Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

694739d5ed...6e.exe

windows7-x64

7

694739d5ed...6e.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    28/03/2024, 19:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe

  • Size

    178KB

  • MD5

    e9cdf2209cc3d95e7a141b0b80844cf7

  • SHA1

    88871f53f6391ddee0fe2b8996ed25849105e3d3

  • SHA256

    694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e

  • SHA512

    62fa554c6b4862be18346ce77f91f9b838baf3cb57043ec81b80f7b152e8eba9113927e76ca2375ac7b15a83cc8a216c0d90889d1e80b878ae78b8878b3565a7

  • SSDEEP

    3072:47e+aX3tM6gT9ov1Gny0is1iygSw01IZ1ymklBF5TjZqMNl:3+aX3u6gT9ocR3gSZ1IZ1yjrvl

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1384
      • C:\Users\Admin\AppData\Local\Temp\694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe
        "C:\Users\Admin\AppData\Local\Temp\694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1712
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1956
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2124
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a52F0.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2640
            • C:\Users\Admin\AppData\Local\Temp\694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe
              "C:\Users\Admin\AppData\Local\Temp\694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe"
              4⤵
              • Executes dropped EXE
              PID:2592
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2604
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2412
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2064
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2544
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2460

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            6329333b400828394f1806aa1670367f

            SHA1

            59e41436c41f1dd6cd8242df2cbeaf04e7b864a6

            SHA256

            fa69d50d5373451478641062a25ee6d509247d2ee18f2505c54048695f2363b9

            SHA512

            6fc5cd02230ee989d00c67356080affb387a36600d96ef6666c15a90d914964c8780a198d63831a570a04d850fbe87b7567866940cf4affb3cf1458053fb870d

            Download Submit

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            477KB

            MD5

            49d515b044bbad65c9307b89dd66e79a

            SHA1

            d0edd7c63488d72b6ba185eee80e63df89df6966

            SHA256

            c696990b3d0f156f8e572201d9ac44dd5a79c95235c9b84c2a8ffcd098789ebe

            SHA512

            aedd7b238961a154477d8704082691ab64a75f4c3bbb584ce55b62845b46b94dd2e39a1eb8939398f662db6cc504da9af788c054a4d054e683d02fcbad0d5d84

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a52F0.bat
            Filesize

            722B

            MD5

            70da681a4e527bf5d4a2704ec7b5a55c

            SHA1

            c8a6a7a4bf1cc8b4e33b8e5fd55b6a3d67984971

            SHA256

            a990e666c34cf659c24aca80a70e549174ee2c0460fb4502a903321ba42c76fa

            SHA512

            632cc9689e597aeb71d95890d2f6efe971537bc55823f2fbad14d80bb308b1be0a18bd4541f5ab06d065fe1fecf5b8511079f56f7f8fa1bea419ee533d5a7282

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe.exe
            Filesize

            145KB

            MD5

            f0003bbe2ddbc6a86bcd8bb3e59a459e

            SHA1

            72a13c7a33c9262cc60037aeaf120f54a21cdeb6

            SHA256

            6b3875c773db867834fe34c0efe43263908cfd264b77336f4c99977927650914

            SHA512

            7603900304bfd5f31e6165554a30d2dcbaa62d2d60debf55e9e7fb4c8c3d9f86a78725beb435ff9c85bd57562d538d527645cbe5dfbcb73efa9b2c5e600ab7a7

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            8d5b24a731c86a9a1d648e167662785c

            SHA1

            88ad95a57fa097fde78785d2166b2e601704455f

            SHA256

            7bbf74b55580006eac528539f928998942ff4038dcca81adc29c3ea2b47f0d98

            SHA512

            d603a5e3a80c2a66d79316561673f0f704ac15a7afb7df24356af7e75f06a94e295ffff449da7ac3fd1ce642fcc2a289e2eecefc0895065c7e6d31016dd03755

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-778096762-2241304387-192235952-1000\_desktop.ini
            Filesize

            9B

            MD5

            a7058e06d084fd947f7dddc2897ebb22

            SHA1

            400bcc9cc3cbab99b910b4696cc0163ba8713226

            SHA256

            da0976fbb0588170763cb9b0d9b3ce23b0ff3e7cc146ecf1840a40e7655f1287

            SHA512

            4921df984df8d792e9cde40d30fd19e315b2af1b034966c6fc397ef92e3cb25cfa258400758277e9ec01b5609f3041ba42c8e5911b79eff5a08843a91ad9c9c9

            Download Submit

          • memory/1384-27-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1712-16-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/1712-0-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/1712-15-0x00000000005D0000-0x000000000060F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2604-19-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2604-1264-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2604-413-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2604-31-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2604-3320-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2604-3353-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2604-3396-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2604-4083-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download