Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

ef3c3bc144...dd.exe

windows7-x64

7

ef3c3bc144...dd.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/04/2024, 21:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ef3c3bc144e2b0a45b439fedd02afdef60163054a340492019cad2b5dccd4edd.exe

  • Size

    393KB

  • MD5

    b8464e043c9ba29f5b70fdaadf00922b

  • SHA1

    828d5c2072b34fd1b9a5988a303f354474d6fc1c

  • SHA256

    ef3c3bc144e2b0a45b439fedd02afdef60163054a340492019cad2b5dccd4edd

  • SHA512

    1b0ae871b17fee5381a047eefbdac50437a57fda1de6ada6e76c8fe13ce316f2a77a61c5d3e40e99af8616afa5534f31ebd5b2341e1e30fdcfda944fc5dd279f

  • SSDEEP

    6144:D+a0P2zPVz7jUBs8hqcBCi6dbfra4erJlt9A+xX1oOAisEIWmGeNkfGuYF1moHXG:D+aZahVy41

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3548
      • C:\Users\Admin\AppData\Local\Temp\ef3c3bc144e2b0a45b439fedd02afdef60163054a340492019cad2b5dccd4edd.exe
        "C:\Users\Admin\AppData\Local\Temp\ef3c3bc144e2b0a45b439fedd02afdef60163054a340492019cad2b5dccd4edd.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4500
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4100
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:3152
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7BA8.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4728
            • C:\Users\Admin\AppData\Local\Temp\ef3c3bc144e2b0a45b439fedd02afdef60163054a340492019cad2b5dccd4edd.exe
              "C:\Users\Admin\AppData\Local\Temp\ef3c3bc144e2b0a45b439fedd02afdef60163054a340492019cad2b5dccd4edd.exe"
              4⤵
              • Executes dropped EXE
              PID:4120
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4556
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2876
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:1760
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2768
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2368

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            f1ff0cfb99f6b0bf2a9e1de01f1ec6c2

            SHA1

            487ec0860993efcb76858a15e85372df2987750d

            SHA256

            bb358cb0d1d27f1977fc528b2706cc7dacebb059c6f13a894cf390aeeb2f72e0

            SHA512

            4eb05b18d762707e7c7632dd7c9b1858d9498c36998d23fd2b71ee37a5f09d8641db6397aae98d9c55aa4a5ed03189fdfbae2b50095ae5ccd88f75c361d739b4

            Download Submit

          • C:\Program Files\7-Zip\7z.exe
            Filesize

            577KB

            MD5

            15d25b3b67de24e76c378e5626b6f653

            SHA1

            3136830b143b37acf71d360b3cb0d9453ad74c37

            SHA256

            04823ec5e49ff658303130cc666b6e5945b11dd45ca9d6722b6551ee7ad700fa

            SHA512

            6fb72bc62cb5521dbea5adc6b65aad723539f91b097f140cceb6bfa411d2b7a0c49224f0d4406e48d88439258a9f30dfacff640ba61551182a8e859bba08da05

            Download Submit

          • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
            Filesize

            643KB

            MD5

            3cb4c47324c118a345b7c0674675d736

            SHA1

            a24a927dae79e823df3d0dd6c2c466bf68166c1e

            SHA256

            a9c3670846d466ffb24498376e95cf8661cf42765953e6d3bbb3d4b096c1d87e

            SHA512

            1b65197f62207b5c0333133aec500e6b90d4e8f24f93287f70b89e45081e644b2582b014a0a55169bdd582fa3b35564504a92c658036e3f2e0a3cca98771d7c6

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a7BA8.bat
            Filesize

            722B

            MD5

            02aadb4511d8b3fb577adbf023fbdc1b

            SHA1

            0248d09e6f85dc836e7306a570c9730a7646ab7d

            SHA256

            62e149d95d97285ce8398c94dc01ef7660a72c8e7ac644bd8b5f6c1687e8519e

            SHA512

            e339d67baa794d009fb62b4b75bf80c0b0cb159d2bcdcf711e2d90b1e3bd75556fbbcc9eef77027de4babd79af0f4eb908b19d029f9407777c800603f75eff56

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\ef3c3bc144e2b0a45b439fedd02afdef60163054a340492019cad2b5dccd4edd.exe.exe
            Filesize

            360KB

            MD5

            5fbd45261a2de3bb42f489e825a9a935

            SHA1

            ff388f6e9efe651ec62c4152c1739783e7899293

            SHA256

            9e63701598199d5c47217e23b44d0e3ec5d53f5419166b1b6c68a7e9e8fc47a4

            SHA512

            7f22b1995a07016adb342c551454d602bfbe511525139aee8581b62116608e9e278fd81c26382f1333c7eccded4474196e73c093bb5cbf8e8f203e865024c058

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            02c56be1db3c03dbaf50330e686d3c74

            SHA1

            c38374d6d8db6163f21b27fb353778f94e3cd1e9

            SHA256

            98ce89e1c74b56f7336b4cfab30d0280e56f9dbef29a8c38ac7540e22df4b5b5

            SHA512

            c4ee4590c268296541f3031b16570d9fdd3d6bd85fa3cc2c2a4f5594bfd4888eee7749d2eb3a44cafe38a9cfa777ee82b58d9d0bf5c7682c2f8d02bdbba54ef4

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-355664440-2199602304-1223909400-1000\_desktop.ini
            Filesize

            9B

            MD5

            a4e284afce5c2e93b509543e6064da82

            SHA1

            77a7ae3e38b05410dcf335f8abe1df4d7f0b141c

            SHA256

            f4460d1a85b2980fa2b8d329adda0fd330f8157d7afc2d7b1bad62453ff1dfe8

            SHA512

            8f2147ca54c96b0b05bf69a7919b5bf54b20036ba8336f6ba379c2abb0d31139a91d315130040ef1d06450dd624d8a8661396eb082407b8f7455be4d61351821

            Download Submit

          • memory/4500-8-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4500-0-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4556-17-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4556-3229-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4556-10-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4556-8737-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download