Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

3b893a8c27...d8.exe

windows7-x64

7

3b893a8c27...d8.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    155s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/10/2023, 06:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3b893a8c2772b1f36a77320430e9908fdb3077a8fd61f8f8dc21cd846b863dd8.exe

  • Size

    2.8MB

  • MD5

    faf05f39c25cedd88c2cb19c6f5d0b96

  • SHA1

    84e52cb8dad24548627f34564a6b903786d4e742

  • SHA256

    3b893a8c2772b1f36a77320430e9908fdb3077a8fd61f8f8dc21cd846b863dd8

  • SHA512

    fdb12c779b30152401bdcd8d010710fe29c2b66e4881af90f023875756673de2e6e2a129cda1007911548eda69cf59cd8ae219d5bf44da7b588f3bfc1d3d8627

  • SSDEEP

    49152:9C6gLKJuMarhVnMFwTH8/giBiBcbk4ZxZ2DqFeVMhuxcPh:9Hd1XdhBiiMa7

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:536
      • C:\Users\Admin\AppData\Local\Temp\3b893a8c2772b1f36a77320430e9908fdb3077a8fd61f8f8dc21cd846b863dd8.exe
        "C:\Users\Admin\AppData\Local\Temp\3b893a8c2772b1f36a77320430e9908fdb3077a8fd61f8f8dc21cd846b863dd8.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:776
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3596
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:3844
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB3F9.bat
            3⤵
              PID:3964
              • C:\Users\Admin\AppData\Local\Temp\3b893a8c2772b1f36a77320430e9908fdb3077a8fd61f8f8dc21cd846b863dd8.exe
                "C:\Users\Admin\AppData\Local\Temp\3b893a8c2772b1f36a77320430e9908fdb3077a8fd61f8f8dc21cd846b863dd8.exe"
                4⤵
                • Executes dropped EXE
                PID:1136
            • C:\Windows\Logo1_.exe
              C:\Windows\Logo1_.exe
              3⤵
              • Drops startup file
              • Executes dropped EXE
              • Enumerates connected drives
              • Drops file in Program Files directory
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:5052
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2040
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:3080
                • C:\Windows\SysWOW64\net.exe
                  net stop "Kingsoft AntiVirus Service"
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2732
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                    5⤵
                      PID:4920

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files\7-Zip\7z.exe
              Filesize

              491KB

              MD5

              46ae7ad50bf5517fa0c4543e1e81b0a8

              SHA1

              8dabd82a87d38b1b7974bf091729765225086f7d

              SHA256

              e7b86a47bfa73d401c6be04d50eab08f10971d23ecb65c551067561161c6d91e

              SHA512

              66f562c97d0dd3e3fc1cb7a173528c04bdaa913852250f6a323341550f8cddbecb0d8e90a0994d1d10d217d848a7e9352260c463505976e805bc8af1e9316d52

              Download Submit

            • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
              Filesize

              478KB

              MD5

              6a7cc95aa1f89e674ceaaf0e47468f09

              SHA1

              a8f49c8c41db5f5aba73ae18aa8db02e7b628b1e

              SHA256

              5cf0a795012be80cd03b3032a945dbbba00126929f4a7dab4fa7e73b3c825ff6

              SHA512

              631814996b48d9d0dc6c4898c1813c1f9aa007102de18c9a30ae027c959831acceb76d732b25a207155f18b750045adb2f75fdfb33232b917b1395d94a73ca61

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\$$aB3F9.bat
              Filesize

              722B

              MD5

              f6014c8fe809414522dbda334d034e73

              SHA1

              cfb32da35534c1f1faa8214bc94929dee15fee40

              SHA256

              c8331fbeefb040959649d2a928413841213ac56642a9774f6b51bdd9d7b191ef

              SHA512

              54f2162557b0591dfe91e39b42450f101aa283d3dfcdd77d26079c49fd9a877216b01a78b8bd50ec0034917925c5210bdbe20776c3e14934178f4716ed10d4ba

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\3b893a8c2772b1f36a77320430e9908fdb3077a8fd61f8f8dc21cd846b863dd8.exe
              Filesize

              2.8MB

              MD5

              095092f4e746810c5829038d48afd55a

              SHA1

              246eb3d41194dddc826049bbafeb6fc522ec044a

              SHA256

              2f606012843d144610dc7be55d1716d5d106cbc6acbce57561dc0e62c38b8588

              SHA512

              7f36fc03bfed0f3cf6ac3406c819993bf995e4f8c26a7589e9032c14b5a9c7048f5567f77b3b15f946c5282fc0be6308a92eab7879332d74c400d0c139ce8400

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\3b893a8c2772b1f36a77320430e9908fdb3077a8fd61f8f8dc21cd846b863dd8.exe.exe
              Filesize

              2.8MB

              MD5

              095092f4e746810c5829038d48afd55a

              SHA1

              246eb3d41194dddc826049bbafeb6fc522ec044a

              SHA256

              2f606012843d144610dc7be55d1716d5d106cbc6acbce57561dc0e62c38b8588

              SHA512

              7f36fc03bfed0f3cf6ac3406c819993bf995e4f8c26a7589e9032c14b5a9c7048f5567f77b3b15f946c5282fc0be6308a92eab7879332d74c400d0c139ce8400

              Download Submit

            • C:\Windows\Logo1_.exe
              Filesize

              33KB

              MD5

              93c7e83acc68e02f68b2dc2c6dc904a9

              SHA1

              c505471fbc1e6884cd40dd319ad9f0be37814041

              SHA256

              951df8bd05592efb598d024d201df816305756441d740396e33f6afeee19f8b8

              SHA512

              78fbd979100c4ed8824a62cedf3e2d43b0bc6d7ea5378bc7c066cfdc1cab184ca99786e2e88c466c84af93c292eee777c6b10f5d7940b3637d8e46a32fda88af

              Download Submit

            • C:\Windows\Logo1_.exe
              Filesize

              33KB

              MD5

              93c7e83acc68e02f68b2dc2c6dc904a9

              SHA1

              c505471fbc1e6884cd40dd319ad9f0be37814041

              SHA256

              951df8bd05592efb598d024d201df816305756441d740396e33f6afeee19f8b8

              SHA512

              78fbd979100c4ed8824a62cedf3e2d43b0bc6d7ea5378bc7c066cfdc1cab184ca99786e2e88c466c84af93c292eee777c6b10f5d7940b3637d8e46a32fda88af

              Download Submit

            • C:\Windows\rundl132.exe
              Filesize

              33KB

              MD5

              93c7e83acc68e02f68b2dc2c6dc904a9

              SHA1

              c505471fbc1e6884cd40dd319ad9f0be37814041

              SHA256

              951df8bd05592efb598d024d201df816305756441d740396e33f6afeee19f8b8

              SHA512

              78fbd979100c4ed8824a62cedf3e2d43b0bc6d7ea5378bc7c066cfdc1cab184ca99786e2e88c466c84af93c292eee777c6b10f5d7940b3637d8e46a32fda88af

              Download Submit

            • F:\$RECYCLE.BIN\S-1-5-21-1574508946-349927670-1185736483-1000\_desktop.ini
              Filesize

              10B

              MD5

              a592e6708558f3dc0ad1608608da69c5

              SHA1

              69a1224ba3b2f2ab2f2ce8b8287809f3282d20d0

              SHA256

              24c83924da516d8acac4cdc96680306f1e34a8a54696bf5bf24106eeb562195a

              SHA512

              38724fff525de3d5b413bb962c2f81369068403f761f69d00f25cd03b5d8cb83603cd6d23c87faf458f157acf585ca4db031fe6640704a4158cb5ead56ce79f1

              Download Submit

            • memory/776-10-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/776-0-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/5052-1671-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/5052-130-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/5052-776-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/5052-936-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/5052-17-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/5052-2736-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/5052-4732-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/5052-5491-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/5052-8-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/5052-5820-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/5052-8262-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/5052-8324-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download