Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/04/2024, 12:14

General

  • Target

    7db6e7b89825e97a70ffddd87caf6a9b6296134a89388986ea4867359903f260.exe

  • Size

    39KB

  • MD5

    0c66c78eb026971356126503c6366615

  • SHA1

    0a6ff1ba641cbda042328329393fff95e356f94b

  • SHA256

    7db6e7b89825e97a70ffddd87caf6a9b6296134a89388986ea4867359903f260

  • SHA512

    b5a781cf4eda3414c0c0ba6f1db084f5d19d7df625c587bef83867d1f6bec8a0e96789015acb15adc5b7572fcd203458a26d5a1a00aa6702fc77eb3b08f20495

  • SSDEEP

    768:8bjeUHoO5RroZJ76739/dZVdfpULiAYXjPrN+8WEjrZMYjV8mp8w:8mFe+Zk7VJbwlYXjPrsqrZMYR5p8w

Score
7/10

Malware Config

Signatures

  • Drops startup file (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • Enumerates connected drives (3 TTPs, 21 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses (60 IoCs)
  • Suspicious use of WriteProcessMemory (14 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3496
      • C:\Users\Admin\AppData\Local\Temp\7db6e7b89825e97a70ffddd87caf6a9b6296134a89388986ea4867359903f260.exe
        "C:\Users\Admin\AppData\Local\Temp\7db6e7b89825e97a70ffddd87caf6a9b6296134a89388986ea4867359903f260.exe"
        2⤵
        • Drops startup file
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4500
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4740
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:880
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:368
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              4⤵
                PID:4320
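The process tree above shows the sample (PID 4500) twice spawning net.exe to stop a security service, and net.exe in turn spawning net1.exe with the same arguments. Below is an added detection example (not tria.ge tooling, and not code from the sample) that runs over process-creation events reconstructed from this tree: it matches `net`/`net1 stop` command lines against a watchlist of security-product keywords, walks up through the net.exe → net1.exe delegation so that one attempt is counted once, and attributes each attempt to the process that actually launched it. The event field names, the watchlist and the extra benign `net stop Spooler` event are assumptions made for illustration.

```python
"""Flag net.exe / net1.exe service-stop commands aimed at security products.

Added example modelled on this report's process tree; not tria.ge code.
The event layout and the keyword watchlist are illustrative assumptions.
"""
import re
from collections import defaultdict

# Constructed events reproducing the tree in the report (PIDs and command
# lines as reported). A benign "net stop Spooler" is added as a negative case.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\7db6e7b89825e97a70ffddd87caf6a9b6296134a89388986ea4867359903f260.exe")
EVENTS = [
    {"pid": 3496, "ppid": 1,    "image": r"C:\Windows\Explorer.EXE",
     "cmd": r"C:\Windows\Explorer.EXE"},
    {"pid": 4500, "ppid": 3496, "image": SAMPLE, "cmd": f'"{SAMPLE}"'},
    {"pid": 4740, "ppid": 4500, "image": r"C:\Windows\SysWOW64\net.exe",
     "cmd": 'net stop "Kingsoft AntiVirus Service"'},
    {"pid": 880,  "ppid": 4740, "image": r"C:\Windows\SysWOW64\net1.exe",
     "cmd": r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'},
    {"pid": 368,  "ppid": 4500, "image": r"C:\Windows\SysWOW64\net.exe",
     "cmd": 'net stop "Kingsoft AntiVirus Service"'},
    {"pid": 4320, "ppid": 368,  "image": r"C:\Windows\SysWOW64\net1.exe",
     "cmd": r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'},
    {"pid": 5000, "ppid": 3496, "image": r"C:\Windows\System32\net.exe",
     "cmd": "net stop Spooler"},  # constructed benign event, must not fire
]

# Illustrative watchlist (assumption): substrings of service names that belong
# to security products. Tune it to the products deployed in your estate.
WATCHLIST = ("antivirus", "anti-virus", "defender", "endpoint", "security")

# "net stop X", "net1 stop X", full-path and quoted variants; captures X.
NET_STOP = re.compile(r'(?:^|\\)net1?(?:\.exe)?"?\s+stop\s+"?([^"]+?)"?\s*$', re.I)
NET_IMAGES = {"net.exe", "net1.exe"}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_av_service_stops(events, watchlist=WATCHLIST):
    """Return one record per stop attempt whose target matches the watchlist."""
    by_pid = {e["pid"]: e for e in events}
    hits = {}
    for e in events:
        m = NET_STOP.search(e["cmd"])
        if not m:
            continue
        service = m.group(1).strip()
        if not any(k in service.lower() for k in watchlist):
            continue
        # net.exe delegates to net1.exe with the same arguments, so walk up
        # through net/net1 ancestors to the topmost net process (the attempt)
        # and one step further to the process that initiated it.
        attempt = e
        while True:
            parent = by_pid.get(attempt["ppid"])
            if parent is None or _basename(parent["image"]) not in NET_IMAGES:
                break
            attempt = parent
        initiator = by_pid.get(attempt["ppid"])
        if attempt["pid"] not in hits:  # net1 child collapses into its net parent
            hits[attempt["pid"]] = {
                "attempt_pid": attempt["pid"],
                "service": service,
                "initiator_pid": initiator["pid"] if initiator else None,
                "initiator_image": initiator["image"] if initiator else None,
            }
    return sorted(hits.values(), key=lambda h: h["attempt_pid"])


def attempts_by_initiator(hits):
    """Count attempts per (initiator PID, target service) for triage output."""
    counts = defaultdict(int)
    for h in hits:
        counts[(h["initiator_pid"], h["service"])] += 1
    return dict(counts)


if __name__ == "__main__":
    found = find_av_service_stops(EVENTS)
    for h in found:
        print(h)
    print(attempts_by_initiator(found))
```

Matching on both net.exe and net1.exe matters in practice: some telemetry only records the net1.exe child, and a rule keyed on net.exe alone would miss it. Conversely, counting both would double-report every attempt, which is why the walk-up collapses the pair.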

Network

MITRE ATT&CK Enterprise v15
Downloads

  • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

    Filesize 264KB
    MD5 82aff40c160a0a881bf7a0fa4b647957
    SHA1 dee101a59ad91bf0065dafb0fd680c339c110c17
    SHA256 c0025a5dc9fd03e01f08941e4163078e5ce9adc3401c1e1da6441c27cdf0d0a3
    SHA512 de32bf34a53fa0c80ba3b1277ff42f708fba5414f6d281baada7bf1268d4cebf09c3fca613b73962ba112c22ba6690689a0c2727d63e2a8adbe0868ba2ec6ce5

  • C:\Program Files\7-Zip\Uninstall.exe

    Filesize 54KB
    MD5 23e43de89c189055e59e2d0658af929b
    SHA1 8e23046e9685433d372b5075940b532ab9a954c7
    SHA256 52a3e30c60b647f56a62f8e2a614969aba7c14077a09e81bcda4e4fdb0bd8152
    SHA512 71ae2b26857f8db6d9986f3231ebb790307296bb625446ca05103a30a054683e8f117344b528d7ebddbb12aa133e48857403347b938cc3793659117e732b3628

  • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

    Filesize 649KB
    MD5 e4b4c486987a76abb8a18c33b36514b5
    SHA1 1c83216295cfc852c1a35198e31d8d385efd373a
    SHA256 30f0474b455caa56bfb989bfcc04bb4db00f81857c28657f3fecf1dbcc6eb5dc
    SHA512 f8532180a32b17153626d9879a93159132b2e10708e81aec83c995a8e9b642d5b6ccdd1db676c92302bdd5bb97726e670876490e97d65b27865ea7e72c8c4515

  • F:\$RECYCLE.BIN\S-1-5-21-2288054676-1871194608-3559553667-1000\_desktop.ini

    Filesize 9B
    MD5 c59aab012a570d8b20f60efcafb272be
    SHA1 709df64d9a23340c6bc42f2bf8dfdca512bff2e0
    SHA256 8a349242c7461f8fccc029421cd051ef8f140a8e3738d348a2354a3d5b9de220
    SHA512 8c3f67dc02beaca59f0deaa4d8e33bc385b19df02d2a8b905b47148e21919f7d059f3883f02dad25a0d11dc807343390114753a7918171720d8cd72e84239e17

  • memory/4500-0-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize 244KB

  • memory/4500-3-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize 244KB

  • memory/4500-3915-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize 244KB

  • memory/4500-8697-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize 244KB
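The dropped-file hashes above are what the sandbox observed the sample write; on a real host the same content can land under different paths (the "Enumerates connected drives" signature and the `F:\$RECYCLE.BIN\...\_desktop.ini` drop show it touches non-system drives), so a sweep should key on content hash rather than path. Below is an added example (not tria.ge tooling) that walks a directory tree, hashes every regular file with SHA-256 and reports matches against the report's values; the `demo()` function builds a constructed temporary file so the sweep can be exercised offline. A match is a high-confidence hit; an empty result does not clear a host, since the sample may write elsewhere or the files may have been modified again since.

```python
"""Hash-based sweep for the dropped files listed in this report.

Added example, not tria.ge code. REPORT_IOCS holds the SHA-256 values and
sandbox paths from the Downloads section; the demo file is constructed.
"""
import hashlib
import tempfile
from pathlib import Path

# SHA-256 -> path observed in the sandbox (from the Downloads section above).
REPORT_IOCS = {
    "c0025a5dc9fd03e01f08941e4163078e5ce9adc3401c1e1da6441c27cdf0d0a3":
        r"C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe",
    "52a3e30c60b647f56a62f8e2a614969aba7c14077a09e81bcda4e4fdb0bd8152":
        r"C:\Program Files\7-Zip\Uninstall.exe",
    "30f0474b455caa56bfb989bfcc04bb4db00f81857c28657f3fecf1dbcc6eb5dc":
        r"C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}"
        r"\windowsdesktop-runtime-8.0.2-win-x64.exe",
    "8a349242c7461f8fccc029421cd051ef8f140a8e3738d348a2354a3d5b9de220":
        r"F:\$RECYCLE.BIN\S-1-5-21-2288054676-1871194608-3559553667-1000\_desktop.ini",
}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, iocs=REPORT_IOCS):
    """Return (local_path, sha256, sandbox_path) for every file matching an IOC."""
    matches = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        try:
            digest = sha256_file(p)
        except OSError:  # locked or unreadable files are skipped, not fatal
            continue
        if digest in iocs:
            matches.append((str(p), digest, iocs[digest]))
    return matches


def demo():
    """Constructed demonstration: one known file in a temp dir, its own hash
    added to the report IOCs so that exactly one match is expected."""
    with tempfile.TemporaryDirectory() as d:
        sample = Path(d, "sample.bin")
        sample.write_bytes(b"hello")  # constructed content, not a real IOC
        known = sha256_file(sample)
        iocs = dict(REPORT_IOCS)
        iocs[known] = "constructed test file"
        return [(Path(p).name, digest, label) for p, digest, label in sweep(d, iocs)]


if __name__ == "__main__":
    print(demo())
```

To run it against a mounted image or a live volume, call `sweep(r"D:\")` (or the root of each drive the sample could have reached) and review every tuple returned; the sandbox path in the third field tells you which dropped file the hash corresponds to.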