Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

a65f123243...c3.exe

windows7-x64

7

a65f123243...c3.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    152s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/02/2024, 15:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a65f123243d3b3f1a67fe7e1c1e8b13f139d9bdadfacf102bc8760cc33b243c3.exe

  • Size

    93KB

  • MD5

    97517e1998bd7e881101a01efe0b4c68

  • SHA1

    79b7b6159779aa9d4e09e55d08e5bbefbceac788

  • SHA256

    a65f123243d3b3f1a67fe7e1c1e8b13f139d9bdadfacf102bc8760cc33b243c3

  • SHA512

    7d0ddb4e6bbaf2aac5d8de86c2c269ffa5effd4cdcc2b8ce49f48ed2182413a90fa62205daf6815064e52ca6d5f2758719ea6783e0cd9ba555594ad8b84d1634

  • SSDEEP

    1536:cAsxN92ppTSahtA3AWHB0UxMkzOt7HcvJGt5AdHIOWnToIf12Z9:cfNIv7MwWhAWJGSCTBf12Z9

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3512
      • C:\Users\Admin\AppData\Local\Temp\a65f123243d3b3f1a67fe7e1c1e8b13f139d9bdadfacf102bc8760cc33b243c3.exe
        "C:\Users\Admin\AppData\Local\Temp\a65f123243d3b3f1a67fe7e1c1e8b13f139d9bdadfacf102bc8760cc33b243c3.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3760
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1852
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:4520
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAA9.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4532
            • C:\Users\Admin\AppData\Local\Temp\a65f123243d3b3f1a67fe7e1c1e8b13f139d9bdadfacf102bc8760cc33b243c3.exe
              "C:\Users\Admin\AppData\Local\Temp\a65f123243d3b3f1a67fe7e1c1e8b13f139d9bdadfacf102bc8760cc33b243c3.exe"
              4⤵
              • Executes dropped EXE
              PID:2196
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4708
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4616
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:4592
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4360
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:4664

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            20cef2186133a343a70d5d5d4feef3a3

            SHA1

            4844bc3596fa52272bb96cc418f2754b9e33fb17

            SHA256

            a56a482a19e754be811a156bce1a2951aa5ce0765aca04261ede8179ad9e33db

            SHA512

            023fb969db382c783bbcf9b6fa8e88603caeac25b7802da432a98a5d4a686893e97de785d918341767b389f39ebfaf5111b42fe283802402fe0fe04e1b2eac54

            Download Submit

          • C:\Program Files\7-Zip\7z.exe
            Filesize

            577KB

            MD5

            b698943451b4bbe37d8df2a597b4b70d

            SHA1

            bdf9b7fb5e8e45e127a1f3a90a595ef986edaf56

            SHA256

            7a022236fa929cbb877ca4c83411e76b86d0c2fe7ab9a0462835b7dbde009cd7

            SHA512

            624f121d4b70ba590afb16a3015e89b2e5f62a991fc95dc3c844a513312a06683c761f38934cb2733ebdd9b3b8404f2ec3665dbd5528a0e0205b9806b133f819

            Download Submit

          • C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
            Filesize

            488KB

            MD5

            ee67e995cc720bdea9ad5bd16b0ff7bf

            SHA1

            8779525e9576a51cd6441b6c35e5e38690c94f34

            SHA256

            ef3bfd992ca033aacbe64d6a949a4dc94a3ee19fa7349298541faf08298b1d98

            SHA512

            e1aebdd145ea7415867ff44e71a8e3f730f2c8712ca3c79289cc00231fbdb7b03c000d069ac60eb5cd62eff6079cf4fd4595a6016a4c98ea19051767366e4524

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$aAA9.bat
            Filesize

            721B

            MD5

            6533da746ac9de5cc70ad331c782e89b

            SHA1

            7d58585d163534c2378d11993850fce6fb3a55bc

            SHA256

            ccd67625b2d2edebe2b23ba379153a4ca60344cbd141ea4bd20751e24ce27065

            SHA512

            f5e15af833770bac5c584bd7a3a576ccca2e8af881b8a71c977a2d804c5f46ae63395dd520778e0dc4d6d23f2aed4edbe7e67e684181d277938224fc3c1b91da

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\a65f123243d3b3f1a67fe7e1c1e8b13f139d9bdadfacf102bc8760cc33b243c3.exe.exe
            Filesize

            60KB

            MD5

            ed0fde686788caec4f2cb1ec9c31680c

            SHA1

            81ae63b87eaa9fa5637835d2122c50953ae19d34

            SHA256

            e362670f93cdd952335b1a41e5529f184f2022ea4d41817a9781b150b062511c

            SHA512

            d90d5e74a9be23816a93490ed30c0aae9f7f038a42bd14aa2ce78e95967b4aabd848f006f00ade619c9976755658d45aa0f5b6d5babbbb2d59a6ed3a3a12ac6b

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            74de944429af39f54ac31888ee07b892

            SHA1

            7c05f329379c5a396dbdf1e3857f59734eeaaf07

            SHA256

            22a484df9625b0a17e2e7b65945360f0b031ec1bea68fb96d3553d07ab354f52

            SHA512

            d4a8d643b207e1742071a11b05b3044c0750849f767ecbecb5e957d1df1bc95a312a0a595c7c34cc8a09523ef25deac47fddb4801735bcff6087879ef8d10fd7

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-3844919115-497234255-166257750-1000\_desktop.ini
            Filesize

            9B

            MD5

            62b5f4cbf35e0811170865d2c1b514b0

            SHA1

            eb9ab8cea4d5052efe5126141140269f2fc29e7b

            SHA256

            0c2b516efab7a741c31502cb6f7828de32cd4feb088b683d651225489f183bb3

            SHA512

            4632536c26324e72b20e87d53546ea1d012bc1f3457ce5d8e1b33dd3eebc41ad5e4a3d3f6a3a542d7ce103f95ca5a5a1973c6c036980f1e8860c6c5d93c5696f

            Download Submit

          • memory/3760-0-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/3760-10-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/4708-17-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/4708-8-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/4708-422-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/4708-2676-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/4708-5367-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/4708-7758-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/4708-8392-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download