDEEP

    49152:3C6gLKJuMarhVnMFwTH8/giBiBcbk4ZxZ2DqFeVMhuxcPh:3Hd1XdhBiiMa7

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3204
      • C:\Users\Admin\AppData\Local\Temp\426b18d6ef1280bc4c2d4746c58aa6b4d80ca198ca53d6bc8b5d509067cbb018.exe
        "C:\Users\Admin\AppData\Local\Temp\426b18d6ef1280bc4c2d4746c58aa6b4d80ca198ca53d6bc8b5d509067cbb018.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2516
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4428
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2432
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a93D4.bat
            3⤵
              PID:5044
              • C:\Users\Admin\AppData\Local\Temp\426b18d6ef1280bc4c2d4746c58aa6b4d80ca198ca53d6bc8b5d509067cbb018.exe
                "C:\Users\Admin\AppData\Local\Temp\426b18d6ef1280bc4c2d4746c58aa6b4d80ca198ca53d6bc8b5d509067cbb018.exe"
                4⤵
                • Executes dropped EXE
                PID:4156
            • C:\Windows\Logo1_.exe
              C:\Windows\Logo1_.exe
              3⤵
              • Drops startup file
              • Executes dropped EXE
              • Enumerates connected drives
              • Drops file in Program Files directory
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:3052
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1228
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:5008
                • C:\Windows\SysWOW64\net.exe
                  net stop "Kingsoft AntiVirus Service"
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3920
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                    5⤵
                      PID:4292

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
              Filesize

              258KB

              MD5

              806c56b4f1c79375f1f1283272042133

              SHA1

              13639705ca7ba144fe7fbf9d91cbf94204dee251

              SHA256

              e114ca92444ee60417e23449cd9df3f2dbb0f03b89a820ac239b96d3f4c7340d

              SHA512

              6c4e0242baea4236a092d87d5553e27ea40d6fca260b01fd4260f1e83a2aa0f71c06ac9b4cc10a661b80286addb0370df39ef8327a5ab73f7b795a80f8191ac7

              Download Submit

            • C:\Program Files\7-Zip\7z.exe
              Filesize

              491KB

              MD5

              6d9bdfea8c3d164ff5a67f5a022ff1f4

              SHA1

              3ecfcd1fd7ff5c85d243ce2c9218ddd9d799d983

              SHA256

              d26cf7173e56cbc5dd91402ef4b5f11f257c32595ef5569945452878780c983a

              SHA512

              1814f5f8991cf6fe35e7912190db3c98a29e561764d50c3ae43ecf28df314c8a926fd2ff9440bfd73574cf5f0020cd8b24fd341aaba77f0c5d8bcf7eb7d2f838

              Download Submit

            • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
              Filesize

              478KB

              MD5

              72c34333e3dbd45b5766d444f1d55b09

              SHA1

              434ba6612e225de1883f1259e237dd2d451898c6

              SHA256

              cb0ce66f231069c917c9038ef008e456213a0766d89ec65b369243a9668e9080

              SHA512

              b52d0e80b16fe4db8cf7a0bc9bd0adf26dbac25ea68ae754dcde17f146cc494ee1a0c0b97f20236d840f7e286be0e3e5eab342f694af8876edef93b240c16fe8

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\$$a93D4.bat
              Filesize

              722B

              MD5

              22454f4a16a8920ac5dfb7327c8b2e9c

              SHA1

              6999e3e5632b4d38c213f1fe769c2c83712111be

              SHA256

              62326005f7da9cc033cd65e506c94073ea2c6af74b54b4ebef2ec128645c2389

              SHA512

              3185176fb803c4eac3e2192bc090a3d7f54000c3c1fa1d48802d0a080bcecd771899291e3a3d3c064015fc81f440d258d5f810c8a1393012d0b6a8ccc04e30d1

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\426b18d6ef1280bc4c2d4746c58aa6b4d80ca198ca53d6bc8b5d509067cbb018.exe
              Filesize

              2.8MB

              MD5

              095092f4e746810c5829038d48afd55a

              SHA1

              246eb3d41194dddc826049bbafeb6fc522ec044a

              SHA256

              2f606012843d144610dc7be55d1716d5d106cbc6acbce57561dc0e62c38b8588

              SHA512

              7f36fc03bfed0f3cf6ac3406c819993bf995e4f8c26a7589e9032c14b5a9c7048f5567f77b3b15f946c5282fc0be6308a92eab7879332d74c400d0c139ce8400

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\426b18d6ef1280bc4c2d4746c58aa6b4d80ca198ca53d6bc8b5d509067cbb018.exe.exe
              Filesize

              2.8MB

              MD5

              095092f4e746810c5829038d48afd55a

              SHA1

              246eb3d41194dddc826049bbafeb6fc522ec044a

              SHA256

              2f606012843d144610dc7be55d1716d5d106cbc6acbce57561dc0e62c38b8588

              SHA512

              7f36fc03bfed0f3cf6ac3406c819993bf995e4f8c26a7589e9032c14b5a9c7048f5567f77b3b15f946c5282fc0be6308a92eab7879332d74c400d0c139ce8400

              Download Submit

            • C:\Windows\Logo1_.exe
              Filesize

              33KB

              MD5

              0b6156999b5b4bfd7c933e0272c7d732

              SHA1

              c828379a55ade751d43929827ae928773ee7da29

              SHA256

              7bc8d0e4ec426448c34caa6c599b7d93a37263ac7e783dc7adae46aa04305cbd

              SHA512

              0e32d0a67572b5f5619ea4ddac07ecd12d2bbac1b442a4af3d87992439a2e443557383f1545020b5650e6a1225d0f0c8aec12e2889fe0d8e852720ceed12dd5f

              Download Submit

            • C:\Windows\Logo1_.exe
              Filesize

              33KB

              MD5

              0b6156999b5b4bfd7c933e0272c7d732

              SHA1

              c828379a55ade751d43929827ae928773ee7da29

              SHA256

              7bc8d0e4ec426448c34caa6c599b7d93a37263ac7e783dc7adae46aa04305cbd

              SHA512

              0e32d0a67572b5f5619ea4ddac07ecd12d2bbac1b442a4af3d87992439a2e443557383f1545020b5650e6a1225d0f0c8aec12e2889fe0d8e852720ceed12dd5f

              Download Submit

            • C:\Windows\rundl132.exe
              Filesize

              33KB

              MD5

              0b6156999b5b4bfd7c933e0272c7d732

              SHA1

              c828379a55ade751d43929827ae928773ee7da29

              SHA256

              7bc8d0e4ec426448c34caa6c599b7d93a37263ac7e783dc7adae46aa04305cbd

              SHA512

              0e32d0a67572b5f5619ea4ddac07ecd12d2bbac1b442a4af3d87992439a2e443557383f1545020b5650e6a1225d0f0c8aec12e2889fe0d8e852720ceed12dd5f

              Download Submit

            • F:\$RECYCLE.BIN\S-1-5-21-919254492-3979293997-764407192-1000\_desktop.ini
              Filesize

              9B

              MD5

              872506f1dadcc0cedd1e9dee11f54da4

              SHA1

              d1e87145ed1d918f10ae4e93ccdbb994bc906ed5

              SHA256

              a0049e98811438481e150df54f7b555026746c943cb03106677bf75b4e412104

              SHA512

              6cf3aeeed18e66a16ed653a5c33133ec8d5fb58cf42aab9e712cf473233e506d4f14692dff04b7c20847718e5c344ec2651e57d2ae7a034610b07679b786344c

              Download Submit

            • memory/2516-0-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/2516-10-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/3052-17-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/3052-1475-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/3052-4967-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/3052-9-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/3052-8691-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download