Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/03/2024, 19:05

General

  • Target

    e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe

  • Size

    62KB

  • MD5

    b448a4ed020d6d8280086c0a7c1c9431

  • SHA1

    954dc1dab428145a82e4c85e1b94fa1adddf58b6

  • SHA256

    e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee

  • SHA512

    46b0af3e5f1102d62cde17bc6ea893a704e6abea3ef8cd354d2feb7e28fe401515ac73f00fb0f311b1fc23fef2f87a7cbc57aa5d4e932720a8ea5c84554173b4

  • SSDEEP

    1536:4uue+Zk77RNtMy/tgTM/OqxPAq9khDRGadegghOgmgk:4Ze+aX3tM6gT9oL9k9dehhOgo

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1204
      • C:\Users\Admin\AppData\Local\Temp\e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe
        "C:\Users\Admin\AppData\Local\Temp\e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2940
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2352
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:3064
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a10B3.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2880
            • C:\Users\Admin\AppData\Local\Temp\e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe
              "C:\Users\Admin\AppData\Local\Temp\e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe"
              4⤵
              • Executes dropped EXE
              PID:2632
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2020
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2584
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2736
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2600
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2828

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

            Filesize

            477KB

            MD5

            49d515b044bbad65c9307b89dd66e79a

            SHA1

            d0edd7c63488d72b6ba185eee80e63df89df6966

            SHA256

            c696990b3d0f156f8e572201d9ac44dd5a79c95235c9b84c2a8ffcd098789ebe

            SHA512

            aedd7b238961a154477d8704082691ab64a75f4c3bbb584ce55b62845b46b94dd2e39a1eb8939398f662db6cc504da9af788c054a4d054e683d02fcbad0d5d84

          • C:\Users\Admin\AppData\Local\Temp\$$a10B3.bat

            Filesize

            722B

            MD5

            0e43c1a131bcb8bbf77cf9c6f2a84d66

            SHA1

            76599178d81a22ad6bb38014d3cc8b1531393974

            SHA256

            7dff88aa35d24134c375d3e2fa011912809ade0112e870bd064702d1b8ad74bb

            SHA512

            688e29c57feb2c855042b84318a11800ead2a03a14120827950478ffe2648a77a4b40f03c355b94d3c4ede24ad38b4b7c02805023bd55cd9b6805f266c43268b

          • C:\Users\Admin\AppData\Local\Temp\e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe.exe

            Filesize

            29KB

            MD5

            0cac659cc68e68ed44223ddb7343275a

            SHA1

            cb75dd7034e31eb575668f7c69b7d990653c0248

            SHA256

            7c32fe8ec1851e273763a2742a67a1f9c09a3725c9eaec76e22fcfc92dda7c88

            SHA512

            1c0c3b170bed3a3cbd7821dfa008e776df675f620afe85905f84f7d86b68b487206af0c6acf8207ae346b8ae7deb71a756128cb5c199bf648952d2c582aa9023

          • C:\Windows\Logo1_.exe

            Filesize

            33KB

            MD5

            1eb46052207e9bdf5c8cc6aa7dcccf89

            SHA1

            37ed03cd7c2ccade09093134c6a2b6099d450227

            SHA256

            db79ee7697ddc2795271dd97e4910c9343f58758e913ba19df70e7a481555cda

            SHA512

            f4b0fdfebbbc9fa25563f2da3d6171cde29306ff5ac5ac024c05da231b3150c11dd52021162ba8f13926f6defa611968628bd776b9f4f8660c995915b43c9eca

          • F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\_desktop.ini

            Filesize

            9B

            MD5

            a7058e06d084fd947f7dddc2897ebb22

            SHA1

            400bcc9cc3cbab99b910b4696cc0163ba8713226

            SHA256

            da0976fbb0588170763cb9b0d9b3ce23b0ff3e7cc146ecf1840a40e7655f1287

            SHA512

            4921df984df8d792e9cde40d30fd19e315b2af1b034966c6fc397ef92e3cb25cfa258400758277e9ec01b5609f3041ba42c8e5911b79eff5a08843a91ad9c9c9

          • memory/1204-28-0x0000000002D60000-0x0000000002D61000-memory.dmp

            Filesize

            4KB

          • memory/2020-32-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

          • memory/2020-20-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

          • memory/2020-3319-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

          • memory/2020-4142-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

          • memory/2940-12-0x00000000005D0000-0x000000000060F000-memory.dmp

            Filesize

            252KB

          • memory/2940-16-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

          • memory/2940-0-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

          • memory/2940-17-0x00000000005D0000-0x000000000060F000-memory.dmp

            Filesize

            252KB