Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

b2148e329a...ee.exe

windows7-x64

8

b2148e329a...ee.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    11/10/2023, 14:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe

  • Size

    33KB

  • MD5

    2dbe6bbefc65c1ca0ee7171a08383336

  • SHA1

    68fb3d025158255f8be919c3587fcec8786879a7

  • SHA256

    b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee

  • SHA512

    4d642abe74c7acb964dbd99c57f8b598a9311cec2cb0bfbd8b4532c0a584e3d7eec82177783b7c1936224fb554527f604b1eba991fb046ae8393e450c44a800a

  • SSDEEP

    768:PwjhElOIEvzMXqtwp/lttaL7HP4wIncLRdR5kP78a0RJW/a:PoaYzMXqtGNttyUn01Q78a4R

Score
8/10
spywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1264
      • C:\Users\Admin\AppData\Local\Temp\b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
        "C:\Users\Admin\AppData\Local\Temp\b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe"
        2⤵
        • Drops file in Drivers directory
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2304
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2080
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1164
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2616
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              4⤵
                PID:2804

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
          Filesize

          258KB

          MD5

          90d480c151060797b4d5a8bbbbf83460

          SHA1

          9c7f25f2c8bd05e64eced566d79d67e9a5cd78f9

          SHA256

          bb537850e2ec583f558e908dcf9808fdbf6c3d8f513c74d6deba756631b2c5b4

          SHA512

          4d1c2667a1f0bbfa37ad44c29d50176fb7afe6b5668fef91c3489a458d06dc5f10708ce658d94e0c490bd64aee9dad7595c942f60a74f3a796b844df6568f607

          Download Submit

        • C:\Program Files\7-Zip\7zG.exe
          Filesize

          601KB

          MD5

          ecf64f898c14da8f7bd3ff788f077a4d

          SHA1

          b83b03810521723571b6df5ba35b2b5742f947ca

          SHA256

          c54a820d7a8a5889984bea70862bf3c284332d56c0ccc1230abec98c27603e72

          SHA512

          93f865d25116e418f87e9e6efb85eb1121d188462108a704071d43292e67f48fd179830fd4b2a27ff88d05d66bf38561bde68f63bdf55b328a1d8af6268a4188

          Download Submit

        • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
          Filesize

          478KB

          MD5

          db98da017417f3bfea4d9a1a97b4a073

          SHA1

          f6e7d57d64df537b7de4e1b9ff2a1d3f092c02b6

          SHA256

          3a827199db204413824f3c15910bf406ae5d9a90511f6baadba95392222b2e37

          SHA512

          fcd8dd3d92092538483006815578f95ed754562e3b215dc9d5fc82ff321a29c459d52b5babe7d82213385b842c0df4e7afdf745364e4a6dab2306bc9ad4798f8

          Download Submit

        • F:\$RECYCLE.BIN\S-1-5-21-3513876443-2771975297-1923446376-1000\_desktop.ini
          Filesize

          10B

          MD5

          81570c50286369016cef7a9f904c4b04

          SHA1

          b5758b23667cb35cad0adb23371b830fcee4f4e5

          SHA256

          b882f41a5c84d248a75714eaf215a9e363a49361b6a14beedb921ee3dfdb46a1

          SHA512

          0e6c479b0252e24635810b7d030cc9b5b17603ee20ccf62812446b8d15884521c6c7be65dfc0090bb1502e859fae27c2a63b3e58be714021f473a88407982162

          Download Submit

        • memory/1264-5-0x0000000002A40000-0x0000000002A41000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2304-0-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/2304-9-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/2304-67-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/2304-2915-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/2304-4023-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download