Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

9

Static

static

3

49f6629071...61.exe

windows7-x64

9

49f6629071...61.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    169s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    07/01/2024, 22:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    49f6629071e229186053aefe4bac4a61.exe

  • Size

    110KB

  • MD5

    49f6629071e229186053aefe4bac4a61

  • SHA1

    142be03ac427778c423da93dd05a785357b761d2

  • SHA256

    8e84de521675caf2e21d6d3874d85f12b3062f444b6be36393ff5c0784ea6d41

  • SHA512

    3fdf76ce1c235f4f2f2727ecb49292d76cba5a412a2e62ee849e6345da700a0f18d2ae5a9d8abce272e77d9e5bd2b038e2a13da8a601725c4f0d84dff16eb8ac

  • SSDEEP

    3072:G3+BaOaaFoFims/PZYuuVIaAJyTZ+sKPv:9BaOBoKCeyT8

Score
9/10
persistenceransomwarespywarestealer

Malware Config

Signatures

  • Renames multiple (175) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops file in Drivers directory 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1208
      • C:\Users\Admin\AppData\Local\Temp\49f6629071e229186053aefe4bac4a61.exe
        "C:\Users\Admin\AppData\Local\Temp\49f6629071e229186053aefe4bac4a61.exe"
        2⤵
        • Drops file in Drivers directory
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2308
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2744
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2892
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$aC590.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2624
            • C:\Users\Admin\AppData\Local\Temp\49f6629071e229186053aefe4bac4a61.exe
              "C:\Users\Admin\AppData\Local\Temp\49f6629071e229186053aefe4bac4a61.exe"
              4⤵
              • Executes dropped EXE
              PID:2604
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Adds Run key to start application
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2916
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2632
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2664
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1460
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2280

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\$$aC590.bat
            Filesize

            530B

            MD5

            67288c51ee58f1bb9a4250f592883dee

            SHA1

            a3c46e55b093aeb5051b5373238f90a29db07e46

            SHA256

            3f8bc2a41426075dc959257e91fbb3187bbf3c62ea6436213254973cf005780c

            SHA512

            2fca2e3afb8dc089e979574c9cee42c833c395796769239629f63566a671ce4de3bcedb5e072a86ca1df8987e08351c01a5a3acb01da15525536770bbb709cc6

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            58KB

            MD5

            2e8204b925e702dabc11b988a3f60896

            SHA1

            36bb3f97fcceeb1ae009cb8a31f112ee4e0685f5

            SHA256

            e63ee3bd70268ceed0ec6635f11b7b4abd0dc1effe8d3ce21755eaafaf096a6a

            SHA512

            8bd2bab90b539f9505dc6830749a484e17fef91fc7b330905c72cb97dc0ca54964f72e641148f5130e9058b66b167898a37a4721c1be5da00d14865734d0fd8d

            Download Submit

          • C:\Windows\system32\drivers\etc\hosts
            Filesize

            832B

            MD5

            7e3a0edd0c6cd8316f4b6c159d5167a1

            SHA1

            753428b4736ffb2c9e3eb50f89255b212768c55a

            SHA256

            1965854dfa54c72529c88c7d9f41fa31b4140cad04cf03d3f0f2e7601fcbdc6c

            SHA512

            9c68f7f72dfa109fcfba6472a1cced85bc6c2a5481232c6d1d039c88b2f65fb86070aeb26ac23e420c6255daca02ea6e698892f7670298d2c4f741b9e9415c7f

            Download Submit

          • \Users\Admin\AppData\Local\Temp\49f6629071e229186053aefe4bac4a61.exe
            Filesize

            52KB

            MD5

            3c5daa92b200992806dd0673d629e4bc

            SHA1

            cf29a14d69b90558b3fd0ced977ead9453ed1165

            SHA256

            ce3fca3f56fb0f478a466576d97d0d257d8c6a517b9be89f493c2a902beaf6a6

            SHA512

            13ea73879715f12aee71607b9331030c65812acd37eff56894ae3a1b763e2f0feaef6a09b63b5523f3a8b3d85572dcea703deb1b08aa18da435ae854b49b37e3

            Download Submit

          • memory/1208-32-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2308-1-0x0000000000020000-0x0000000000021000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2308-18-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2308-2-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2308-0-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2916-20-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2916-23-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2916-36-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2916-37-0x0000000000020000-0x0000000000021000-memory.dmp

            Filesize

            4KB

            Download