Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

14482b66be...1f.exe

windows7-x64

7

14482b66be...1f.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    152s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/10/2023, 03:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    14482b66be2080c441eb83af76a9672f7bc15a2721a39d7f67fbcc52909f871f.exe

  • Size

    56KB

  • MD5

    4d63ccaed3ecd4bd820452add3e0bb1d

  • SHA1

    41752761a308bb0519054c595d6eb031fbbacb03

  • SHA256

    14482b66be2080c441eb83af76a9672f7bc15a2721a39d7f67fbcc52909f871f

  • SHA512

    23b4dd037077f3e5cc87c088dcefe459fa3b1af418fa946f80006004e5c1816e913db29775aa7650d71ec94cab63e38e09c70ff204ab2f00855a2830f7eac230

  • SSDEEP

    768:FfO5RroZJ76739sBWstDcVgNdb7Vis/LZ+jZ508M7A+eK+OJfZFd/bhifLGWrL0:Ffe+Zk781FNdbk+0Z50deK+UfZ/XWrI

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:536
      • C:\Users\Admin\AppData\Local\Temp\14482b66be2080c441eb83af76a9672f7bc15a2721a39d7f67fbcc52909f871f.exe
        "C:\Users\Admin\AppData\Local\Temp\14482b66be2080c441eb83af76a9672f7bc15a2721a39d7f67fbcc52909f871f.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2088
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:408
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1688
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA4D6.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3572
            • C:\Users\Admin\AppData\Local\Temp\14482b66be2080c441eb83af76a9672f7bc15a2721a39d7f67fbcc52909f871f.exe
              "C:\Users\Admin\AppData\Local\Temp\14482b66be2080c441eb83af76a9672f7bc15a2721a39d7f67fbcc52909f871f.exe"
              4⤵
              • Executes dropped EXE
              PID:3536
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1852
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2808
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:4756
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1972
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:4512

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files\7-Zip\7z.exe
            Filesize

            491KB

            MD5

            6cb5e2d7fae95e75bc0ac3f7de38ff0b

            SHA1

            a294e6336c5b824094cfe41fb40c21f5641d8f00

            SHA256

            e8f2a984b2700edb48c37f14fda9974ae6b0901c926905b8afe85fcbfa27775a

            SHA512

            517aacf03bd8dea67eaf1757ae136f773d025637f3c25a9d9d0269f44e669d08f6722bc8e8fbd96df3e07e33321cff258d5ed331158860fc2fa2e19ce9ce5423

            Download Submit

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            478KB

            MD5

            3eeec7dea3ac1162b9162456af69866a

            SHA1

            16c2834b9be250dc811786852a09b76283db9b91

            SHA256

            ab9c92e5c7ef90f6832d510478e4b6c1fef1e24ab6ca2410068e0d4f806a0f69

            SHA512

            ec4eb8441c1d64b7fde03bb4da57e562553b3db6a70096507b79c4c5be406b97ff8662cd8b14b7faef125b0ecfeda1d7d8b33a723305969ff5005c40987a37ab

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$aA4D6.bat
            Filesize

            722B

            MD5

            874d7c6562630f1eeaa0ebbf2ac2caac

            SHA1

            3b4a1b2a6c1856a8f10869890226fbaa998b0874

            SHA256

            f659196c19039ffb236279a910430f2f58b1ae562bf358fe86cc04390cfd7bca

            SHA512

            c38647ffd97d5a555a8ce329d663f2ee5b3a0a4fb6709972f645eae0fddb651215c66042f06e36d92677b200d6c698ea5d0e8135e96bb233543f53288c75d4e0

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\14482b66be2080c441eb83af76a9672f7bc15a2721a39d7f67fbcc52909f871f.exe
            Filesize

            22KB

            MD5

            b2f7631fe9ac1f6eb4f276bd7259626c

            SHA1

            ca1147287b78e3a15d30654a47b37c9aba2b4767

            SHA256

            23a59a0acd84d07313d6ea78fcf7f629ecdc93ae0c32574c73ef1a467f2831b5

            SHA512

            aa7e3e9ea219d64c1f9dbca0095968087574dea92e466139c2c8a19d03c1341b53191077504fc07366ceb6bd46323b8f95c454b7a0103e27c939622b0e0a0f6e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\14482b66be2080c441eb83af76a9672f7bc15a2721a39d7f67fbcc52909f871f.exe.exe
            Filesize

            22KB

            MD5

            b2f7631fe9ac1f6eb4f276bd7259626c

            SHA1

            ca1147287b78e3a15d30654a47b37c9aba2b4767

            SHA256

            23a59a0acd84d07313d6ea78fcf7f629ecdc93ae0c32574c73ef1a467f2831b5

            SHA512

            aa7e3e9ea219d64c1f9dbca0095968087574dea92e466139c2c8a19d03c1341b53191077504fc07366ceb6bd46323b8f95c454b7a0103e27c939622b0e0a0f6e

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            ac18cf46cd062dd8834115ffeb3e5711

            SHA1

            116a851b3641bbe862e51bbb8ed4c256f9c25827

            SHA256

            d120864b53f5b38df0175ba505f004222d39f138025411c3481db0d7b48b7b24

            SHA512

            78b93c12df9c562751d95b805257e2fc86a4edf8fc10b0e04f89207d81528c3cb1e29973c38cc1945624e190db24854a645329cd1eb18bd2d24672edab3c0a36

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            ac18cf46cd062dd8834115ffeb3e5711

            SHA1

            116a851b3641bbe862e51bbb8ed4c256f9c25827

            SHA256

            d120864b53f5b38df0175ba505f004222d39f138025411c3481db0d7b48b7b24

            SHA512

            78b93c12df9c562751d95b805257e2fc86a4edf8fc10b0e04f89207d81528c3cb1e29973c38cc1945624e190db24854a645329cd1eb18bd2d24672edab3c0a36

            Download Submit

          • C:\Windows\rundl132.exe
            Filesize

            33KB

            MD5

            ac18cf46cd062dd8834115ffeb3e5711

            SHA1

            116a851b3641bbe862e51bbb8ed4c256f9c25827

            SHA256

            d120864b53f5b38df0175ba505f004222d39f138025411c3481db0d7b48b7b24

            SHA512

            78b93c12df9c562751d95b805257e2fc86a4edf8fc10b0e04f89207d81528c3cb1e29973c38cc1945624e190db24854a645329cd1eb18bd2d24672edab3c0a36

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-1574508946-349927670-1185736483-1000\_desktop.ini
            Filesize

            10B

            MD5

            64a8745f77935c35c66f3aeeddf5d47d

            SHA1

            1214a584f661cb008b494ce6278289f8cf406810

            SHA256

            7841de37b0bf8c995d0b903bef18bd4159f94d9c2a35c91b06dabe8198c6c63a

            SHA512

            807b8f5512f868d0a2b1a10889164f787aa07b4309511326f4755d1121e666ec30dfb444a0565a5a7426cbd45b41d49d6429c9baf63a0bd3948b85b57841af3b

            Download Submit

          • memory/1852-4027-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/1852-17-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/1852-152-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/1852-957-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/1852-1830-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/1852-10-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/1852-5655-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/1852-7616-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/1852-8343-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2088-11-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2088-0-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download