Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

12d15bb829...16.exe

windows7-x64

7

12d15bb829...16.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    160s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/04/2024, 19:26 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    12d15bb829e4d2d2f0bf0e123650c21f74f0e7bd7a606aa09f1b5d02a5941116.exe

  • Size

    156KB

  • MD5

    3fb7eac74e6998f4ad180de9b6379209

  • SHA1

    74d860e071eb0db89eaa92c4b81a218fe4ffe5d6

  • SHA256

    12d15bb829e4d2d2f0bf0e123650c21f74f0e7bd7a606aa09f1b5d02a5941116

  • SHA512

    1ee6b41df5bf16c3d1bedffcb8aa00967aef8ea25a821d484e4f75932dd90075444f29fa3b4ba16e00635f0d0b5ade6a68b280f93f5d412daf064da2ed07d270

  • SSDEEP

    3072:84Ye+azbRPrlr9RXFHmZWXyaiedMbrN6pnoXPBsr5Zrt:Td+azbRZv5SNaPM4loo5Z5

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3300
      • C:\Users\Admin\AppData\Local\Temp\12d15bb829e4d2d2f0bf0e123650c21f74f0e7bd7a606aa09f1b5d02a5941116.exe
        "C:\Users\Admin\AppData\Local\Temp\12d15bb829e4d2d2f0bf0e123650c21f74f0e7bd7a606aa09f1b5d02a5941116.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4976
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4576
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:3532
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a47A3.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3484
            • C:\Users\Admin\AppData\Local\Temp\12d15bb829e4d2d2f0bf0e123650c21f74f0e7bd7a606aa09f1b5d02a5941116.exe
              "C:\Users\Admin\AppData\Local\Temp\12d15bb829e4d2d2f0bf0e123650c21f74f0e7bd7a606aa09f1b5d02a5941116.exe"
              4⤵
              • Executes dropped EXE
              PID:4436
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4812
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4028
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:5044
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4780
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2436
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
            1⤵
              PID:3844

            Network

            • flag-us
              DNS
              228.249.119.40.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              228.249.119.40.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              0.205.248.87.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              0.205.248.87.in-addr.arpa
              IN PTR
              Response
              0.205.248.87.in-addr.arpa
              IN PTR
              https-87-248-205-0lgwllnwnet
            • flag-us
              DNS
              138.32.126.40.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              138.32.126.40.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              157.123.68.40.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              157.123.68.40.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              198.187.3.20.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              198.187.3.20.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              140.71.91.104.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              140.71.91.104.in-addr.arpa
              IN PTR
              Response
              140.71.91.104.in-addr.arpa
              IN PTR
              a104-91-71-140deploystaticakamaitechnologiescom
            • flag-us
              DNS
              217.106.137.52.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              217.106.137.52.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              22.236.111.52.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              22.236.111.52.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              249.197.17.2.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              249.197.17.2.in-addr.arpa
              IN PTR
              Response
              249.197.17.2.in-addr.arpa
              IN PTR
              a2-17-197-249deploystaticakamaitechnologiescom
            • flag-us
              DNS
              174.117.168.52.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              174.117.168.52.in-addr.arpa
              IN PTR
              Response
            No results found
            • 8.8.8.8:53
              228.249.119.40.in-addr.arpa
              dns
              73 B
               159 B
               1
              1

              DNS Request

              228.249.119.40.in-addr.arpa

            • 8.8.8.8:53
              0.205.248.87.in-addr.arpa
              dns
              71 B
               116 B
               1
              1

              DNS Request

              0.205.248.87.in-addr.arpa

            • 8.8.8.8:53
              138.32.126.40.in-addr.arpa
              dns
              72 B
               158 B
               1
              1

              DNS Request

              138.32.126.40.in-addr.arpa

            • 8.8.8.8:53
              157.123.68.40.in-addr.arpa
              dns
              72 B
               146 B
               1
              1

              DNS Request

              157.123.68.40.in-addr.arpa

            • 8.8.8.8:53
              198.187.3.20.in-addr.arpa
              dns
              71 B
               157 B
               1
              1

              DNS Request

              198.187.3.20.in-addr.arpa

            • 8.8.8.8:53
              140.71.91.104.in-addr.arpa
              dns
              72 B
               137 B
               1
              1

              DNS Request

              140.71.91.104.in-addr.arpa

            • 8.8.8.8:53
              217.106.137.52.in-addr.arpa
              dns
              73 B
               147 B
               1
              1

              DNS Request

              217.106.137.52.in-addr.arpa

            • 8.8.8.8:53
              22.236.111.52.in-addr.arpa
              dns
              72 B
               158 B
               1
              1

              DNS Request

              22.236.111.52.in-addr.arpa

            • 8.8.8.8:53
              249.197.17.2.in-addr.arpa
              dns
              71 B
               135 B
               1
              1

              DNS Request

              249.197.17.2.in-addr.arpa

            • 8.8.8.8:53
              174.117.168.52.in-addr.arpa
              dns
              73 B
               147 B
               1
              1

              DNS Request

              174.117.168.52.in-addr.arpa

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
              Filesize

              264KB

              MD5

              32b6aa604bd02727e84d7952721f055a

              SHA1

              3cf3d7eb354b0dac52465fc69071e90a4412607c

              SHA256

              cf99dc814df2ed704b1676e80f7a219474ac8b95c64d28b84b206a6bf7ed9bca

              SHA512

              b1e1c29ce4589a5e30932c7543e1ea80b52faac234f352081a40d57e68ef385b563874ed5b142ed94c4accf889615b8c0678f43df50dca04195429014ce6df1e

              Download Submit

            • C:\Program Files\7-Zip\7z.exe
              Filesize

              583KB

              MD5

              0f94052219e229be47ace8002caf43a7

              SHA1

              dc1b614692dcda7611ea11c89af3f93b9ebeeb5f

              SHA256

              f31750dc176b3562111fa441d4bf540f330caa9ff264f2009911a951c8d32358

              SHA512

              045be9d58d79f26e3ef90aaeed60f31f36055bb8ce03c365d8fc1f52d30e7db7880cb1daf42bc60ffdd4dd6dc01ede18b3f977cefc935eede27685d777e54960

              Download Submit

            • C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
              Filesize

              494KB

              MD5

              1b817b54adfc26cf7040cf6cf292d1da

              SHA1

              2f0ab6c15c9e98b86ef9ec7018244ee9b30a8e9c

              SHA256

              d3009c1cc3dea487478340c9c95eb10bff9d668b8307610ccca19ad865bfb08e

              SHA512

              08bcdaae2b2272453aa74669e2b95b221e588ad75421e936454c167155d58e3afa6ca1a5f2a5457130907b4df51217634bcddb18d7427bd4051124e84d280b74

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\$$a47A3.bat
              Filesize

              722B

              MD5

              6a1daeb532daf41e1fc06be793a69d34

              SHA1

              557908b39d6dc1198a4e14ea60513bea8eab820b

              SHA256

              48e91cf50e1e02cbc7f1f3a5ae8b5b7e4d338c9501c8be3e8183bbaa93101d9b

              SHA512

              6a2d40e8782d5cc6f33bfb71a81a147baa03a0eabdc81ae26037fd4697b0d98c507ceeb710aedbfb0d633c37adc785dab6c8a27de83afaa8b3f6f5f4f9fd7846

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\12d15bb829e4d2d2f0bf0e123650c21f74f0e7bd7a606aa09f1b5d02a5941116.exe.exe
              Filesize

              116KB

              MD5

              14260726256d54de6ccb2eff1003c05c

              SHA1

              073c85b1d5dade530694ef00543698f16d39fd45

              SHA256

              3970359aee5c8cb9451c2c84ae6d4c859999a40ae955d8ade9abacba215a087a

              SHA512

              8bf2d18c0bc4cb42af52ff223199f3504caf73e99fd49dd489306d79364c57d2b5d61039d83cebf898aedc825ab52397613b498aa49b6714fb4fe485112b7d7d

              Download Submit

            • C:\Windows\Logo1_.exe
              Filesize

              39KB

              MD5

              3db42405aac4c2f3aee890c3c249f126

              SHA1

              8d92453ccd9af94d51702bfd28b191b295d1c4c8

              SHA256

              1f48a0595daf780a6e51817d85f7ca6c0d4257c1bb74682f3be2676ab1d0461d

              SHA512

              d555cd0ef14d2f3ef38282244ec1e674fdc3a73ea56e791d7795a78b465486dda3697cdbeab1d2c11e3ea1a000eabb7f92258ac93dfc7d43aa5b85f054ff11a7

              Download Submit

            • F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\_desktop.ini
              Filesize

              9B

              MD5

              f29b71f66ac42a28a8d1e12a13d61861

              SHA1

              bd61fbc8b6eed4cae3fa29d7b950784258be10cd

              SHA256

              9a5e4ff44f8f5bb21798074ea03e493911b59680e37191522562dece826da1cf

              SHA512

              90c31cda60a9a63e3fa78e99f1104d1a9c9f811e11b62f75063b6007ae284c8c233b5d1235defab7ae0deec3b7892c85af9319219405c44d16fa29a3215f50e0

              Download Submit

            • memory/4812-66-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4812-1728-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4812-11-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4812-7320-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4812-190-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4812-421-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4812-874-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4812-18-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4812-2471-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4812-4004-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4812-5549-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4976-9-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4976-1-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4976-0-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            We care about your privacy.

            This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.