Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

ed3ad6c04b...11.exe

windows7-x64

7

ed3ad6c04b...11.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/04/2024, 13:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ed3ad6c04b7778bf946fe1a0cea7b00a82542c7cb9687e562741248ea7657411.exe

  • Size

    577KB

  • MD5

    5ac4056f9d0b3bd588671434ead1c17f

  • SHA1

    9d3e0e6c41fe202d78ac7adc0c26c0a5d27b5d9c

  • SHA256

    ed3ad6c04b7778bf946fe1a0cea7b00a82542c7cb9687e562741248ea7657411

  • SHA512

    12955c0c491b2f4b5343ba8d64ac9c08eaa77cb5b84929b36fd9efde7e241dd1553d3175fb39d1f4f9a9cb9e1242f501df3943788977fb06b0d30871ba5330d2

  • SSDEEP

    6144:A+aX3LdE7cV3iwbAFRWAbd4nf0H05yqE6Hl0ChW0+ksllAXBu0lWGWUJJQ4t0BHk:A+ai7a3iwbihym2g7XO3LWUQfh4Co

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3448
      • C:\Users\Admin\AppData\Local\Temp\ed3ad6c04b7778bf946fe1a0cea7b00a82542c7cb9687e562741248ea7657411.exe
        "C:\Users\Admin\AppData\Local\Temp\ed3ad6c04b7778bf946fe1a0cea7b00a82542c7cb9687e562741248ea7657411.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2424
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:812
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:4440
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a31CE.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4996
            • C:\Users\Admin\AppData\Local\Temp\ed3ad6c04b7778bf946fe1a0cea7b00a82542c7cb9687e562741248ea7657411.exe
              "C:\Users\Admin\AppData\Local\Temp\ed3ad6c04b7778bf946fe1a0cea7b00a82542c7cb9687e562741248ea7657411.exe"
              4⤵
              • Executes dropped EXE
              PID:3252
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4068
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4584
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2332
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:5064
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:1904

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            ec71a61715110767626fe1094063291b

            SHA1

            1fd433c484e987ad74fb6dd5026e94eba029f62f

            SHA256

            e737572195b0c4d8df6f1211e324b97191d66ba2b409cfaa2dd07fd5b96a87f4

            SHA512

            61df3880ff6b71b5b2c522678a1ee69011a9387158e3956f6dd8db8e2c76113772fcf2b9979e27ee84d659925d3d44382d9d5da171dcdfb8a3b21c8034297d6f

            Download Submit

          • C:\Program Files\7-Zip\7z.exe
            Filesize

            577KB

            MD5

            5ac4056f9d0b3bd588671434ead1c17f

            SHA1

            9d3e0e6c41fe202d78ac7adc0c26c0a5d27b5d9c

            SHA256

            ed3ad6c04b7778bf946fe1a0cea7b00a82542c7cb9687e562741248ea7657411

            SHA512

            12955c0c491b2f4b5343ba8d64ac9c08eaa77cb5b84929b36fd9efde7e241dd1553d3175fb39d1f4f9a9cb9e1242f501df3943788977fb06b0d30871ba5330d2

            Download Submit

          • C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
            Filesize

            488KB

            MD5

            629c52705e4b56528fd0a9bd0ef3b26b

            SHA1

            8195ef6b90f8893c88887c763bf399cde1787b26

            SHA256

            4d1c2cdbf0684ef3ea3fc7123812b007687ded0a679275e5ea50f1d936a6fe3d

            SHA512

            0ea13e8f6c5d3b8e28a002c672f20d626e1ae1f8fb0162690961b2b94b49c6590f20ae50dd018f41b1947161ac62e63fa56b1e2aca5ee7335c3d9b7747817e0f

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a31CE.bat
            Filesize

            722B

            MD5

            48630d9c5cd63b080c8077fd3d83f1d7

            SHA1

            f7ca4ce2c0c1071aec58e57a62d523d5901dd8f4

            SHA256

            7ff8f9e75039301917b7bbbc04d36933b27084e556b42e4a3eebe15438c148e6

            SHA512

            cfaf4ade5daba26f14a698c006ab4f27283b75758937393f8e9c65426f8448525f557773e42caa7a0e8a0217ed9fa7b62c3ff6a3ade1a0b0b5a2734e7caabb9d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\ed3ad6c04b7778bf946fe1a0cea7b00a82542c7cb9687e562741248ea7657411.exe.exe
            Filesize

            544KB

            MD5

            9a1dd1d96481d61934dcc2d568971d06

            SHA1

            f136ef9bf8bd2fc753292fb5b7cf173a22675fb3

            SHA256

            8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525

            SHA512

            7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            c4ec2631f0913b349423b6d2bd687a6b

            SHA1

            9b9ae1664a063db7e1bd53073f6f1c3a62fa0e55

            SHA256

            cdaed7acb956972ce40a95412620150fcf1428c34a8ddbd0e9f0742df0d885bb

            SHA512

            a8ba683aa3c9d607d7ef9c3ec28a924b23be85a90e5334eb2a9f6edb8117442a818608c44f010b2bdaec052319fcc6436b5628408f4ebb82d207196df1729e86

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-399997616-3400990511-967324271-1000\_desktop.ini
            Filesize

            8B

            MD5

            eb2b82f341fdb4eae25ceb49373ed303

            SHA1

            cf7db5d16d0cdb9abd32cb4fe1e343e2296142b0

            SHA256

            8a35cc496890b7089f69f59dd7dd7fed74622e8ff18cf9f99d49c94aa5888c5a

            SHA512

            895d5f91dcdf77750063ec0b0112b643597bfcc87ddaa30f07864adeadf185ce062ead7699d964bd05135dcf034ca4028165ec95ab2e17b549c5faf2236f8982

            Download Submit

          • memory/2424-9-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2424-0-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4068-17-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4068-2150-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4068-10-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4068-8658-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download