
Analysis

  • max time kernel: 149s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231215-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 12/02/2024, 00:32

General

  • Target: 1e1bc1d081c397d85fcef755f1ee83a9b2ae61c4ff857c9543f7e648f2583ce6.exe
  • Size: 33KB
  • MD5: fb7888cf98a23e5765c04bc5aef7ebf0
  • SHA1: 7efbbeea2d8c75cecfdd63f62fe7298d16de4adc
  • SHA256: 1e1bc1d081c397d85fcef755f1ee83a9b2ae61c4ff857c9543f7e648f2583ce6
  • SHA512: 876f9d7b684eecc2a65197d5b9ea98f4ab4054a3c8a361b7970fbd860e34e6d002fc7f226c8ab8169b7d18fefe85565521df9699ef93889fdf80dc8728ef55ff
  • SSDEEP: 768:7AE1pQFJFKZj1PVs9Ag1vzbJtF04QJ0bOamJVUJv9H:7AEccx1aeg1v/FMJ0FuVu

Score: 7/10

Signatures

  • Drops startup file (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials.

  • Enumerates connected drives (3 TTPs, 21 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses (60 IoCs)
  • Suspicious use of WriteProcessMemory (14 IoCs)

Processes

  • [1] C:\Windows\Explorer.EXE (PID 3460)
    Command line: C:\Windows\Explorer.EXE
    • [2] C:\Users\Admin\AppData\Local\Temp\1e1bc1d081c397d85fcef755f1ee83a9b2ae61c4ff857c9543f7e648f2583ce6.exe (PID 2332)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1e1bc1d081c397d85fcef755f1ee83a9b2ae61c4ff857c9543f7e648f2583ce6.exe"
      Signatures: Drops startup file; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      • [3] C:\Windows\SysWOW64\net.exe (PID 448)
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: Suspicious use of WriteProcessMemory
        • [4] C:\Windows\SysWOW64\net1.exe (PID 980)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      • [3] C:\Windows\SysWOW64\net.exe (PID 5112)
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: Suspicious use of WriteProcessMemory
        • [4] C:\Windows\SysWOW64\net1.exe (PID 2424)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
    Filesize: 258KB
    MD5: 03bade9086ce1ad5e0bcd5d151b7707e
    SHA1: 593ab85917e16235daae2a703902ce400849c790
    SHA256: 3c0c33b4787cec8a3d32188c69e271f6f6d862a57a663b344bb1f7f661cf6337
    SHA512: a6a367ff8dada642cf7d4cfb5c333bd617be6aed29089f0ff14581fa33ef1003a5adfb1fc1ec3bf977d8c7ea6ae764f6dbc45da75be263dfebcea9a57618b172

  • C:\Program Files\dotnet\dotnet.exe
    Filesize: 172KB
    MD5: 81dceeb8f8c23550f5b8f1fe7460edb7
    SHA1: 29749400503f6b4264de341529bee6e1e92941cc
    SHA256: 9ac023b200731c2ba2d3a10003dc2e0f797ffdf7eab08e597026c34199c4ed50
    SHA512: 6d6845baebdd6751e07cd8dfff66123acb6f51454c506e5c364fa1b5f11b1f28d2659a387bc1516e8abfa1f39346413c475b256014481a3d080436521500ef46

  • C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
    Filesize: 488KB
    MD5: de4f99d33c3138d156d2227d1b33c300
    SHA1: 539dffd0a2747a2476194ea4622ce811b777d2c9
    SHA256: ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e
    SHA512: 4db6e5810373d94603df13bbac362ef5e0d76a5b5400aac1d3d132706058fd69b58b5423ecfd811efe2f925d91fdf137b5a009b6d22a0a8d5fbcf9e300d3b7e0

  • F:\$RECYCLE.BIN\S-1-5-21-996941297-2279405024-2328152752-1000\_desktop.ini
    Filesize: 9B
    MD5: 656878f7f928e71d7f24b57fcc0f6261
    SHA1: 03d784e1d3d642f69b11963a421200e3c046e6e6
    SHA256: fac18ac822bec04370e7632ba99c7434d4674099af7ba5260689b778a7e13f93
    SHA512: 6df81d09518887c18a145a5866582839e3c8c469111ed260916acf23b759845d3ff4416539f0cd03d74dd0379aea26b247ca14fd54ecf5544a63c7e76edec22c

  • memory/2332-0-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize: 244KB

  • memory/2332-3-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize: 244KB

  • memory/2332-1016-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize: 244KB

  • memory/2332-5447-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize: 244KB

  • memory/2332-8555-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize: 244KB