Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

ce471a2920...e9.exe

windows7-x64

7

ce471a2920...e9.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    01/05/2024, 07:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ce471a29207d1640e021564b8fbc17028fed2a2a366418a88d8130562bb74ee9.exe

  • Size

    264KB

  • MD5

    8dcdd16a6ea39934e2345b7075aa3f27

  • SHA1

    36e3e536bb16b8e5c9a3219bf7e394ed72cefe93

  • SHA256

    ce471a29207d1640e021564b8fbc17028fed2a2a366418a88d8130562bb74ee9

  • SHA512

    16e021244c4db1d69911d2fe50e958c1f725d08dd9e7b4f8d7f80bb26d3bd53d1ff7fb18e9dcb94b3382516bc80e0eff331c915619821e2ec12d2b131a43cf8e

  • SSDEEP

    6144:W+azbRZvTgiC4bXqsTk90qC1AOb7eswf1Px++fD8PJ:W+azbv8itXqsTkiR7twRx+gD8PJ

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1204
      • C:\Users\Admin\AppData\Local\Temp\ce471a29207d1640e021564b8fbc17028fed2a2a366418a88d8130562bb74ee9.exe
        "C:\Users\Admin\AppData\Local\Temp\ce471a29207d1640e021564b8fbc17028fed2a2a366418a88d8130562bb74ee9.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1724
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2236
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1212
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a16BC.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2584
            • C:\Users\Admin\AppData\Local\Temp\ce471a29207d1640e021564b8fbc17028fed2a2a366418a88d8130562bb74ee9.exe
              "C:\Users\Admin\AppData\Local\Temp\ce471a29207d1640e021564b8fbc17028fed2a2a366418a88d8130562bb74ee9.exe"
              4⤵
              • Executes dropped EXE
              PID:2756
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2116
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2732
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2600
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2808
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2656

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            484KB

            MD5

            79d4fd1cb70f3844796aa1ea18a238e2

            SHA1

            78d207a7de2aeb85eefc185d894b0b7626e1e1f3

            SHA256

            ccaacc3965c1bdfce8cd1e934895a4563dddf082016e56846966c250bed87d5b

            SHA512

            7a0167cbce49f09ea39e490862b8c371eacf8ce3d74d6a6054e7f0e1df4b307019f5adee03603fcb9d4db2b17841cbc9cf129e9480d70b20c266fe82b3979b33

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a16BC.bat
            Filesize

            722B

            MD5

            d75277ddf112eecafd119af5a923744c

            SHA1

            15fab825485f85de6ad1684d09023991e7dcb8dc

            SHA256

            dd3cc8fc05d2910175c46b4f584b6f6ce9dddf895cb57fb9a3578ab64716d2b5

            SHA512

            0d11a68db898c31c106543d8299987ea026a0fab740d16d96c973ae5d3d8fc0c7eb799c65188fd12c812727b37704a30ad7d4ae983e8ebabe551003e4e5aafbf

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\ce471a29207d1640e021564b8fbc17028fed2a2a366418a88d8130562bb74ee9.exe.exe
            Filesize

            224KB

            MD5

            d4b257c01bbaa68d15d8368475a4e227

            SHA1

            fafae083a882e163cfa8c77258baaab891c17df2

            SHA256

            dd6dd981c7f1a6673dc8cc3a0fe1fc8a54e059a9fdb0545b0dc9258299c0c546

            SHA512

            167494ecb32196e8e199d7d14a1c0498eee45ab8e8862e5441539fa569313bb602b9e979935c7cc5ba39300e54e8bdbdf2f502e4ea24b5e8339fd2c3685ca502

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            39KB

            MD5

            b358a6cac10ccc8c0ba6d33b809eb77a

            SHA1

            4b662ed65f5af865bf40925e0aacafc9a6e3a2cb

            SHA256

            b4c9ed18a1f2124fcc393b4779ebd601b36eba3bc6acaa565c532bab3aec694d

            SHA512

            a7d8b81673b74bafc0251a4a291b15774807612b566b7b5909369f964d08ce9e5671fab5ba5da0e1b479b4838d04d159ca7231da47f3b8d19b1d3b88ce6e85c1

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\_desktop.ini
            Filesize

            8B

            MD5

            35a8ee2041a708d5071bff39818311c3

            SHA1

            31114ee16a39b8ada4130a94c1c36ed74a563d2a

            SHA256

            b2405b086204a9155a2dabf58717e53695089ece5d0af208cb960473ba350f8b

            SHA512

            f17fa8c794a47b0134ac4d8e83010e8dce1a0f2ab74a400c571d6470737e386f4eb1351be6c5b153dc063c49d333b69ddf67871d2e0ffb3c02d243be0015f1f0

            Download Submit

          • memory/1204-27-0x0000000002E80000-0x0000000002E81000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1724-0-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/1724-16-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2116-19-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2116-30-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2116-3321-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2116-4142-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download