Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

1

1014072485...df.exe

windows7-x64

7

1014072485...df.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    141s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2023, 05:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1014072485c91f77713e68258bf794df.exe

  • Size

    563KB

  • MD5

    1014072485c91f77713e68258bf794df

  • SHA1

    3ba18050f2d3f882a5a0bbf1866542b0730a47f2

  • SHA256

    e8a3fbef6f12cf9a7e499c990bd3ebf5b305c8c7c1aafc7090ffaa9972ffb685

  • SHA512

    4879e702d13e94398a0b0d033b53a89f9418e313369e7e04e324f6605186a981e2611a2a8d82774398b783b5c2ee8d9d9221300cbf6d78a371db1f7b7e0c4f66

  • SSDEEP

    12288:YwX5pxng9W3aOs7ZAl+JcecUDwt4lhKX6OC0puOtOCRJ3:YUpO0ajiAcecUDw+39I

Score
7/10
adwarediscoverystealer

Malware Config

Signatures

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 27 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1014072485c91f77713e68258bf794df.exe
    "C:\Users\Admin\AppData\Local\Temp\1014072485c91f77713e68258bf794df.exe"
    1⤵
    • Loads dropped DLL
    • Installs/modifies Browser Helper Object
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Program Files (x86)\CloudWeb\cloudweb_svc.ex_
      "C:\Program Files (x86)\CloudWeb\cloudweb_svc.ex_" /stop
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:3004
    • C:\Program Files (x86)\CloudWeb\cloudweb_svc.ex_
      "C:\Program Files (x86)\CloudWeb\cloudweb_svc.ex_" /u
      2⤵
      • Executes dropped EXE
      PID:2704
    • C:\Program Files (x86)\CloudWeb\cloudweb_svc.exe
      "C:\Program Files (x86)\CloudWeb\cloudweb_svc.exe" /i
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      PID:2568
    • C:\Program Files (x86)\CloudWeb\cloudweb_svc.exe
      "C:\Program Files (x86)\CloudWeb\cloudweb_svc.exe" /start
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      PID:2488
  • C:\Program Files (x86)\CloudWeb\cloudweb_svc.exe
    "C:\Program Files (x86)\CloudWeb\cloudweb_svc.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies data under HKEY_USERS
    PID:1316

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\CloudWeb\CloudWeb_run.exe
    Filesize

    127KB

    MD5

    e8f26315c9e6e98ea8db67c6960e8060

    SHA1

    1d358e4fd9706aaf08014866631e2d4c85c43343

    SHA256

    1c942e596a377afbf25ace076952555b1af74e7f5b2126322ae8ebf2447e052b

    SHA512

    b90cf5ff58cc5499bc0e1a6e2e721136b69769ff821873b684aa74d6fd38d18e60c4cdce0b50967f7f0a0dc2a53b21d6bb3b286d1ae85ee69a320d4812939b10

    Download Submit

  • C:\Program Files (x86)\CloudWeb\Log\cloudweb_up_20240101.txt
    Filesize

    231B

    MD5

    72bc9e621c7fb5b64b99f78b6749cd50

    SHA1

    9c200879f86d4276aa5bc1644d07e9f5c7883cfc

    SHA256

    7aa5edb8c7470e3d39b9a55c387a1e41ec67453b9c8b4af849d9178c96bce117

    SHA512

    0860d421d3951aeecbec0b619682149f303a29567ff3e0af46083cb229a8987f0edfe98bdda9e519557445a2feeeb7f5657c66930304e8e990734ac9ccad34dd

    Download Submit

  • C:\Program Files (x86)\CloudWeb\Log\cloudweb_up_20240101.txt
    Filesize

    305B

    MD5

    80f5399f0fe87155463bdcf5cdc311d9

    SHA1

    2c07956cd91f67e8d0ec9ecd85a4760a24aa05bf

    SHA256

    a9f66f404a35c40da652b0daec9d96cb7cbdc5c02b9e928a850cee46b02a0d99

    SHA512

    4ff5e456551bcd6d3b298243aa551ade5fcd811229223f9493fae88a0daebadddbb1f5186fe312f54b7d837315a14c4adbfd71ed8432f7262d46902064a171e6

    Download Submit

  • C:\Program Files (x86)\CloudWeb\Log\cloudweb_up_20240101.txt
    Filesize

    379B

    MD5

    fd15e86a52ba02ed7bdc68f8262745a4

    SHA1

    9c1868a9fb423126c4649c5c3eb7d4a0cc788b04

    SHA256

    9df3df8f90e5607fd703420caa0f33891cb39bfd115d008574d4e82550c21ec9

    SHA512

    b6f0e622772b93bef01960bbf842121da3be097f7cd6c2c39044ba1a3bd1318f24258c9b6624c84b31c22078d03f2a39da65e79a6f0b40f9f4aee63bfbcb0d31

    Download Submit

  • \Program Files (x86)\CloudWeb\CloudWeb_2_61.dll
    Filesize

    123KB

    MD5

    f4253f1090546ac03240a6874192fc4c

    SHA1

    6cf7317b589103e82adfbf3758a1b86691e064cf

    SHA256

    dbe10fbff62d027c6805241262da673494c76bdeb65dc8d7801d914371cfdefd

    SHA512

    29e40ea61c602e955b21909a227ce07b6d076fd526173f990ef261e4250c1e9e66b11949e27c7ea564dba19cde89460da475919b1e07ca09e1662bd7039591ed

    Download Submit

  • \Program Files (x86)\CloudWeb\CloudWeb_mime_2_61.dll
    Filesize

    211KB

    MD5

    519ef5dfaa216b5ef8eda0b044882a31

    SHA1

    a82bf144770ab9ab1bd705839d59ddd3df93dea2

    SHA256

    7df5ea5b776e2efac5f57656e22135f3e63feeb7d84fca1063cbaa0a3ef01fd6

    SHA512

    91dfc0d869b828d1cce48ba0a13fb78579c48368f124397313bcf84d6e193466dbc6a783a8950d24630058b40ce4713855489d9c81c418be1390c648e54344e6

    Download Submit

  • \Program Files (x86)\CloudWeb\CloudWeb_tb_2_61.dll
    Filesize

    127KB

    MD5

    b9c2144c743bea7f56ff8306d131b767

    SHA1

    414212011d97d798448b465c637c4ee812a0741a

    SHA256

    297f880b5f44e420e504f814b5d5b6d0a384b30ab51731cde9954769dde59a5a

    SHA512

    9914e0dd894098554c5d8dc085e036c671fce06da4290d1f3ffd9f2abc62ecbde89f685366a1d031c88384fbcb18f08d900eb64b63b2bb17ab734364bf043866

    Download Submit

  • \Program Files (x86)\CloudWeb\cloudweb_svc.ex_
    Filesize

    103KB

    MD5

    3acfb38c7afaa829b27d1bd853f4c4a0

    SHA1

    9e4bdb7d11be5a08cbb0c83d310208af0ea11943

    SHA256

    caf4d9741a12b48c30030d4f8e50e7ba86772d23c89d6d87719441ff3411a9ba

    SHA512

    74468e9264cb3947a47b302021843c4f934c0b7d718a40ff9b9a68e0d9c5c514276ff45386890cc649357bbfd706a3808fff750026376135086d6044ad4c7f70

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nst58FA.tmp\System.dll
    Filesize

    11KB

    MD5

    c17103ae9072a06da581dec998343fc1

    SHA1

    b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

    SHA256

    dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

    SHA512

    d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nst58FA.tmp\nsProcess.dll
    Filesize

    4KB

    MD5

    8f4ac52cb2f7143f29f114add12452ad

    SHA1

    29dc25f5d69bf129d608b83821c8ec8ab8c8edb3

    SHA256

    b214d73aea95191f7363ad93cdc12b6fbd50a3a54b0aa891b3d45bc4b7b2aa04

    SHA512

    2f9e2c7450557c2b88a12d3a3b4ab999c9f2a4df0d39dcd795b307b89855387bc96fc6d4fb51de8f33de0780e08a3b15fdad43daeaf7373cca71b01d7afdaf0c

    Download Submit

  • \Users\Admin\AppData\Local\Temp\~nsis\CloudWeb_nad_2_61.dll
    Filesize

    515KB

    MD5

    10e0f8f45b687dcc8a2dd2c8910008e0

    SHA1

    1b6dce882ec2710570e2cfc0dc6d297bee9b5333

    SHA256

    bed0defadc0b8febb9b198fafd1bcbcab989b92ca0e55cdb2752193ed6000b62

    SHA512

    2375b3b265c9b4bff97c609622f4cdf3b16da41b04ea0905b8b92ed7e7eb94eb1c4069dbbba55b274a0e877fb4985bfe0839bcffca2186e7a8f88916b9923cec

    Download Submit

  • memory/2848-39-0x00000000003E0000-0x00000000003FF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2848-46-0x0000000002890000-0x0000000002914000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2848-43-0x00000000003E0000-0x0000000000400000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2848-7-0x00000000023F0000-0x0000000002474000-memory.dmp

    Filesize

    528KB

    Download