Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/05/2024, 06:17

General

  • Target

    57bfa721e69f4e1a59b6b0c14c0f1b60b5c67b1a2f90dcb14ff4c6f2d9ec9df4.exe

  • Size

    39KB

  • MD5

    47ec98bc87cb912543336ed8e6046f36

  • SHA1

    72ef5db4c258a4b74bfa2049178a007f4eed7731

  • SHA256

    57bfa721e69f4e1a59b6b0c14c0f1b60b5c67b1a2f90dcb14ff4c6f2d9ec9df4

  • SHA512

    e5f03aa980594cbca251eb2723514096ee8cc9b65327d37df3794cb6768666ca848a32d47d8992647cace51ba1f96fa38f9329da346148092230af3fe3f7b8e5

  • SSDEEP

    768:8J0eUHoO5RroZJ76739/dZVdfpULiAYXjPrN+8WEjrZMYjV8mp8w:8NFe+Zk7VJbwlYXjPrsqrZMYR5p8w

Score
7/10

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3500
      • C:\Users\Admin\AppData\Local\Temp\57bfa721e69f4e1a59b6b0c14c0f1b60b5c67b1a2f90dcb14ff4c6f2d9ec9df4.exe
        "C:\Users\Admin\AppData\Local\Temp\57bfa721e69f4e1a59b6b0c14c0f1b60b5c67b1a2f90dcb14ff4c6f2d9ec9df4.exe"
        2⤵
        • Drops startup file
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1164
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2012
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:3888
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2204
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              4⤵
                PID:4068

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

          Filesize

          257KB

          MD5

          700b9e9d560c8da74ec37ef515f4ef35

          SHA1

          640da02b51ed5662386409e1c6d8df2268b2dec8

          SHA256

          e8cd802872fcd5501549e60bfc366a2b4905a2e890efb36f4ccc41ab5ccb1d55

          SHA512

          782da744c4201f43a8fd84f37cceec60146b8b86711016fa28f1bdd0190e167bdbb9a47ee210e725571d328f2c9c97771ba78b8b49be78f3d590793021ba89da

        • C:\Program Files\7-Zip\7zG.exe

          Filesize

          723KB

          MD5

          b87530d273fc6a39d507d8a7f37b834e

          SHA1

          c1ed4fe0bd7c96cc3df56cde66639fe6b9f7ec3c

          SHA256

          7ca7b4a9091ce7bb2cf953c29f09fd0370cb20faf6119bc8d56c4a33f7cd195f

          SHA512

          22a09585d776fb46e1f66d2843e5a41ac89cd188a14f508d5bfe8914523610e9c42d0fdb0ffcbb353fbfcfc142391b7e8374f1f64f62cd0f587a0f70217a326d

        • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

          Filesize

          649KB

          MD5

          e4b4c486987a76abb8a18c33b36514b5

          SHA1

          1c83216295cfc852c1a35198e31d8d385efd373a

          SHA256

          30f0474b455caa56bfb989bfcc04bb4db00f81857c28657f3fecf1dbcc6eb5dc

          SHA512

          f8532180a32b17153626d9879a93159132b2e10708e81aec83c995a8e9b642d5b6ccdd1db676c92302bdd5bb97726e670876490e97d65b27865ea7e72c8c4515

        • F:\$RECYCLE.BIN\S-1-5-21-2818691465-3043947619-2475182763-1000\_desktop.ini

          Filesize

          8B

          MD5

          ec89b9cba2f5e7b9394fdd901d6c3977

          SHA1

          63b0db3abcd08b863a9a3944799b41efa264db40

          SHA256

          2b4efa4e113d3044c8e47f59a7b75225cc7736c2fa28f9e52949b9441f3d77ca

          SHA512

          901f7d44754e59fba0b1b90341927744f670463f4d18e2694617f74fe4e3f456e9088530bccc16e758fc67a23f91380a3655121ba911e8ff5173f3ac4cb0f1d2

        • memory/1164-0-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

        • memory/1164-3-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

        • memory/1164-5212-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB

        • memory/1164-8762-0x0000000000400000-0x000000000043D000-memory.dmp

          Filesize

          244KB