Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

fc49ee4702...9d.exe

windows7-x64

7

fc49ee4702...9d.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    151s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/10/2023, 03:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fc49ee4702a7c9d95dfaea0a014e3ff6cc678baa96361159fc459f016dfcba9d.exe

  • Size

    370KB

  • MD5

    42578f059b473b2a62e141ab2a1a6ad4

  • SHA1

    20f774b65ab478e5c661f3cb321b4ade47d4c7ae

  • SHA256

    fc49ee4702a7c9d95dfaea0a014e3ff6cc678baa96361159fc459f016dfcba9d

  • SHA512

    c797307fa268f857769b1158ec23a702be0c9f470cc521f01874fab87525eaf3d3f5190514995d73611cecb94a416a24de31998904f160084211dadf1bd5bd48

  • SSDEEP

    6144:ZMp6t4DREcMZ5vVCiiKrao9afJu3YYtWGaVoRiS6hxH5AgPaxA:ZMp6+FuvVCiisao9Ii3aViKHye

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 5 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3104
      • C:\Users\Admin\AppData\Local\Temp\fc49ee4702a7c9d95dfaea0a014e3ff6cc678baa96361159fc459f016dfcba9d.exe
        "C:\Users\Admin\AppData\Local\Temp\fc49ee4702a7c9d95dfaea0a014e3ff6cc678baa96361159fc459f016dfcba9d.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4876
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:388
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2368
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a1E03.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3660
            • C:\Users\Admin\AppData\Local\Temp\fc49ee4702a7c9d95dfaea0a014e3ff6cc678baa96361159fc459f016dfcba9d.exe
              "C:\Users\Admin\AppData\Local\Temp\fc49ee4702a7c9d95dfaea0a014e3ff6cc678baa96361159fc459f016dfcba9d.exe"
              4⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of SetWindowsHookEx
              PID:864
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1128
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2988
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:4644
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2316
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2196
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
            1⤵
              PID:2852

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
              Filesize

              258KB

              MD5

              45290af4beb107e9ebb9999a1ccfc37e

              SHA1

              bd6b220540c28369a94650f32b14113caa7a9ad1

              SHA256

              7c83414415b603bcc3ed8392831761f624af314c2a02c9fbce76975d249f6b78

              SHA512

              43eb9868b2ae38b874ae9613fd48cc3a9418b37f21b89372e0ed5d682a495c343dbf880b3f69edc3230de59fb7152bb368560506ada5fc861432d8efa9a92d10

              Download Submit

            • C:\Program Files\7-Zip\7z.exe
              Filesize

              491KB

              MD5

              950c6b4ae533d9181054af057e663952

              SHA1

              9f1ae5ca9d7c2e7b40228dfa64d34179abdd0e5b

              SHA256

              0aa52bd85261909f345746395c7121aa491b8cd2c415bd7db3d672dc15bc4906

              SHA512

              bacc2b657366eb9d3c5e1c2998c35222a0cc37705f204abc73d0bdfec6fb79350d679c467b379e57146e5c9ba41e9981a5ab0e6082af5df16de071bbc906d812

              Download Submit

            • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
              Filesize

              478KB

              MD5

              559621f69b938488a7d98cf123a29640

              SHA1

              3dfe808fdf654a30ae778341d2d44302cde46baf

              SHA256

              f5c2bfa4c8aa4885bc29c15f3e8253eda4737f73d312ae074b6438ce522d79f8

              SHA512

              75f4f69ad33898c2edbaf00bd6387d629d04131e36fb3d45e04c4bf9d31517435fca8a92a36b3674fdca768dacff46797d8738dc4162e113c43bb26c3389c9ce

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\$$a1E03.bat
              Filesize

              722B

              MD5

              7d454a00e6d702d9869ff78edaaf6231

              SHA1

              63a71195b1300a09d71cc46debf92e2fd7619413

              SHA256

              108919c92d38a60706e6dc2a280a18397af769ae5b5b16393f7cbd10ac1b9a49

              SHA512

              ab28270948dd2616dc637196f0762bd33a920918fa80c517c19cf156d1ec7d5e7ade7bc3ad25883cd1e7ec10c3d0562f023b15d28ae30c1bbcae0aed3829462d

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\fc49ee4702a7c9d95dfaea0a014e3ff6cc678baa96361159fc459f016dfcba9d.exe
              Filesize

              337KB

              MD5

              383dcbf7e816408a7bcc0a2c41634356

              SHA1

              8179e5d4f88995a92110e4341be44335fa6636f6

              SHA256

              1a4bd956c34459258c85ca9c81dc547d2ef3e276c1f5d07f93902b4a8c74586e

              SHA512

              8b0b5015fc9100d58d73c1b331318f4568cf16529205b127c4ff473df95a8f0a52d5271cc4b66640630ed633449eccdf025166781b67834cc04d8ce23d79554a

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\fc49ee4702a7c9d95dfaea0a014e3ff6cc678baa96361159fc459f016dfcba9d.exe.exe
              Filesize

              337KB

              MD5

              383dcbf7e816408a7bcc0a2c41634356

              SHA1

              8179e5d4f88995a92110e4341be44335fa6636f6

              SHA256

              1a4bd956c34459258c85ca9c81dc547d2ef3e276c1f5d07f93902b4a8c74586e

              SHA512

              8b0b5015fc9100d58d73c1b331318f4568cf16529205b127c4ff473df95a8f0a52d5271cc4b66640630ed633449eccdf025166781b67834cc04d8ce23d79554a

              Download Submit

            • C:\Windows\Logo1_.exe
              Filesize

              33KB

              MD5

              d4b910e72a18fa251db1ac00a3c27f62

              SHA1

              0fca93f82c67f8ee1fc564d47c3ed49b99c94222

              SHA256

              25d35297b7a17ad1411a81b7d3ac69808777adcd309bda2fdcc0fc300eda1dab

              SHA512

              42c49403938d951dcefc4eb4e04361c3f749517d07216c149efd1b2ec1f68e94e4b640c52e7c7bdcd5f06737bf988530acc71f79f568461d0549e09d92cfd521

              Download Submit

            • C:\Windows\Logo1_.exe
              Filesize

              33KB

              MD5

              d4b910e72a18fa251db1ac00a3c27f62

              SHA1

              0fca93f82c67f8ee1fc564d47c3ed49b99c94222

              SHA256

              25d35297b7a17ad1411a81b7d3ac69808777adcd309bda2fdcc0fc300eda1dab

              SHA512

              42c49403938d951dcefc4eb4e04361c3f749517d07216c149efd1b2ec1f68e94e4b640c52e7c7bdcd5f06737bf988530acc71f79f568461d0549e09d92cfd521

              Download Submit

            • C:\Windows\rundl132.exe
              Filesize

              33KB

              MD5

              d4b910e72a18fa251db1ac00a3c27f62

              SHA1

              0fca93f82c67f8ee1fc564d47c3ed49b99c94222

              SHA256

              25d35297b7a17ad1411a81b7d3ac69808777adcd309bda2fdcc0fc300eda1dab

              SHA512

              42c49403938d951dcefc4eb4e04361c3f749517d07216c149efd1b2ec1f68e94e4b640c52e7c7bdcd5f06737bf988530acc71f79f568461d0549e09d92cfd521

              Download Submit

            • F:\$RECYCLE.BIN\S-1-5-21-1141987721-3945596982-3297311814-1000\_desktop.ini
              Filesize

              10B

              MD5

              64a8745f77935c35c66f3aeeddf5d47d

              SHA1

              1214a584f661cb008b494ce6278289f8cf406810

              SHA256

              7841de37b0bf8c995d0b903bef18bd4159f94d9c2a35c91b06dabe8198c6c63a

              SHA512

              807b8f5512f868d0a2b1a10889164f787aa07b4309511326f4755d1121e666ec30dfb444a0565a5a7426cbd45b41d49d6429c9baf63a0bd3948b85b57841af3b

              Download Submit

            • memory/1128-8-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/1128-17-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/1128-1053-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/1128-2617-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/1128-5583-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/1128-8660-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4876-0-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4876-10-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download