Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

ce471a2920...e9.exe

windows7-x64

7

ce471a2920...e9.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/05/2024, 07:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ce471a29207d1640e021564b8fbc17028fed2a2a366418a88d8130562bb74ee9.exe

  • Size

    264KB

  • MD5

    8dcdd16a6ea39934e2345b7075aa3f27

  • SHA1

    36e3e536bb16b8e5c9a3219bf7e394ed72cefe93

  • SHA256

    ce471a29207d1640e021564b8fbc17028fed2a2a366418a88d8130562bb74ee9

  • SHA512

    16e021244c4db1d69911d2fe50e958c1f725d08dd9e7b4f8d7f80bb26d3bd53d1ff7fb18e9dcb94b3382516bc80e0eff331c915619821e2ec12d2b131a43cf8e

  • SSDEEP

    6144:W+azbRZvTgiC4bXqsTk90qC1AOb7eswf1Px++fD8PJ:W+azbv8itXqsTkiR7twRx+gD8PJ

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3452
      • C:\Users\Admin\AppData\Local\Temp\ce471a29207d1640e021564b8fbc17028fed2a2a366418a88d8130562bb74ee9.exe
        "C:\Users\Admin\AppData\Local\Temp\ce471a29207d1640e021564b8fbc17028fed2a2a366418a88d8130562bb74ee9.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1208
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4632
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1188
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7A8F.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1844
            • C:\Users\Admin\AppData\Local\Temp\ce471a29207d1640e021564b8fbc17028fed2a2a366418a88d8130562bb74ee9.exe
              "C:\Users\Admin\AppData\Local\Temp\ce471a29207d1640e021564b8fbc17028fed2a2a366418a88d8130562bb74ee9.exe"
              4⤵
              • Executes dropped EXE
              PID:1988
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4912
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3860
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:900
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2888
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:4232

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files\7-Zip\7z.exe
            Filesize

            583KB

            MD5

            195dec0b5f3ed72db970a50dc8be425a

            SHA1

            1304e1acf8a887fff62f8cff99b0bdd553cf22d7

            SHA256

            28a6c39648e2aa6a9e8791504bb7ae8adb2d40d4304d9358b32fd7d7cf1aa1d1

            SHA512

            d96bb26e543957d0d7c5700c96e167967b2bc002252468a6530544c227acc092e278943dfda09e5ae6ce52c317906f748d0f07375d1c6e22179ff569e394b740

            Download Submit

          • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
            Filesize

            649KB

            MD5

            e4b4c486987a76abb8a18c33b36514b5

            SHA1

            1c83216295cfc852c1a35198e31d8d385efd373a

            SHA256

            30f0474b455caa56bfb989bfcc04bb4db00f81857c28657f3fecf1dbcc6eb5dc

            SHA512

            f8532180a32b17153626d9879a93159132b2e10708e81aec83c995a8e9b642d5b6ccdd1db676c92302bdd5bb97726e670876490e97d65b27865ea7e72c8c4515

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a7A8F.bat
            Filesize

            722B

            MD5

            c38ccd92fce731abd40013d9b7a2908f

            SHA1

            069eaf309d7f7371fb6af217bf764b73c42edd2a

            SHA256

            a701990e1ebc5a02c8fec30dbd8aa0295727076fee65b9236e9ba9ae85f1b5dd

            SHA512

            8555cbba7757bb64435f1cfeb19925f212fbc2cbc096dd6dedce67ca965e1aa028c098907767454e873544061041abed9fd8abcee9b16d661f120957ef912eac

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\ce471a29207d1640e021564b8fbc17028fed2a2a366418a88d8130562bb74ee9.exe.exe
            Filesize

            224KB

            MD5

            d4b257c01bbaa68d15d8368475a4e227

            SHA1

            fafae083a882e163cfa8c77258baaab891c17df2

            SHA256

            dd6dd981c7f1a6673dc8cc3a0fe1fc8a54e059a9fdb0545b0dc9258299c0c546

            SHA512

            167494ecb32196e8e199d7d14a1c0498eee45ab8e8862e5441539fa569313bb602b9e979935c7cc5ba39300e54e8bdbdf2f502e4ea24b5e8339fd2c3685ca502

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            39KB

            MD5

            b358a6cac10ccc8c0ba6d33b809eb77a

            SHA1

            4b662ed65f5af865bf40925e0aacafc9a6e3a2cb

            SHA256

            b4c9ed18a1f2124fcc393b4779ebd601b36eba3bc6acaa565c532bab3aec694d

            SHA512

            a7d8b81673b74bafc0251a4a291b15774807612b566b7b5909369f964d08ce9e5671fab5ba5da0e1b479b4838d04d159ca7231da47f3b8d19b1d3b88ce6e85c1

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-4018855536-2201274732-320770143-1000\_desktop.ini
            Filesize

            8B

            MD5

            35a8ee2041a708d5071bff39818311c3

            SHA1

            31114ee16a39b8ada4130a94c1c36ed74a563d2a

            SHA256

            b2405b086204a9155a2dabf58717e53695089ece5d0af208cb960473ba350f8b

            SHA512

            f17fa8c794a47b0134ac4d8e83010e8dce1a0f2ab74a400c571d6470737e386f4eb1351be6c5b153dc063c49d333b69ddf67871d2e0ffb3c02d243be0015f1f0

            Download Submit

          • memory/1208-0-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/1208-10-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/4912-11-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/4912-18-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/4912-3236-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/4912-8736-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download