Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

39de4483e5...b5.exe

windows7-x64

7

39de4483e5...b5.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/05/2024, 14:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    39de4483e57a19f1bea4653eb9f31d8cf6b5450adf9dfa262cd00edee4fe38b5.exe

  • Size

    491KB

  • MD5

    c8b160531aa8d9f736d9ff319ceb61ce

  • SHA1

    754418ea63855b579c9aa67587aa87279ea3907e

  • SHA256

    39de4483e57a19f1bea4653eb9f31d8cf6b5450adf9dfa262cd00edee4fe38b5

  • SHA512

    ef9c345b35f6f91d1271a1382f3ba61b826d27e9d60cd1b1a2f1c97dda6a2afd1bde76ed71bb9cc8d5eeeb3947ada823f1c2a331cbb28f05d9271b3024e50e31

  • SSDEEP

    12288:t1quIf1gL5pRTcAkS/3hzN8qE43fm78V:t1q45jcAkSYqyE

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3432
      • C:\Users\Admin\AppData\Local\Temp\39de4483e57a19f1bea4653eb9f31d8cf6b5450adf9dfa262cd00edee4fe38b5.exe
        "C:\Users\Admin\AppData\Local\Temp\39de4483e57a19f1bea4653eb9f31d8cf6b5450adf9dfa262cd00edee4fe38b5.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:456
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1428
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2856
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a468E.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:5040
            • C:\Users\Admin\AppData\Local\Temp\39de4483e57a19f1bea4653eb9f31d8cf6b5450adf9dfa262cd00edee4fe38b5.exe
              "C:\Users\Admin\AppData\Local\Temp\39de4483e57a19f1bea4653eb9f31d8cf6b5450adf9dfa262cd00edee4fe38b5.exe"
              4⤵
              • Executes dropped EXE
              PID:3720
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4164
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3056
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:4168
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4424
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:3348

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
            Filesize

            251KB

            MD5

            eabcd538f504610ed542dc20ec7662e4

            SHA1

            7e2511244c6dd3d004d76aa6c41423e4890e9009

            SHA256

            d4d01768dd44f6b98cbff4b056f49c7a7121489fe389c8b7f7438d3716b6db8f

            SHA512

            d1b9ae56ccc39a29bbc9710a81f8a953ec2b579d64c8e3a64341d2b34920ea30729ec060e9281fa474f46746f798c473f819bf5a423bee6e0b879687cffcb897

            Download Submit

          • C:\Program Files\7-Zip\7z.exe
            Filesize

            577KB

            MD5

            524c3600812aaa423bc87534f4aa48ad

            SHA1

            a750d31821ce6f343e27ccb1eedc8ca818568cda

            SHA256

            52833632f6aaf7d36b01b63b7dc3943dcb6bf6e356cfcea7a88a57fd0237c8a5

            SHA512

            cef695a0605c7eb7546375607ed63e3f9740ea14babe2a017c2828d91dbfe03d3e1b5ef93adb7ebc24bc1f00f7dc04a91e203d55444ef9fc1e53c7790873bbdc

            Download Submit

          • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
            Filesize

            643KB

            MD5

            ab2cb63e497f09bfe8be14bcf0f680b1

            SHA1

            d116c92ed3c487a1dcde68e4e58e66a535627fe7

            SHA256

            c60d34a999168bdce718de1e1e2642d8903fde2c2359e4850ca852995bc62739

            SHA512

            f54fc6ad7bc41b97b6f600304f5e4cf7eddd733a018116282cf0b53c8b4a3b78b738011e70113420093320884099bc70908731e277e0369de0e7df67d146a21c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a468E.bat
            Filesize

            722B

            MD5

            c9726be5778895512b81ba21672d434c

            SHA1

            f5a0b65b289845fb0465ee7eb7d11d34ab29082f

            SHA256

            75705845aea538adce331011d9262a8c91c4ec8d02fbfd32c52ea21aa1cd6669

            SHA512

            832449d95db025488990f5d3deb1616662f61e1450bcf0569dff41541c196d3daa705a0ef71f73b8d48b3d8b49eb32ad0cf9c3128a163303d0cf2e014f50f66d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\39de4483e57a19f1bea4653eb9f31d8cf6b5450adf9dfa262cd00edee4fe38b5.exe.exe
            Filesize

            458KB

            MD5

            619f7135621b50fd1900ff24aade1524

            SHA1

            6c7ea8bbd435163ae3945cbef30ef6b9872a4591

            SHA256

            344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

            SHA512

            2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            e66ec81a55072abc67e5c48adc2f771c

            SHA1

            b7b45b11de92fafe2ccd0c5a0a1a1d24991eba5a

            SHA256

            6a9fa6177b7f71bfa63a0274a9832d18bfecbdc663bf23e1580203a5456b8a90

            SHA512

            097f9f98618b195a7af7814e7eddba5ce1c25bd3a0d7818e79b4dfda1d6d20b08b0f28dec64278015a62fd5a3bf7495ae2d65ccfa1c48fc7a30a6eb3d9cd8287

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-3726321484-1950364574-433157660-1000\_desktop.ini
            Filesize

            8B

            MD5

            1b16d2dbd4281ce4e4e5729c608dcb0b

            SHA1

            851e624080ba5598edb808d4b30fe2d74999ce18

            SHA256

            c9e46fb51d0588ca1e48ca66731e11992770b9b74a982f9bdbb6ce5b5b75d549

            SHA512

            cd1c4cf7c7871cb48ce735226b25f689b340037e6c992441e566161de7fca7410762d1a0c2670ee4b6546f7ee854d3219e0e2315c3e0387d9bbe3f08076b5a59

            Download Submit

          • memory/456-10-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/456-0-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/4164-18-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/4164-5180-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/4164-11-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/4164-8729-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download