Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/05/2024, 14:24

General

  • Target

    c35269f7174fca4d6c47d66f7ab60fc0f4f401b91caaca17b3c637fad3ed4c82.exe

  • Size

    33KB

  • MD5

    0d20f038ad62ff6b5fd30ce3ea460037

  • SHA1

    1a654b3d6703c1e9aab6f420ee722184179558b7

  • SHA256

    c35269f7174fca4d6c47d66f7ab60fc0f4f401b91caaca17b3c637fad3ed4c82

  • SHA512

    e15973fd11e948fffa2e93296070c4c90b459b869e2548e37d02add2a948f0a6b4aa84c35ee971eb994a5187f114dbccfce2efbbaf981afd1a0e47b2aa5f5689

  • SSDEEP

    768:PksElOIEvzMXqtwp/lttaL7HP4wIncLRdR5kP78a0RJW/a:PksaYzMXqtGNttyUn01Q78a4R

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1208
      • C:\Users\Admin\AppData\Local\Temp\c35269f7174fca4d6c47d66f7ab60fc0f4f401b91caaca17b3c637fad3ed4c82.exe
        "C:\Users\Admin\AppData\Local\Temp\c35269f7174fca4d6c47d66f7ab60fc0f4f401b91caaca17b3c637fad3ed4c82.exe"
        2⤵
        • Drops file in Drivers directory
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2300
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1228
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2544
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1056
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              4⤵
                PID:2600

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

          Filesize

          258KB

          MD5

          edfa3e4e20077e1788efe171d6c9242c

          SHA1

          ba9a86931f220ab1dabd728bc8ad6aee8177cf62

          SHA256

          c15ebbc97462922e35823192f29c1c9a1437722a0d1a8b0e671b31566f8d5dd1

          SHA512

          747c45c4935caa88bf9a939aab3c663c3ab15e8d4c7bda41130921aa5ff66d8c28bcaef8f6b703b1c9ae6f41acd0d09c5ae4e41f9b6bd0bde7e5c156a9144fcb

        • C:\Program Files\7-Zip\7zG.exe

          Filesize

          717KB

          MD5

          523ca570f0dbb91e42c5ee89b73919c5

          SHA1

          78edd98d4d409b901ad39b500c754b255241c293

          SHA256

          e2c648a85b070f7e3c06fe54baabc74d653d104c019708c617a997fd92fd5d40

          SHA512

          f76c9569f919d135a6c724905eff8cf36f80b512eeb87d0b80fa43fbef470e1c3c5ae848165dd45a4039f8204b4c27f33e61b4848c325d0549e431388f961cae

        • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

          Filesize

          478KB

          MD5

          e93193856beaecee9905e2a6f36be17f

          SHA1

          d4c267ea34f28f048e29461656984aad70912eda

          SHA256

          1d345f4e09acdbc12e63ce90d0bd373b56d50a378f4603d8425f6df815e44a7b

          SHA512

          1fbe9c0e86ad98d6a2a7924badec0fffc69a7d0a4839e8af45d0aedf1e4e24a4a798df0ec5b8d0aa6e0e566c0c83a4030549bd32b9ac27406fc772d4a2ff5fc3

        • F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\_desktop.ini

          Filesize

          8B

          MD5

          1b16d2dbd4281ce4e4e5729c608dcb0b

          SHA1

          851e624080ba5598edb808d4b30fe2d74999ce18

          SHA256

          c9e46fb51d0588ca1e48ca66731e11992770b9b74a982f9bdbb6ce5b5b75d549

          SHA512

          cd1c4cf7c7871cb48ce735226b25f689b340037e6c992441e566161de7fca7410762d1a0c2670ee4b6546f7ee854d3219e0e2315c3e0387d9bbe3f08076b5a59

        • memory/1208-5-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

          Filesize

          4KB

        • memory/2300-0-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

        • memory/2300-9-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

        • memory/2300-3256-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

        • memory/2300-4078-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB