Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    08/05/2024, 06:17

General

  • Target

    57bfa721e69f4e1a59b6b0c14c0f1b60b5c67b1a2f90dcb14ff4c6f2d9ec9df4.exe

  • Size

    39KB

  • MD5

    47ec98bc87cb912543336ed8e6046f36

  • SHA1

    72ef5db4c258a4b74bfa2049178a007f4eed7731

  • SHA256

    57bfa721e69f4e1a59b6b0c14c0f1b60b5c67b1a2f90dcb14ff4c6f2d9ec9df4

  • SHA512

    e5f03aa980594cbca251eb2723514096ee8cc9b65327d37df3794cb6768666ca848a32d47d8992647cace51ba1f96fa38f9329da346148092230af3fe3f7b8e5

  • SSDEEP

    768:8J0eUHoO5RroZJ76739/dZVdfpULiAYXjPrN+8WEjrZMYjV8mp8w:8NFe+Zk7VJbwlYXjPrsqrZMYR5p8w

Score
7/10

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1176
      • C:\Users\Admin\AppData\Local\Temp\57bfa721e69f4e1a59b6b0c14c0f1b60b5c67b1a2f90dcb14ff4c6f2d9ec9df4.exe
        "C:\Users\Admin\AppData\Local\Temp\57bfa721e69f4e1a59b6b0c14c0f1b60b5c67b1a2f90dcb14ff4c6f2d9ec9df4.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2020
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2784
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2312
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2120
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              4⤵
                PID:2548

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

          Filesize

          264KB

          MD5

          7e8d260b6f6d3e2ed90a45ad6e671cfd

          SHA1

          2f02e8344b8d67c341718f8a7cc1a6d823292f65

          SHA256

          7d6114b9b8de59192679b62096eff3ba7d218f77b481c0e48f04571da1836ae9

          SHA512

          2cf1c2894b0f6dd5c6d16af22ef36bd09cf357aba32150394cac1c40e19e31f8408e31fa5525561cbcf93eae996b2ca4778c95ff6439303981df3be212a7878e

        • C:\Program Files\7-Zip\7zFM.exe

          Filesize

          970KB

          MD5

          8b6dd5b749bb55cea9726e7a54a3a9fa

          SHA1

          4595746e85354eea17227c8c3c2bbc6add3b07f2

          SHA256

          88bcae3d86ba4619fa7aeb124ea55941e1a52deeef52dc2d6d68f762ef9bc5a6

          SHA512

          26851e07f88a0b4443c78410775b6a4c4b2110558a197ff64567871623fce57efe990c74727a0dd9250fa788fd1db0ca2c144b78d325b615913f8d36110dba48

        • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

          Filesize

          484KB

          MD5

          79d4fd1cb70f3844796aa1ea18a238e2

          SHA1

          78d207a7de2aeb85eefc185d894b0b7626e1e1f3

          SHA256

          ccaacc3965c1bdfce8cd1e934895a4563dddf082016e56846966c250bed87d5b

          SHA512

          7a0167cbce49f09ea39e490862b8c371eacf8ce3d74d6a6054e7f0e1df4b307019f5adee03603fcb9d4db2b17841cbc9cf129e9480d70b20c266fe82b3979b33

        • F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\_desktop.ini

          Filesize

          8B

          MD5

          ec89b9cba2f5e7b9394fdd901d6c3977

          SHA1

          63b0db3abcd08b863a9a3944799b41efa264db40

          SHA256

          2b4efa4e113d3044c8e47f59a7b75225cc7736c2fa28f9e52949b9441f3d77ca

          SHA512

          901f7d44754e59fba0b1b90341927744f670463f4d18e2694617f74fe4e3f456e9088530bccc16e758fc67a23f91380a3655121ba911e8ff5173f3ac4cb0f1d2

        • memory/1176-3-0x0000000002210000-0x0000000002211000-memory.dmp

          Filesize

          4KB

        • memory/2020-0-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

        • memory/2020-7-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

        • memory/2020-1902-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

        • memory/2020-4056-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB