Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

04686cb8e9...63.exe

windows7-x64

9

04686cb8e9...63.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    05/04/2024, 18:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    04686cb8e9efa4dd4f138f8192558b275b29cfe5b9e8f82edf5681b57a669963.exe

  • Size

    1.6MB

  • MD5

    05c27c72c9f8df2173c0736e5497cafd

  • SHA1

    ed933acdb5d0f2c21c507637095ec76e37b48f4d

  • SHA256

    04686cb8e9efa4dd4f138f8192558b275b29cfe5b9e8f82edf5681b57a669963

  • SHA512

    53a490eb56c107b39c92c971df2265f761196d676b436a6e5dc4f5c86c3a3d80cb0b66e6a8d5a7fc1ae2d010d589c58f3f03d1dede6d6ab9efb22d6fc22e9df6

  • SSDEEP

    49152:5YsWYuqKoKOhsTC9Kc/R4IA1SA4UlfZk57cxJQ:WsWYZKoKOhg4//RVAxLfWVmy

Score
9/10
persistencespywarestealer

Malware Config

Signatures

  • Detects executables containing possible sandbox analysis VM usernames 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 10 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\04686cb8e9efa4dd4f138f8192558b275b29cfe5b9e8f82edf5681b57a669963.exe
    "C:\Users\Admin\AppData\Local\Temp\04686cb8e9efa4dd4f138f8192558b275b29cfe5b9e8f82edf5681b57a669963.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Users\Admin\AppData\Local\Temp\04686cb8e9efa4dd4f138f8192558b275b29cfe5b9e8f82edf5681b57a669963.exe
      "C:\Users\Admin\AppData\Local\Temp\04686cb8e9efa4dd4f138f8192558b275b29cfe5b9e8f82edf5681b57a669963.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2528
      • C:\Users\Admin\AppData\Local\Temp\04686cb8e9efa4dd4f138f8192558b275b29cfe5b9e8f82edf5681b57a669963.exe
        "C:\Users\Admin\AppData\Local\Temp\04686cb8e9efa4dd4f138f8192558b275b29cfe5b9e8f82edf5681b57a669963.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2448

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Windows Sidebar\Shared Gadgets\beast [bangbus] .zip.exe
    Filesize

    778KB

    MD5

    b6462765d9a325e05c535a30b991cc7c

    SHA1

    3cc2b107a5cdd9cc0d367b9a3a2e9df3dd29855c

    SHA256

    e51f58687b597e657ede5b7eaa87e8b87b0bd4d750a5c28b493a1484ea67203c

    SHA512

    e83511a2e60c83ac33ab372fd5053e481eb487a7de8f0aa68b70e6c632b718dd8e0e3c2a6d83c0969518e85e82c3337d698e086694e63407aff0699ceaf45adf

    Download Submit

  • C:\debug.txt
    Filesize

    183B

    MD5

    ab71c46ede2489357c3c1eb856c74df8

    SHA1

    dbffc4bdc1b99b6fd7302079ab99a483cdfdf017

    SHA256

    3352874490b36eebde3c104b469a86d79beefe5347fd7a71fdcc0de0eea3c3c1

    SHA512

    b51b31b56bf32dd39c88ffd74c22ca4c2339073c29535351ddac3f4359f3d3383bae0d8e27407ab5dfa8fdb09ea7a7fa95b73cf2294c1739abc7d1ad473a9aea

    Download Submit