Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

12d15bb829...16.exe

windows7-x64

7

12d15bb829...16.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    24/04/2024, 19:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    12d15bb829e4d2d2f0bf0e123650c21f74f0e7bd7a606aa09f1b5d02a5941116.exe

  • Size

    156KB

  • MD5

    3fb7eac74e6998f4ad180de9b6379209

  • SHA1

    74d860e071eb0db89eaa92c4b81a218fe4ffe5d6

  • SHA256

    12d15bb829e4d2d2f0bf0e123650c21f74f0e7bd7a606aa09f1b5d02a5941116

  • SHA512

    1ee6b41df5bf16c3d1bedffcb8aa00967aef8ea25a821d484e4f75932dd90075444f29fa3b4ba16e00635f0d0b5ade6a68b280f93f5d412daf064da2ed07d270

  • SSDEEP

    3072:84Ye+azbRPrlr9RXFHmZWXyaiedMbrN6pnoXPBsr5Zrt:Td+azbRZv5SNaPM4loo5Z5

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1208
      • C:\Users\Admin\AppData\Local\Temp\12d15bb829e4d2d2f0bf0e123650c21f74f0e7bd7a606aa09f1b5d02a5941116.exe
        "C:\Users\Admin\AppData\Local\Temp\12d15bb829e4d2d2f0bf0e123650c21f74f0e7bd7a606aa09f1b5d02a5941116.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1304
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2280
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:320
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a15F1.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1796
            • C:\Users\Admin\AppData\Local\Temp\12d15bb829e4d2d2f0bf0e123650c21f74f0e7bd7a606aa09f1b5d02a5941116.exe
              "C:\Users\Admin\AppData\Local\Temp\12d15bb829e4d2d2f0bf0e123650c21f74f0e7bd7a606aa09f1b5d02a5941116.exe"
              4⤵
              • Executes dropped EXE
              PID:2648
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2384
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2268
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2680
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2560
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2116

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            264KB

            MD5

            32b6aa604bd02727e84d7952721f055a

            SHA1

            3cf3d7eb354b0dac52465fc69071e90a4412607c

            SHA256

            cf99dc814df2ed704b1676e80f7a219474ac8b95c64d28b84b206a6bf7ed9bca

            SHA512

            b1e1c29ce4589a5e30932c7543e1ea80b52faac234f352081a40d57e68ef385b563874ed5b142ed94c4accf889615b8c0678f43df50dca04195429014ce6df1e

            Download Submit

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            484KB

            MD5

            79d4fd1cb70f3844796aa1ea18a238e2

            SHA1

            78d207a7de2aeb85eefc185d894b0b7626e1e1f3

            SHA256

            ccaacc3965c1bdfce8cd1e934895a4563dddf082016e56846966c250bed87d5b

            SHA512

            7a0167cbce49f09ea39e490862b8c371eacf8ce3d74d6a6054e7f0e1df4b307019f5adee03603fcb9d4db2b17841cbc9cf129e9480d70b20c266fe82b3979b33

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a15F1.bat
            Filesize

            722B

            MD5

            8b84a6acb5fd0e95919896d4d081504b

            SHA1

            4c210ea162768fb7db4054d1e5d60e79b612a7a2

            SHA256

            8f0f691713df5091a783d5e9ac927fcf6ccd5d33f8825be1a75007d4da62c8e1

            SHA512

            a036ea161f91757feedddf47553637059b862e9ae15c11eb1c6e4f47097ed5c728288c9e3cebb82c72cf5d436ccc8778230bbf9e8337815c6648e1d31f7cd0f4

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\12d15bb829e4d2d2f0bf0e123650c21f74f0e7bd7a606aa09f1b5d02a5941116.exe.exe
            Filesize

            116KB

            MD5

            14260726256d54de6ccb2eff1003c05c

            SHA1

            073c85b1d5dade530694ef00543698f16d39fd45

            SHA256

            3970359aee5c8cb9451c2c84ae6d4c859999a40ae955d8ade9abacba215a087a

            SHA512

            8bf2d18c0bc4cb42af52ff223199f3504caf73e99fd49dd489306d79364c57d2b5d61039d83cebf898aedc825ab52397613b498aa49b6714fb4fe485112b7d7d

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            39KB

            MD5

            3db42405aac4c2f3aee890c3c249f126

            SHA1

            8d92453ccd9af94d51702bfd28b191b295d1c4c8

            SHA256

            1f48a0595daf780a6e51817d85f7ca6c0d4257c1bb74682f3be2676ab1d0461d

            SHA512

            d555cd0ef14d2f3ef38282244ec1e674fdc3a73ea56e791d7795a78b465486dda3697cdbeab1d2c11e3ea1a000eabb7f92258ac93dfc7d43aa5b85f054ff11a7

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-2248906074-2862704502-246302768-1000\_desktop.ini
            Filesize

            9B

            MD5

            f29b71f66ac42a28a8d1e12a13d61861

            SHA1

            bd61fbc8b6eed4cae3fa29d7b950784258be10cd

            SHA256

            9a5e4ff44f8f5bb21798074ea03e493911b59680e37191522562dece826da1cf

            SHA512

            90c31cda60a9a63e3fa78e99f1104d1a9c9f811e11b62f75063b6007ae284c8c233b5d1235defab7ae0deec3b7892c85af9319219405c44d16fa29a3215f50e0

            Download Submit

          • memory/1208-28-0x0000000002F50000-0x0000000002F51000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1304-0-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/1304-16-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/1304-18-0x0000000000230000-0x000000000026D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2384-19-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2384-32-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2384-3320-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2384-4142-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download