Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

cdc4e9a97c...f1.exe

windows7-x64

7

cdc4e9a97c...f1.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    05/01/2024, 19:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cdc4e9a97cfdb29e14ebee1564049b662945f3cde9d8ccb2e479d21c165ffdf1.exe

  • Size

    67KB

  • MD5

    5077127cd8e3f2ad3f4edc280324cf91

  • SHA1

    7b7bb040200537e015b1abf761b989303e31813e

  • SHA256

    cdc4e9a97cfdb29e14ebee1564049b662945f3cde9d8ccb2e479d21c165ffdf1

  • SHA512

    94ab89aa75c491bd1053c076c78081c58d2fed4f57f9293c476a9eb18346ed6ed96f74ffe4814d36b2b93e18efb68bf27e750b02765dab17e8150b2b08105d3c

  • SSDEEP

    1536:hxDacx1aeg1vjrI9U/xvyyyZoEV0JuRUFyMOaHQ1l:hMf9kU0+k0JXXOeQ

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cdc4e9a97cfdb29e14ebee1564049b662945f3cde9d8ccb2e479d21c165ffdf1.exe
    "C:\Users\Admin\AppData\Local\Temp\cdc4e9a97cfdb29e14ebee1564049b662945f3cde9d8ccb2e479d21c165ffdf1.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:628
    • C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2224
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        3⤵
          PID:2540
      • C:\Windows\Logo1_.exe
        C:\Windows\Logo1_.exe
        2⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1732
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2880
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a15C2.bat
        2⤵
        • Deletes itself
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2016
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1384
      • C:\Windows\SysWOW64\net.exe
        net stop "Kingsoft AntiVirus Service"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:2656
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          2⤵
            PID:2608
        • C:\Users\Admin\AppData\Local\Temp\cdc4e9a97cfdb29e14ebee1564049b662945f3cde9d8ccb2e479d21c165ffdf1.exe
          "C:\Users\Admin\AppData\Local\Temp\cdc4e9a97cfdb29e14ebee1564049b662945f3cde9d8ccb2e479d21c165ffdf1.exe"
          1⤵
          • Executes dropped EXE
          PID:2580
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          1⤵
            PID:2492

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            d3adc69a0af918de8ca779119dc3824e

            SHA1

            1acd37dbe349ee094f20adedeead47187d449876

            SHA256

            331366057a460595eea4cd12de73bd9e2fcc6127487fc6a070b1d1c056700f9f

            SHA512

            346c88bf50e019ff7ebe812584dedba2b1dd13ac02e58f75c0e6c3834daf9c87000bf4f1bba0d2075edfaa24413cc11decf9dcddb05dcc7d9c72294186f1e733

            Download Submit

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            478KB

            MD5

            44f2a0b82d8247e1cd5a12a40841f9a8

            SHA1

            f451bd8ba9098bb674624169aa40f0371ba67924

            SHA256

            056311169bf6ff9bf378a311dbd3c48697ccce39bedac8cb9ddb7da01384127d

            SHA512

            bd5f7bf6b83c70bd03416a4944f62fdafbcb7907c3321432c831e189e9d4f95a52faefa575de57209fa5c1523ebed5fde8831f6230fc6f23400bbd33e772c219

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-3470981204-343661084-3367201002-1000\_desktop.ini
            Filesize

            8B

            MD5

            209b72362215bdaaf45b2d2388ee962c

            SHA1

            872a46c03b4ff1322f5dd750c7ac0a07e5113ca0

            SHA256

            56dc9a9a2aef97a2582545195a5ae52880339dff396cf5a749551379418aed62

            SHA512

            45e9bfd535948c288f7342c28cc31fa63331dddc3b2f38afeb6cc1547f1301c46c97f9925905ee4d0ca46bb2d5f40181b913cfeaf9763ae6a38debdd24db7cc9

            Download Submit

          • memory/628-0-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/628-18-0x0000000000540000-0x000000000057D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/628-15-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/1384-28-0x0000000002E60000-0x0000000002E61000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1732-19-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/1732-32-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/1732-3279-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/1732-4083-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download