Analysis

  • max time kernel: 150s
  • max time network: 146s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231023-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 23/11/2023, 09:11

General

  • Target: e8e38d603907283850682453149864e35c207fe161689f3a5a905043a158c6b3.exe
  • Size: 39KB
  • MD5: 349babe461eb601756f45846bdac9367
  • SHA1: c9b3b6a3ff64f7248f0be157a4a8a68be78abb15
  • SHA256: e8e38d603907283850682453149864e35c207fe161689f3a5a905043a158c6b3
  • SHA512: 10e8973adbec3c51e4b5ad09c3858fc26e46dd1149b6a740096c6246517bde41c7a7fbf0b5c04ae09c3c787cd900c5fb532e784f593f0d5dffaf212087c5f09a
  • SSDEEP: 768:8PL49svO5RroZJ76739/dZVdfpULiAYXjPrN+8WEjrZMYjV8mp8w:8Pve+Zk7VJbwlYXjPrsqrZMYR5p8w

Score
7/10

Malware Config

Signatures

  • Drops startup file (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials, cookies and session data.
  • Enumerates connected drives (3 TTPs, 21 IoCs)
    Attempts to read the root path of hard drives other than the default C: drive.
  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Runs net.exe (in this run, to stop the Kingsoft AntiVirus Service; see Processes)
  • Suspicious behavior: EnumeratesProcesses (60 IoCs)
  • Suspicious use of WriteProcessMemory (14 IoCs)

Processes

  • C:\Windows\Explorer.EXE (PID 3328)
    C:\Windows\Explorer.EXE
    • C:\Users\Admin\AppData\Local\Temp\e8e38d603907283850682453149864e35c207fe161689f3a5a905043a158c6b3.exe (PID 1092)
      "C:\Users\Admin\AppData\Local\Temp\e8e38d603907283850682453149864e35c207fe161689f3a5a905043a158c6b3.exe"
      Signatures: Drops startup file; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\net.exe (PID 4316)
        net stop "Kingsoft AntiVirus Service"
        Signatures: Suspicious use of WriteProcessMemory
        • C:\Windows\SysWOW64\net1.exe (PID 4556)
          C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      • C:\Windows\SysWOW64\net.exe (PID 4552)
        net stop "Kingsoft AntiVirus Service"
        Signatures: Suspicious use of WriteProcessMemory
        • C:\Windows\SysWOW64\net1.exe (PID 3504)
          C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
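The two net.exe chains in the tree are the most actionable thing in this report: a process running from the user's Temp directory spawns net.exe, which spawns net1.exe, to stop a security product's service. The detection logic below is an added example written for this page; it is not tria.ge's signature code and not code from the sample. It runs over constructed process-creation records that mirror the tree above (PIDs, images and command lines as listed there) plus two invented benign events; the field names loosely follow Sysmon Event ID 1, and the list of security-service markers is illustrative, not a product list.

```python
"""Flag `net stop` of a security product's service and attribute each stop to
the process that issued it, walking the net.exe -> net1.exe chain upward.

Added example for this report, not tria.ge code and not the sample's own
code. SAMPLE_EVENTS is constructed from the process tree on this page (images,
command lines and PIDs as listed there) plus two invented benign events; the
field names loosely follow Sysmon Event ID 1, but nothing here is captured
telemetry.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int       # parent PID; 0 when the parent was not observed
    image: str      # full path of the executable
    cmdline: str    # command line as the process received it


SAMPLE_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\e8e38d603907283850682453149864e35c207fe161689f3a5a905043a158c6b3.exe")
KINGSOFT = 'stop "Kingsoft AntiVirus Service"'

# Constructed records mirroring the report's tree; PIDs 5000/5001 are invented.
SAMPLE_EVENTS = [
    ProcEvent(3328, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(1092, 3328, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    ProcEvent(4316, 1092, r"C:\Windows\SysWOW64\net.exe", "net " + KINGSOFT),
    ProcEvent(4556, 4316, r"C:\Windows\SysWOW64\net1.exe",
              r"C:\Windows\system32\net1 " + KINGSOFT),
    ProcEvent(4552, 1092, r"C:\Windows\SysWOW64\net.exe", "net " + KINGSOFT),
    ProcEvent(3504, 4552, r"C:\Windows\SysWOW64\net1.exe",
              r"C:\Windows\system32\net1 " + KINGSOFT),
    # Benign administration that must not fire: stopping the print spooler.
    ProcEvent(5000, 3328, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(5001, 5000, r"C:\Windows\System32\net.exe", "net stop Spooler"),
]

NET_IMAGES = {"net.exe", "net1.exe"}

# `net stop <svc>` or `net1 stop "<svc>"`, with or without a path, quotes or .exe.
NET_STOP_RE = re.compile(
    r'^\s*"?(?:[A-Za-z]:\\[^"\s]*\\)?net1?(?:\.exe)?"?\s+stop\s+(?:"([^"]+)"|(\S+))',
    re.IGNORECASE,
)

# Illustrative substrings marking a security product's service; not a product list.
SECURITY_SERVICE_MARKERS = (
    "antivirus", "anti-virus", "defender", "windefend", "kingsoft", "kaspersky",
    "mcafee", "symantec", "sophos", "avast", "crowdstrike", "sentinel",
)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_net_stop(cmdline: str) -> Optional[str]:
    """Service name if cmdline is `net[1] stop <service>`, otherwise None."""
    m = NET_STOP_RE.match(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def is_security_service(name: str) -> bool:
    low = name.lower()
    return any(marker in low for marker in SECURITY_SERVICE_MARKERS)


def originator(by_pid: Dict[int, ProcEvent], pid: int) -> ProcEvent:
    """Walk up past net.exe/net1.exe to the process that really issued the stop."""
    ev = by_pid[pid]
    while basename(ev.image) in NET_IMAGES and ev.ppid in by_pid:
        ev = by_pid[ev.ppid]
    return ev


def ancestry(by_pid: Dict[int, ProcEvent], pid: int) -> List[str]:
    """Image basenames from pid up to the last observed ancestor."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def detect(events: List[ProcEvent]) -> List[dict]:
    """One finding per (originating process, service), listing the net PIDs involved."""
    by_pid = {e.pid: e for e in events}
    findings: Dict[tuple, set] = {}
    for e in events:
        if basename(e.image) not in NET_IMAGES:
            continue
        svc = parse_net_stop(e.cmdline)
        if svc is None or not is_security_service(svc):
            continue
        src = originator(by_pid, e.pid)
        findings.setdefault((src.pid, svc), set()).add(e.pid)
    return [
        {
            "origin_pid": pid,
            "origin_chain": ancestry(by_pid, pid),
            "service": svc,
            "net_pids": sorted(pids),
        }
        for (pid, svc), pids in findings.items()
    ]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

net.exe hands most subcommands to net1.exe, so a rule that matches the command line alone fires twice per stop and blames net.exe; walking up past both gives the real originator (here PID 1092, itself a child of Explorer) and one finding per service, with all four net PIDs attached. The rule is scoped to what this report shows: the same outcome reached through `sc.exe stop`, `Stop-Service` or a direct `ControlService` call would not match it.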

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
    Filesize: 264KB
    MD5: ed9e440a0da16922767eb10da17063bd
    SHA1: 23286db11962453099bb42fda8f135fedd9063fc
    SHA256: 1ee771bc21e70954f35c0f3e1fc7df2a65aa3a1dedc747b435f92c58235efdd8
    SHA512: 6c61a8c3ce559976bb6b34fce97cbce05c793ecd5283c663c9f142ce06b1e436a02ebffd710404306bb2f87ee216c66a2a5c1f3f1a2aef96fc3f5e6fccb2e185

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    Filesize: 2.8MB
    MD5: eee4a7bda19606e8da29f300b91d0b1d
    SHA1: 69fed79bfb540408ad6bb71c5187a557c1e92fd2
    SHA256: 230794272843574ddd2fab5719c6a47705e660c03596c2254a88ace3d9ef5091
    SHA512: a729faabcd1d56243ccb9b0ff9a5cbf538c45b6750f528adffa06346f8369feea1ec09cf66addfa3d16237342345886fe007fe2e84d18ff8a462562147c2e957

  • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
    Filesize: 484KB
    MD5: e1d44503bd78f76397106dd8751c33da
    SHA1: adb60486590c24d54f43ca6b7ec7fd8d64ff16fe
    SHA256: 792791d8023b6fe39fb3f7519f0c31ee22a4accb61f6b824143a2d066ef32c44
    SHA512: a7cf931af36db667493710b50898eed4fa34cafa48686cb2c4ac6f1248d7b4907dacbd6f2df7d699b521d13304d70fb078b80305d8a815c0a566b502c42e739d

  • F:\$RECYCLE.BIN\S-1-5-21-3125601242-331447593-1512828465-1000\_desktop.ini
    Filesize: 10B
    MD5: 1ac6500de33f973231298e1a1e1e7b38
    SHA1: ab3a765fb39e758f638f6b49a841300ec61ff961
    SHA256: f1e760f9e9b5eaeaa02cb5ca5dfc3ef6a19147a66053ed02ac52b7e2ce05a050
    SHA512: 25253907de7da7ecca0a76dfd1fb864992bc6bc092f29efb789ec2ad4d70aba377e0e28b4f64f602818ba9aefa83dc3454f07c58efdb90f38e0831354ce53f37

  • memory/1092-0-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize: 244KB

  • memory/1092-3-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize: 244KB

  • memory/1092-125-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize: 244KB

  • memory/1092-1682-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize: 244KB

  • memory/1092-5037-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize: 244KB

  • memory/1092-7068-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize: 244KB

  • memory/1092-8200-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize: 244KB
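
Every memory dump of PID 1092 covers the same 0x400000-0x43D000 range: 244KB of mapped image for a file that is 39KB on disk. The report states both numbers but not why they differ; the usual reason is one or more sections whose VirtualSize exceeds SizeOfRawData (large uninitialized data, or a packer that reserves space to unpack into), and that is readable from the PE headers without running the sample. The parser below is an added example written for this page, not tria.ge code. The PE it parses is constructed here to reproduce the report's image range; it is not the analysed binary, so the numbers it prints illustrate the check rather than describe this sample.

```python
"""Compare a PE's on-disk size with the image size it will occupy once mapped,
section by section, to see where a gap like this report's (39KB file, 244KB
image at 0x400000-0x43D000) comes from.

Added example for this report, not tria.ge code. build_toy_pe() constructs a
minimal PE32 whose headers reproduce the report's image range; it is not the
analysed sample and its section bodies are filler.
"""
import struct
from typing import Dict, List


def build_toy_pe() -> bytes:
    """Constructed PE32: two sections, the second mostly uninitialized."""
    image_base, size_of_image, size_of_headers = 0x400000, 0x3D000, 0x400
    # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    sections = [
        (b".text", 0x8000, 0x1000, 0x8000, 0x400),
        (b".data", 0x34000, 0x9000, 0x1000, 0x8400),   # 0x33000 bytes of slack
    ]
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)              # e_lfanew -> PE header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 32, 0x1000)            # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)             # FileAlignment
    struct.pack_into("<I", opt, 56, size_of_image)
    struct.pack_into("<I", opt, 60, size_of_headers)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), vs, va, rs, ptr,
                    0, 0, 0, 0, 0x60000020)
        for n, vs, va, rs, ptr in sections
    )
    body = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(size_of_headers, b"\0")
    for _, _, _, rs, ptr in sections:
        assert len(body) == ptr, "raw pointers are laid out contiguously here"
        body += b"\xCC" * rs                            # filler, not code
    return bytes(body)


def pe_layout(data: bytes) -> Dict:
    """Parse just enough of the headers to relate file size to mapped image size."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                                  # PE32: 32-bit ImageBase at +28
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:                                # PE32+: 64-bit ImageBase at +24
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (size_of_image,) = struct.unpack_from("<I", data, opt + 56)
    sections: List[Dict] = []
    off = opt + opt_size
    for _ in range(nsect):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "rva": va, "virtual_size": vsize, "raw_size": rawsize,
            "raw_ptr": rawptr,
            # Bytes the loader maps that the file does not carry.
            "slack": max(vsize - rawsize, 0),
        })
        off += 40
    return {
        "image_base": image_base,
        "image_end": image_base + size_of_image,
        "size_of_image": size_of_image,
        "file_size": len(data),
        "sections": sections,
    }


def largest_slack(layout: Dict) -> str:
    """Name of the section that accounts for most of the file-vs-image gap."""
    return max(layout["sections"], key=lambda s: s["slack"])["name"]


if __name__ == "__main__":
    lay = pe_layout(build_toy_pe())
    print(f"file {lay['file_size']} bytes, image {lay['size_of_image']} bytes "
          f"at {lay['image_base']:#x}-{lay['image_end']:#x}")
    for s in lay["sections"]:
        print(f"  {s['name']:<8} raw {s['raw_size']:#7x}  virt {s['virtual_size']:#7x}  "
              f"slack {s['slack']:#7x}")
```

To apply it to a real file, call `pe_layout(open(path, "rb").read())`. The sandbox dumps the mapped module, so the dump size tracks SizeOfImage rather than the file size; a single section with a tiny raw size and a large slack is the shape a packer's reserved unpack area takes, whereas slack spread across .data or .bss is ordinary uninitialized data. Which of the two applies to this sample cannot be decided from the report alone.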