Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

4a1525c6c0...a8.exe

windows7-x64

7

4a1525c6c0...a8.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    155s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/04/2024, 18:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4a1525c6c0c41e79f0ad44ff4d54e4dd2408358c99d77ac80d53d5134c2384a8.exe

  • Size

    169KB

  • MD5

    d87d6facaf717caddf9e05d153ba3c92

  • SHA1

    52a6c747fd184bb09b2a76e534555173d3127ce9

  • SHA256

    4a1525c6c0c41e79f0ad44ff4d54e4dd2408358c99d77ac80d53d5134c2384a8

  • SHA512

    e5bcd1335967f0f6d2454c24619d1c8119a17b584340829925cc2ea5f239c1c0b8741729b422e23fa1ab49e4952911ab56786f7743a41d063f3d063ec7edc6ed

  • SSDEEP

    3072:8GYe+azbRPrlr9RXFcQekqnwLD9m0WjfuRRfEdj4E3f90bC:td+azbRZvSQek9if1Vv+W

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3240
      • C:\Users\Admin\AppData\Local\Temp\4a1525c6c0c41e79f0ad44ff4d54e4dd2408358c99d77ac80d53d5134c2384a8.exe
        "C:\Users\Admin\AppData\Local\Temp\4a1525c6c0c41e79f0ad44ff4d54e4dd2408358c99d77ac80d53d5134c2384a8.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:228
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4492
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:3272
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDF5.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1796
            • C:\Users\Admin\AppData\Local\Temp\4a1525c6c0c41e79f0ad44ff4d54e4dd2408358c99d77ac80d53d5134c2384a8.exe
              "C:\Users\Admin\AppData\Local\Temp\4a1525c6c0c41e79f0ad44ff4d54e4dd2408358c99d77ac80d53d5134c2384a8.exe"
              4⤵
              • Executes dropped EXE
              PID:3660
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4940
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1548
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2932
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:456
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:3596
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3708 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
            1⤵
              PID:376

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
              Filesize

              264KB

              MD5

              ab6e14fd3b3b82a74d70dd03d0a8e116

              SHA1

              e8263c09ed7968ab04e1459ad46041ccdd9ff5e9

              SHA256

              03dda7016a22dd98411b67875e2fe461c960b068fbcb019579d8392530b41571

              SHA512

              851e9288ba102d5eabd34d887b70a883307bce31ccb4c7eeaf2b3010cb6bb9435a9c0261bfdafb4a0bf4046b6bc7928cbfb62599269a9c197ec2f83efaf258e8

              Download Submit

            • C:\Program Files\7-Zip\7z.exe
              Filesize

              583KB

              MD5

              612c71f176cbb3a987994ef9d580f372

              SHA1

              ab77fb255f0b3da4d50e3cdbf649c87188373a62

              SHA256

              6ad09d061abc19754e50e37200a4c935dda0d4a33b03f4ff9c16bf58bf8f1be2

              SHA512

              57a5d59e2b2892b17d769053ffc44957b7a119c43bab4528f9ea744b7df146dd0db25c82420e97515811c8a3e0dd8b6caf90b100a3a3dc2fb0fb0fe42cadbd9e

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\$$aDF5.bat
              Filesize

              721B

              MD5

              a37443db62ea7f85c6a6550d5b6769f4

              SHA1

              e473985e95049a2049cd4c6721435ab95559e4cb

              SHA256

              d53ef7886f75b97c2a05e575ae83f605c89cbc12b0b0f35a058d0c7687980d68

              SHA512

              015513c4ffd3a13a132a3c58a09b951931c94e63159534ae32c57d11d4a483604355b750aa4f5f079157e9f3b9f7d0f92ca5f58694717a192f75080504da036c

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\4a1525c6c0c41e79f0ad44ff4d54e4dd2408358c99d77ac80d53d5134c2384a8.exe.exe
              Filesize

              129KB

              MD5

              11111df26aba5a177fbd3ff2821a9e5d

              SHA1

              dba82329673e02dd99adbeb2d20538d10b6f484a

              SHA256

              25e0e882cca2fc89942924ae208abf9059fe3f8bd87a16f788f8aad1f61521df

              SHA512

              4d814017ce21b06208b5cd6814d40e801283a41216ea27986a88af50d2d61d23e9c54c0aafe6a8c509a94d156c59fb3dc8f46b902bcbc5acd185a712d31b2034

              Download Submit

            • C:\Windows\Logo1_.exe
              Filesize

              39KB

              MD5

              bc43e3c481e7fbe3ee697f9017cf4c1b

              SHA1

              6a76534a3a4bd72437b06bdccf1475846d7a308d

              SHA256

              c33f277a3cea2a938fc05fda7bf9b9a0ae89474eaacf6b0b6223e07eb4ec3b6a

              SHA512

              e5c2f3485b7573a6638f6d5ea2907371efc68b35655739e8e0c8f841de9c2d302b246eacb9627912cee5dd7ab0a9f7f652e73eb7d1925ddde20bb92e29310ce1

              Download Submit

            • F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\_desktop.ini
              Filesize

              9B

              MD5

              f29b71f66ac42a28a8d1e12a13d61861

              SHA1

              bd61fbc8b6eed4cae3fa29d7b950784258be10cd

              SHA256

              9a5e4ff44f8f5bb21798074ea03e493911b59680e37191522562dece826da1cf

              SHA512

              90c31cda60a9a63e3fa78e99f1104d1a9c9f811e11b62f75063b6007ae284c8c233b5d1235defab7ae0deec3b7892c85af9319219405c44d16fa29a3215f50e0

              Download Submit

            • memory/228-10-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/228-0-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4940-2008-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4940-345-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4940-8-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4940-3293-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4940-17-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4940-5213-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4940-6494-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4940-8719-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4940-8818-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download