Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

fe4431fa53...89.exe

windows7-x64

7

fe4431fa53...89.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    156s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/10/2023, 15:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fe4431fa5399ae196c0704ba9fd17c537c17fa10d3ab1f03de93b14187366289.exe

  • Size

    205KB

  • MD5

    8dfccea5352f1cbaa222be3a97295a04

  • SHA1

    9fa21ee3307dbf70beef9ea2591b1296911076e6

  • SHA256

    fe4431fa5399ae196c0704ba9fd17c537c17fa10d3ab1f03de93b14187366289

  • SHA512

    fd11aee0246f6456d1994bf56d4992ee9b45f33149b625afeee7dd0d505fbf9c8cea48eb3e6c9a7836bd1e8d055bdddcd1931b2ac5bf564ce036192a82d6dbb7

  • SSDEEP

    3072:KLe9e+ay7hlZQuV94G2mxtZZVl1dbzxtJB3Stk3MAsasMASY49b/EUe:a+ag3VlLbzxtJB3StqMBasMtF/9

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3292
      • C:\Users\Admin\AppData\Local\Temp\fe4431fa5399ae196c0704ba9fd17c537c17fa10d3ab1f03de93b14187366289.exe
        "C:\Users\Admin\AppData\Local\Temp\fe4431fa5399ae196c0704ba9fd17c537c17fa10d3ab1f03de93b14187366289.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3056
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:5020
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1304
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a144E.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4288
            • C:\Users\Admin\AppData\Local\Temp\fe4431fa5399ae196c0704ba9fd17c537c17fa10d3ab1f03de93b14187366289.exe
              "C:\Users\Admin\AppData\Local\Temp\fe4431fa5399ae196c0704ba9fd17c537c17fa10d3ab1f03de93b14187366289.exe"
              4⤵
              • Executes dropped EXE
              PID:1988
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4484
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2356
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2684
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:3576
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:3992

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            51b4f29d8825bd236efcf815393c5456

            SHA1

            a2122d7e87d69d3a7695ff8f26a33fb8c388ad8e

            SHA256

            5a2621204f714473e1749c17a1dc19ae693009cbe68a25ddb0923df9b9d0d7ed

            SHA512

            0e11f9781f332255016567d599c444ed784ced58091d034547646273bdc5f21c71bc1e125ae138e30cbfa7202e557152f629a7700ecd8543aee75cbf84023220

            Download Submit

          • C:\Program Files\7-Zip\7z.exe
            Filesize

            491KB

            MD5

            fed08aef33778b8ce0323f8defa25fab

            SHA1

            71d9cbe9659290f07f921c5369612caeb613cad7

            SHA256

            8911b5eafcb57a92f9ae0c91a6c823955f91baf51e23d2ec204104e16297bb86

            SHA512

            fa308728c7a4de360bf93434eaf031dd46f7ff7a4649e6070b09beda5fdc7b04e6d6b7c2290149ddbac05c64b4489546869ecd58a63a49afb764da689f6800b6

            Download Submit

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            477KB

            MD5

            e51ebd598953336c3e9723c561316b29

            SHA1

            62c6d722e609183d949dc73731b453e7abb52c5a

            SHA256

            5e51232e5175d937e474c66b0e662b43a71432be7c5cbddc71615424385a62e2

            SHA512

            b42567b0a7114d28c6d400b835f7154fc8f6b0bac1ff6da79d66027cea550676e849614aaf4cc5002acfa123476246d68976f0396c24906009d09a72d79ae9ac

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a144E.bat
            Filesize

            722B

            MD5

            625f2fa879a1a041e4c37226b805d8df

            SHA1

            e8fd35447ef4ccf3d8a94fbda46ef2e60fc49ac6

            SHA256

            61c4f14e9f2dacd2fb881172d8a34bdc542a32120921f3f924c6c2b88f17d269

            SHA512

            0b1bb41d2abe2f89d65f523ecb106abc5114bb35ae6c70702622f7e35cbca33bb0c90db112c9966b54a42ee36e99f5a2bc99e6930eca7f3594173c21489ba97e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\fe4431fa5399ae196c0704ba9fd17c537c17fa10d3ab1f03de93b14187366289.exe
            Filesize

            172KB

            MD5

            39b89cf25d3f4c7a2f880e06b30b4f65

            SHA1

            3b1072078c39ab50f35f2fbabc35c2710b0a7cba

            SHA256

            cf785245b09cc9f4fce024ba1e76e822a0ddbc03a0463397b0f45a80980f4c07

            SHA512

            625b4be3fa64ccde093ad26e2bf92e53a821b337c6ca03f2c8faab4584127df9489fafae42254ffec1ba553f0275e166da99e3ec49cde2a719e97499b9340db4

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\fe4431fa5399ae196c0704ba9fd17c537c17fa10d3ab1f03de93b14187366289.exe.exe
            Filesize

            172KB

            MD5

            39b89cf25d3f4c7a2f880e06b30b4f65

            SHA1

            3b1072078c39ab50f35f2fbabc35c2710b0a7cba

            SHA256

            cf785245b09cc9f4fce024ba1e76e822a0ddbc03a0463397b0f45a80980f4c07

            SHA512

            625b4be3fa64ccde093ad26e2bf92e53a821b337c6ca03f2c8faab4584127df9489fafae42254ffec1ba553f0275e166da99e3ec49cde2a719e97499b9340db4

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            73a05d5388def9405415e6cd7390df4d

            SHA1

            2e10cc2222fc689c769b8b038d00ea26864a27df

            SHA256

            0ada5eed7317cc425ba228162d217403a47d541776b43326289ffcb6e1a2b62d

            SHA512

            8a022de23eb39987b0b881ead96fff79f5c707d7e82e4c3725c90930cf49020cda19f588604494ef1ba580be4f172f15b07baefd2f0ef52a6248c06f43f6fd4f

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            73a05d5388def9405415e6cd7390df4d

            SHA1

            2e10cc2222fc689c769b8b038d00ea26864a27df

            SHA256

            0ada5eed7317cc425ba228162d217403a47d541776b43326289ffcb6e1a2b62d

            SHA512

            8a022de23eb39987b0b881ead96fff79f5c707d7e82e4c3725c90930cf49020cda19f588604494ef1ba580be4f172f15b07baefd2f0ef52a6248c06f43f6fd4f

            Download Submit

          • C:\Windows\rundl132.exe
            Filesize

            33KB

            MD5

            73a05d5388def9405415e6cd7390df4d

            SHA1

            2e10cc2222fc689c769b8b038d00ea26864a27df

            SHA256

            0ada5eed7317cc425ba228162d217403a47d541776b43326289ffcb6e1a2b62d

            SHA512

            8a022de23eb39987b0b881ead96fff79f5c707d7e82e4c3725c90930cf49020cda19f588604494ef1ba580be4f172f15b07baefd2f0ef52a6248c06f43f6fd4f

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-3125601242-331447593-1512828465-1000\_desktop.ini
            Filesize

            10B

            MD5

            66a297bdfb8bca17fc70dc7aade38f80

            SHA1

            c131517df089bd22d314c2ad490b391e599e409c

            SHA256

            20b72f923ff58cec359f33b5443b5bc5f5c638b719b6df50a73313c23a434ff7

            SHA512

            c329a6351d692301d88ed2e94afde11919aa2b11b851ae662eed9a8468a61e4e14d1cf0487baf4424047f76bfc1c66b7402794f787638e0bd0da01d03cc25509

            Download Submit

          • memory/3056-10-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/3056-0-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4484-17-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4484-328-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4484-1380-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4484-3944-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4484-8-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4484-5698-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4484-8225-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download