Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

17ed23ca5f...0d.exe

windows7-x64

7

17ed23ca5f...0d.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    03/05/2024, 18:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    17ed23ca5fae59814a518fecadcb203822d63bcf78f333d77c30395da999340d.exe

  • Size

    70KB

  • MD5

    9844f26c45f21499d4913c310a485245

  • SHA1

    aadb779a5ba654305a7091f4f91d504d116d39e7

  • SHA256

    17ed23ca5fae59814a518fecadcb203822d63bcf78f333d77c30395da999340d

  • SHA512

    ec34d16e0cebd1f9e319a8d67bb316fc0811cd2473bb1a5c6c7fda8332a4bebc8a6f06da3473ff277ca8cbdb760325f6e5770f7691e5594eb7fbf41789a2551c

  • SSDEEP

    1536:Ig8Ze+Zk77RNzLiTOPriw+d9bHrkT5gUHz7FxtJ:Igae+aX3zvPrBkfkT5xHzD

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1136
      • C:\Users\Admin\AppData\Local\Temp\17ed23ca5fae59814a518fecadcb203822d63bcf78f333d77c30395da999340d.exe
        "C:\Users\Admin\AppData\Local\Temp\17ed23ca5fae59814a518fecadcb203822d63bcf78f333d77c30395da999340d.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1992
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2588
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2976
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1D7F.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2728
            • C:\Users\Admin\AppData\Local\Temp\17ed23ca5fae59814a518fecadcb203822d63bcf78f333d77c30395da999340d.exe
              "C:\Users\Admin\AppData\Local\Temp\17ed23ca5fae59814a518fecadcb203822d63bcf78f333d77c30395da999340d.exe"
              4⤵
              • Executes dropped EXE
              PID:2424
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2552
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2556
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:1680
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2564
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2396

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            81a0e302bbfd88e0fa1e7a21dec03386

            SHA1

            423f9191a497994c2fb959806c9ad0ef5b678d0c

            SHA256

            8f8b833c8ee99eb2bdcf44ae370ed5505681331b52adc56815d96a263e60cbe7

            SHA512

            b4b05481f1026a2aff43ae42416c943902f87ddab8941fab5c8f4875956fcc67e8ce66acb4a7e98d705769b75c01beb0a9be279b29c8a2e9dfe5ae96bb742d00

            Download Submit

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            478KB

            MD5

            58e981aa689693f5695bae5cb00cfa39

            SHA1

            d8d4575dd3f2aaed503388aae63b3a947f7a7e82

            SHA256

            0947128e04349f2829e54dad392e85b448539782dfcc666e382b361e9489a488

            SHA512

            e41d12ba89eac143445597ddbc7bab2945b273acc26a49ea7982864be31ae3c3ec6838b3f237b6285e8c1ba6cd15161736bcb88a75dde093f9a1916e7c938661

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a1D7F.bat
            Filesize

            722B

            MD5

            10f528ca48b29ca3d98cba665cafd675

            SHA1

            f7882c8edd422b8767723abb1f5d5ee3eabf112a

            SHA256

            760243388e8057ef845f109ec1884ebd4a3e78346c33a816c7768252d17caa9a

            SHA512

            bdb80487414dd960d105b166e8e48cbf6093f4d836acd954a2f64b6e0dfa276587bcb38f2797939408c8e284e298a3aac666d179f9e2fabd5d165cab16bf614a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\17ed23ca5fae59814a518fecadcb203822d63bcf78f333d77c30395da999340d.exe.exe
            Filesize

            36KB

            MD5

            9f498971cbe636662f3d210747d619e1

            SHA1

            44b8e2732fa1e2f204fc70eaa1cb406616250085

            SHA256

            8adf6748981c3e7b62f5dbca992be6675574fffbce7673743f2d7fe787d56a41

            SHA512

            b73083c2f7b028d2946cb8f7b4fe2289fedaa4175364a2aac37db0aeff4602aede772ccc9eba7e6dcfcb7276e52604ca45d8021952201b5834485b48bca3dc93

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            420f125d677f0bf19d6130ea59dfb694

            SHA1

            c26ae0c439982374d7ed6db90761cdb1d4f2f617

            SHA256

            4784cbb5bf5947b0729e72958deb0c4f12222523aee7f3c19856e16f9e2068d2

            SHA512

            23cc499e39b347ecd15b6ba5eafd3455295bcf0508b14e65c24928cb9e6d90d5c324ae3687186b954d4549dccce2087f08fda10bbf1205b19df74ef6b1a773ee

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\_desktop.ini
            Filesize

            8B

            MD5

            0282826728a8bfe9c3f290391e4f323c

            SHA1

            ab69946ecc2824015e04a669b8434e8eb2a658aa

            SHA256

            0c3ddb95f5308286721e2d55c16a3170674b54fc8d17c1f02bee1b6850ce2ee9

            SHA512

            fde2cb3a9b14fa79fdb7615c094a85aee3baf100511872c0b3986349edefe5a2dc4513929587852c1672e9632c8a6c95284fab82397133dec597bb8fe618fb0e

            Download Submit

          • memory/1136-27-0x0000000002D20000-0x0000000002D21000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1992-0-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/1992-16-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2552-18-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2552-31-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2552-3318-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2552-4141-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download