Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/02/2024, 00:32

General

  • Target

    1e1bc1d081c397d85fcef755f1ee83a9b2ae61c4ff857c9543f7e648f2583ce6.exe

  • Size

    33KB

  • MD5

    fb7888cf98a23e5765c04bc5aef7ebf0

  • SHA1

    7efbbeea2d8c75cecfdd63f62fe7298d16de4adc

  • SHA256

    1e1bc1d081c397d85fcef755f1ee83a9b2ae61c4ff857c9543f7e648f2583ce6

  • SHA512

    876f9d7b684eecc2a65197d5b9ea98f4ab4054a3c8a361b7970fbd860e34e6d002fc7f226c8ab8169b7d18fefe85565521df9699ef93889fdf80dc8728ef55ff

  • SSDEEP

    768:7AE1pQFJFKZj1PVs9Ag1vzbJtF04QJ0bOamJVUJv9H:7AEccx1aeg1v/FMJ0FuVu

Score
7/10

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1244
      • C:\Users\Admin\AppData\Local\Temp\1e1bc1d081c397d85fcef755f1ee83a9b2ae61c4ff857c9543f7e648f2583ce6.exe
        "C:\Users\Admin\AppData\Local\Temp\1e1bc1d081c397d85fcef755f1ee83a9b2ae61c4ff857c9543f7e648f2583ce6.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2980
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3004
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2200
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1892
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              4⤵
                PID:2168

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

          Filesize

          258KB

          MD5

          03bade9086ce1ad5e0bcd5d151b7707e

          SHA1

          593ab85917e16235daae2a703902ce400849c790

          SHA256

          3c0c33b4787cec8a3d32188c69e271f6f6d862a57a663b344bb1f7f661cf6337

          SHA512

          a6a367ff8dada642cf7d4cfb5c333bd617be6aed29089f0ff14581fa33ef1003a5adfb1fc1ec3bf977d8c7ea6ae764f6dbc45da75be263dfebcea9a57618b172

        • C:\Program Files\7-Zip\7zG.exe

          Filesize

          717KB

          MD5

          5a82a2f6e90e87c0dc226aa8be0ebc2d

          SHA1

          ec50ffe313c7f96c451b4583e78c900599805572

          SHA256

          714c1dd7e5e816d74e690b2f9c784242b32704f59ef02c94ff54ec2b54731b84

          SHA512

          cd42e1b0581ec6ce8f339fb0eab6fb3be5ed9bde417b719e94760362361880feb458609c70a6acca041cceb36403e028661da82d958b0e89f12724f1171d3c34

        • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

          Filesize

          478KB

          MD5

          28959031896021bc7ca9f579de2cc456

          SHA1

          3577f294e56af20384c17c2e6b30043d3fb467ce

          SHA256

          f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec

          SHA512

          8ccc791701cbf875cff76feb50e78391fdc4375e0bd78c59111a657059e2f4c8c91b8603755bd5cfc1feb1abcc98b3eda6e3f810de8e8d60eb35090eecb21020

        • F:\$RECYCLE.BIN\S-1-5-21-1603059206-2004189698-4139800220-1000\_desktop.ini

          Filesize

          9B

          MD5

          656878f7f928e71d7f24b57fcc0f6261

          SHA1

          03d784e1d3d642f69b11963a421200e3c046e6e6

          SHA256

          fac18ac822bec04370e7632ba99c7434d4674099af7ba5260689b778a7e13f93

          SHA512

          6df81d09518887c18a145a5866582839e3c8c469111ed260916acf23b759845d3ff4416539f0cd03d74dd0379aea26b247ca14fd54ecf5544a63c7e76edec22c

        • memory/1244-3-0x0000000002960000-0x0000000002961000-memory.dmp

          Filesize

          4KB

        • memory/2980-0-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

        • memory/2980-7-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

        • memory/2980-1771-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

        • memory/2980-4016-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB