Analysis

  • max time kernel
    169s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/01/2024, 22:40 UTC

General

  • Target

    49f6629071e229186053aefe4bac4a61.exe

  • Size

    110KB

  • MD5

    49f6629071e229186053aefe4bac4a61

  • SHA1

    142be03ac427778c423da93dd05a785357b761d2

  • SHA256

    8e84de521675caf2e21d6d3874d85f12b3062f444b6be36393ff5c0784ea6d41

  • SHA512

    3fdf76ce1c235f4f2f2727ecb49292d76cba5a412a2e62ee849e6345da700a0f18d2ae5a9d8abce272e77d9e5bd2b038e2a13da8a601725c4f0d84dff16eb8ac

  • SSDEEP

    3072:G3+BaOaaFoFims/PZYuuVIaAJyTZ+sKPv:9BaOBoKCeyT8

Malware Config

Signatures

  • Renames multiple (175) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Drivers directory 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1208
      • C:\Users\Admin\AppData\Local\Temp\49f6629071e229186053aefe4bac4a61.exe
        "C:\Users\Admin\AppData\Local\Temp\49f6629071e229186053aefe4bac4a61.exe"
        2⤵
        • Drops file in Drivers directory
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2308
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2744
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2892
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$aC590.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2624
            • C:\Users\Admin\AppData\Local\Temp\49f6629071e229186053aefe4bac4a61.exe
              "C:\Users\Admin\AppData\Local\Temp\49f6629071e229186053aefe4bac4a61.exe"
              4⤵
              • Executes dropped EXE
              PID:2604
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Adds Run key to start application
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2916
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2632
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2664
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1460
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2280

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\$$aC590.bat
    Filesize: 530B
    MD5: 67288c51ee58f1bb9a4250f592883dee
    SHA1: a3c46e55b093aeb5051b5373238f90a29db07e46
    SHA256: 3f8bc2a41426075dc959257e91fbb3187bbf3c62ea6436213254973cf005780c
    SHA512: 2fca2e3afb8dc089e979574c9cee42c833c395796769239629f63566a671ce4de3bcedb5e072a86ca1df8987e08351c01a5a3acb01da15525536770bbb709cc6

  • C:\Windows\Logo1_.exe
    Filesize: 58KB
    MD5: 2e8204b925e702dabc11b988a3f60896
    SHA1: 36bb3f97fcceeb1ae009cb8a31f112ee4e0685f5
    SHA256: e63ee3bd70268ceed0ec6635f11b7b4abd0dc1effe8d3ce21755eaafaf096a6a
    SHA512: 8bd2bab90b539f9505dc6830749a484e17fef91fc7b330905c72cb97dc0ca54964f72e641148f5130e9058b66b167898a37a4721c1be5da00d14865734d0fd8d

  • C:\Windows\system32\drivers\etc\hosts
    Filesize: 832B
    MD5: 7e3a0edd0c6cd8316f4b6c159d5167a1
    SHA1: 753428b4736ffb2c9e3eb50f89255b212768c55a
    SHA256: 1965854dfa54c72529c88c7d9f41fa31b4140cad04cf03d3f0f2e7601fcbdc6c
    SHA512: 9c68f7f72dfa109fcfba6472a1cced85bc6c2a5481232c6d1d039c88b2f65fb86070aeb26ac23e420c6255daca02ea6e698892f7670298d2c4f741b9e9415c7f

  • \Users\Admin\AppData\Local\Temp\49f6629071e229186053aefe4bac4a61.exe
    Filesize: 52KB
    MD5: 3c5daa92b200992806dd0673d629e4bc
    SHA1: cf29a14d69b90558b3fd0ced977ead9453ed1165
    SHA256: ce3fca3f56fb0f478a466576d97d0d257d8c6a517b9be89f493c2a902beaf6a6
    SHA512: 13ea73879715f12aee71607b9331030c65812acd37eff56894ae3a1b763e2f0feaef6a09b63b5523f3a8b3d85572dcea703deb1b08aa18da435ae854b49b37e3

  • memory/1208-32-0x0000000002AC0000-0x0000000002AC1000-memory.dmp
    Filesize: 4KB

  • memory/2308-1-0x0000000000020000-0x0000000000021000-memory.dmp
    Filesize: 4KB

  • memory/2308-18-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize: 244KB

  • memory/2308-2-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize: 244KB

  • memory/2308-0-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize: 244KB

  • memory/2916-20-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize: 244KB

  • memory/2916-23-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize: 244KB

  • memory/2916-36-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize: 244KB

  • memory/2916-37-0x0000000000020000-0x0000000000021000-memory.dmp
    Filesize: 4KB
