Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

39de4483e5...b5.exe

windows7-x64

7

39de4483e5...b5.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    05/05/2024, 14:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    39de4483e57a19f1bea4653eb9f31d8cf6b5450adf9dfa262cd00edee4fe38b5.exe

  • Size

    491KB

  • MD5

    c8b160531aa8d9f736d9ff319ceb61ce

  • SHA1

    754418ea63855b579c9aa67587aa87279ea3907e

  • SHA256

    39de4483e57a19f1bea4653eb9f31d8cf6b5450adf9dfa262cd00edee4fe38b5

  • SHA512

    ef9c345b35f6f91d1271a1382f3ba61b826d27e9d60cd1b1a2f1c97dda6a2afd1bde76ed71bb9cc8d5eeeb3947ada823f1c2a331cbb28f05d9271b3024e50e31

  • SSDEEP

    12288:t1quIf1gL5pRTcAkS/3hzN8qE43fm78V:t1q45jcAkSYqyE

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1324
      • C:\Users\Admin\AppData\Local\Temp\39de4483e57a19f1bea4653eb9f31d8cf6b5450adf9dfa262cd00edee4fe38b5.exe
        "C:\Users\Admin\AppData\Local\Temp\39de4483e57a19f1bea4653eb9f31d8cf6b5450adf9dfa262cd00edee4fe38b5.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2956
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2832
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2908
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9DD5.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2984
            • C:\Users\Admin\AppData\Local\Temp\39de4483e57a19f1bea4653eb9f31d8cf6b5450adf9dfa262cd00edee4fe38b5.exe
              "C:\Users\Admin\AppData\Local\Temp\39de4483e57a19f1bea4653eb9f31d8cf6b5450adf9dfa262cd00edee4fe38b5.exe"
              4⤵
              • Executes dropped EXE
              PID:2524
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2472
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2488
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2608
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2448
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2384

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            6569ba6a19dcf267363ead3e7d709a6e

            SHA1

            2e3a72272fb2b4a849f2fc443fe6bb0f17b03f9c

            SHA256

            da43031a617d4143466e60d648f6da2625e2f203ef46b255bfdc77ea4ed695ec

            SHA512

            83f15ab1ba1c44af699b980c830b775289e9b382e3142fd1392206372d20be555d7c40b7a3f8e5fda9d4d7fe508a7fe45cffe5b3929d7e31d9f3af7ce39942eb

            Download Submit

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            478KB

            MD5

            cc0ad68e66fa1c78c1e3b0ed71a55263

            SHA1

            38ce29b51fde2a8fd1d3c663c5c98d8b18b38007

            SHA256

            536f02a2008e2e11502a3a3b573b641e5b377acd0f72ab2099a89adacec2fc1d

            SHA512

            59cfd05a61703d30dd0d454ba89c4f3453943d1d9664e7f8d13886561238863d7ff6fa33a7966518420b085a72a59c407add0f29265f8fd5fefb22f0eb159b91

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a9DD5.bat
            Filesize

            722B

            MD5

            0f9b7cd29b460e496d6f1f15c02217fc

            SHA1

            a89851a5cafb7dfd86cef954c7ee01c0a29a3a76

            SHA256

            0e7bf632169527549195394626ae9b23952a015213efc6566896b7a62002a3e3

            SHA512

            f586861948629b71a868bc249c9ce20bd53f571a6bb3bc435152250dec548b9e1dbba17bf4148db43d0078793c80785581ec53bc5965dbb6f5e874e8e92e9311

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\39de4483e57a19f1bea4653eb9f31d8cf6b5450adf9dfa262cd00edee4fe38b5.exe.exe
            Filesize

            458KB

            MD5

            619f7135621b50fd1900ff24aade1524

            SHA1

            6c7ea8bbd435163ae3945cbef30ef6b9872a4591

            SHA256

            344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

            SHA512

            2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            e66ec81a55072abc67e5c48adc2f771c

            SHA1

            b7b45b11de92fafe2ccd0c5a0a1a1d24991eba5a

            SHA256

            6a9fa6177b7f71bfa63a0274a9832d18bfecbdc663bf23e1580203a5456b8a90

            SHA512

            097f9f98618b195a7af7814e7eddba5ce1c25bd3a0d7818e79b4dfda1d6d20b08b0f28dec64278015a62fd5a3bf7495ae2d65ccfa1c48fc7a30a6eb3d9cd8287

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\_desktop.ini
            Filesize

            8B

            MD5

            1b16d2dbd4281ce4e4e5729c608dcb0b

            SHA1

            851e624080ba5598edb808d4b30fe2d74999ce18

            SHA256

            c9e46fb51d0588ca1e48ca66731e11992770b9b74a982f9bdbb6ce5b5b75d549

            SHA512

            cd1c4cf7c7871cb48ce735226b25f689b340037e6c992441e566161de7fca7410762d1a0c2670ee4b6546f7ee854d3219e0e2315c3e0387d9bbe3f08076b5a59

            Download Submit

          • memory/1324-28-0x00000000025F0000-0x00000000025F1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2472-32-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2472-1792-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2472-19-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2472-3292-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2472-4042-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2956-16-0x00000000002B0000-0x00000000002ED000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2956-0-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2956-17-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download