Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

323ddab5b4...c1.exe

windows7-x64

7

323ddab5b4...c1.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    05/05/2024, 14:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe

  • Size

    491KB

  • MD5

    90e617b3cb538bdbebb67d1acb928fd2

  • SHA1

    1d21aa75aef945020c81a487e85f11b42a5780e1

  • SHA256

    323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1

  • SHA512

    b5c2b80566046eabfee7e64f4773db78674a3abae013ecbfaff9ccbeb418a4f65e06553cd541ce6585cdc5ee956f41775d171161c5a9a0833f7d3d486bfa32bd

  • SSDEEP

    12288:IKI1quIf1gL5pRTcAkS/3hzN8qE43fm78V:DI1q45jcAkSYqyE

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe
        "C:\Users\Admin\AppData\Local\Temp\323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1628
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2356
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:296
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a23E5.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2584
            • C:\Users\Admin\AppData\Local\Temp\323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe
              "C:\Users\Admin\AppData\Local\Temp\323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe"
              4⤵
              • Executes dropped EXE
              PID:2872
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2632
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2592
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2748
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2608
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2172

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            478KB

            MD5

            22f843576d7f955e6adfc871b32f1c4e

            SHA1

            0f619c169809e25776e5662048ef43b75105c749

            SHA256

            4743495c4403ccae771b3e2b4f9bca13336c3df8a7adda3b912f06b5e509f88a

            SHA512

            dc3f8688869ab9f35ad02f8b7c217fa93fc6dbe00a13a4a81e7b725b6dcaa8080c4731ffb165f070889f08b43e0a365e58955682c46623b85a0b4aca644b9fbf

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a23E5.bat
            Filesize

            722B

            MD5

            8a837b19547ab7b009015713bacf0b90

            SHA1

            34931f938851bf54fe98cc02342001e8f1f801cf

            SHA256

            54d01304e70c29d55c818708ba51e67de687b25d6ce100682aaf515e3224b924

            SHA512

            0bd5e3c2f9c68d7d0894a39b443229f7b6e7dba93b357a2d8fcd83e50ccf4e9d90354fd588b3ac0735a31e8c1020c4203ed6aef806a276a29108b6ebd3b4adb2

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe.exe
            Filesize

            458KB

            MD5

            619f7135621b50fd1900ff24aade1524

            SHA1

            6c7ea8bbd435163ae3945cbef30ef6b9872a4591

            SHA256

            344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

            SHA512

            2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            dbaeead00c5f2c719ea726ce5d681465

            SHA1

            d9bb3c9a2747bb4625f265d46f48722ef88271c7

            SHA256

            ccb9ee55ad02f5fda55d5b0e8c06e4071fe895b47d622ebc24a79d7c87d3e1a8

            SHA512

            1526d4e26278f1225a07fdf935de1d7364638af5b77473d2ec97316edf53cc89c4482c496d4b9c7009ee9d969429e9251057a1664ceb0ebda1aef16c703ffa95

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\_desktop.ini
            Filesize

            8B

            MD5

            1b16d2dbd4281ce4e4e5729c608dcb0b

            SHA1

            851e624080ba5598edb808d4b30fe2d74999ce18

            SHA256

            c9e46fb51d0588ca1e48ca66731e11992770b9b74a982f9bdbb6ce5b5b75d549

            SHA512

            cd1c4cf7c7871cb48ce735226b25f689b340037e6c992441e566161de7fca7410762d1a0c2670ee4b6546f7ee854d3219e0e2315c3e0387d9bbe3f08076b5a59

            Download Submit

          • memory/1196-27-0x0000000002E10000-0x0000000002E11000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1628-0-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/1628-17-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2632-18-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2632-31-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2632-3068-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2632-4101-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download