Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

4e0ecb99b4...9e.exe

windows7-x64

7

4e0ecb99b4...9e.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    09/04/2024, 13:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe

  • Size

    717KB

  • MD5

    947fb0a70bedead559e53be801302d4b

  • SHA1

    f3768e716d67384870ed06c1cca9911166f2f2d6

  • SHA256

    4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e

  • SHA512

    7da4830f680a307ec75785c6f6cf82b09f5cdca52e631dc86252db2bd0c8668880bb628d4b2434ef13944af90f46e34ab94853b9d6db856b33763a3fca6b1832

  • SSDEEP

    12288:A+agfC6Aj+TN5uixZN+8rKhUdTC/wE1ZD0Ca5ZIXV:ABMLOS2opPIXV

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    PID:1176
    • C:\Users\Admin\AppData\Local\Temp\4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe
      "C:\Users\Admin\AppData\Local\Temp\4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe"
      2⤵
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2012
      • C:\Windows\SysWOW64\net.exe
        net stop "Kingsoft AntiVirus Service"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2100
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          4⤵
            PID:2836
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a117E.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2552
          • C:\Users\Admin\AppData\Local\Temp\4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe
            "C:\Users\Admin\AppData\Local\Temp\4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe"
            4⤵
            • Executes dropped EXE
            PID:2508
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2620
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2556
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:2724
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2676
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2416

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
          Filesize

          258KB

          MD5

          ec71a61715110767626fe1094063291b

          SHA1

          1fd433c484e987ad74fb6dd5026e94eba029f62f

          SHA256

          e737572195b0c4d8df6f1211e324b97191d66ba2b409cfaa2dd07fd5b96a87f4

          SHA512

          61df3880ff6b71b5b2c522678a1ee69011a9387158e3956f6dd8db8e2c76113772fcf2b9979e27ee84d659925d3d44382d9d5da171dcdfb8a3b21c8034297d6f

          Download Submit

        • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
          Filesize

          478KB

          MD5

          f5cd7b35ea5f0009cdb5355dbc356066

          SHA1

          c06af0b31cdebdc4e31d57f448acb174e5be44b7

          SHA256

          472ce6c84e17f672782a003fa17f8d412c85a25675f83d16b1a1fb7bfc085f6d

          SHA512

          89573e495959ad60f4a4079248f3cfb6991b8c700223538a269d7553baaacd6de837f26cfe1a4f6a6c0940b8d758406ae2d9e85f2e5738371c9025ea699a7d28

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\$$a117E.bat
          Filesize

          722B

          MD5

          bb434c45f3153c83565715d52abeea35

          SHA1

          c3561cd7c9652813a44b6df266ebca6ad813bdbd

          SHA256

          950ef3e8fd03dc29051d61960b3a08822c2641a75f461e73ae088dac3e21c992

          SHA512

          c91eb8efa6c1a684383e015813f07032da3d742832ffbf7046ddc2de6828fc57dd72cc3d2ed4264edd3b5f6db09e3d1660ed6d10b6227f27362bd501b171a021

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe.exe
          Filesize

          684KB

          MD5

          50f289df0c19484e970849aac4e6f977

          SHA1

          3dc77c8830836ab844975eb002149b66da2e10be

          SHA256

          b9b179b305c5268ad428b6ae59de10b4fe99cf0199bbc89b7017181905e97305

          SHA512

          877d852ea1062b90e2fd2f3c4dc7d05d9697e9a9b2929c830a770b62741f6a11e06de73275eb871113f11143faf1cb40d99f7c247862ffb778d26833ed5d7e38

          Download Submit

        • C:\Windows\Logo1_.exe
          Filesize

          33KB

          MD5

          c4ec2631f0913b349423b6d2bd687a6b

          SHA1

          9b9ae1664a063db7e1bd53073f6f1c3a62fa0e55

          SHA256

          cdaed7acb956972ce40a95412620150fcf1428c34a8ddbd0e9f0742df0d885bb

          SHA512

          a8ba683aa3c9d607d7ef9c3ec28a924b23be85a90e5334eb2a9f6edb8117442a818608c44f010b2bdaec052319fcc6436b5628408f4ebb82d207196df1729e86

          Download Submit

        • F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\_desktop.ini
          Filesize

          8B

          MD5

          eb2b82f341fdb4eae25ceb49373ed303

          SHA1

          cf7db5d16d0cdb9abd32cb4fe1e343e2296142b0

          SHA256

          8a35cc496890b7089f69f59dd7dd7fed74622e8ff18cf9f99d49c94aa5888c5a

          SHA512

          895d5f91dcdf77750063ec0b0112b643597bfcc87ddaa30f07864adeadf185ce062ead7699d964bd05135dcf034ca4028165ec95ab2e17b549c5faf2236f8982

          Download Submit

        • memory/1176-29-0x00000000029F0000-0x00000000029F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2012-0-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/2012-15-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/2620-33-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/2620-18-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/2620-3320-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

          Download

        • memory/2620-4143-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

          Download