Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

b8ca31703c...71.exe

windows7-x64

7

b8ca31703c...71.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/05/2024, 14:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b8ca31703c834baf0e7c0d3d0f16f28710ebd7101407e5003acea8539c660871.exe

  • Size

    98KB

  • MD5

    8e969a1f2381657f18de466ba4f9ecc0

  • SHA1

    b95798444a7ad167dfa21ec01f4191c434d622a8

  • SHA256

    b8ca31703c834baf0e7c0d3d0f16f28710ebd7101407e5003acea8539c660871

  • SHA512

    a38bd87d16f5ba768f714b07c7c574c1774f0542151fc3d0872665894a7d4c5d16bbde2b262132d9b32a80a41a6b325e400ffa0beab339e5047c420fa851c61e

  • SSDEEP

    1536:gLPQsrz8haFpmqr76/Y3WLpQQwFxV7qjh3rmKPNIwW:gLPN8QFda/2hAjZqMNId

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3548
      • C:\Users\Admin\AppData\Local\Temp\b8ca31703c834baf0e7c0d3d0f16f28710ebd7101407e5003acea8539c660871.exe
        "C:\Users\Admin\AppData\Local\Temp\b8ca31703c834baf0e7c0d3d0f16f28710ebd7101407e5003acea8539c660871.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2820
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4528
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:4252
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a45A4.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4668
            • C:\Users\Admin\AppData\Local\Temp\b8ca31703c834baf0e7c0d3d0f16f28710ebd7101407e5003acea8539c660871.exe
              "C:\Users\Admin\AppData\Local\Temp\b8ca31703c834baf0e7c0d3d0f16f28710ebd7101407e5003acea8539c660871.exe"
              4⤵
              • Executes dropped EXE
              PID:2704
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3884
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3740
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2880
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4284
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:1444

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            265KB

            MD5

            144a07f0eb9ee08baff92603553bb51b

            SHA1

            0cf1b6d320f8f167584209cd250c1d2e8fb31aaf

            SHA256

            796386a95ca9b7bd73cdeeb4a5974272cb2aee380a9176213e7f90930ada8506

            SHA512

            712139a7c7ba2f695d3a96440ea855505ad7b80b05657e1c31f1254168de57a2d688f21333751fe9fa4f3a6d439a506214894358aa0578a807ade561fa5050ae

            Download Submit

          • C:\Program Files\7-Zip\7z.exe
            Filesize

            584KB

            MD5

            71bf6bdc8615ef7c5de0df63604695eb

            SHA1

            70441d785313ea209b9028cd12e34c0f1bc4cc4f

            SHA256

            1337ca183f3b289a2d7919a1b00f6aa195bbeb5038123ba7aa281fee198936ee

            SHA512

            0a1b1768e02621d916f88df3b3b2c2e1c9688eb8b874e47864a4f0a3ee23c9d673f1ef92f40e24735392df26bc4f06b3abfeb6e36c95268fa98f1404715c7e5f

            Download Submit

          • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
            Filesize

            650KB

            MD5

            c0651f5f5ed8c9967b91a89a86cc4dc4

            SHA1

            6866b91667021c6cc7fd680451a5ea183dce3cd1

            SHA256

            d09336ea46c4c6e8b83dff2aa4bd31d9e993bcd572e6b274449adc5f9e51627d

            SHA512

            1cf7354f1b204415fd099c1fdaeecda5f0daec86948cee48da433d847d0ce94fee7fcf2365675868e82450891244b04902d730d6b0e0dfb5c29df1cd4b5d8ad6

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a45A4.bat
            Filesize

            722B

            MD5

            00bfc285b588f3beec73766f73662e51

            SHA1

            fccbe3a47332fda1874c2aed5f9ba0f16d6090b6

            SHA256

            8245e9f05f7e495786edf6c97d4cd9e0c98e5ef3e528a4a01b8e0483583f8f58

            SHA512

            ed0d14fa38352112cd84b08096083c568644bce77f2cb202e1753e8568e8a4897eff4bc02f1a31ced4ee938632ed90dbcac7981b7b07904517ebed5b5a3c3661

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\b8ca31703c834baf0e7c0d3d0f16f28710ebd7101407e5003acea8539c660871.exe.exe
            Filesize

            57KB

            MD5

            fa71e60855b37c3c26d9ebbb52a0c3de

            SHA1

            e608fea1cd4d5a34d7a86ca4e64d1db67f539f29

            SHA256

            5122bb9ce0e46f847cf1920c4e2fcead16b3101f6f03d3225e92a5f80a2f1c1c

            SHA512

            1b8cc9b37c24c9a5661e26cfb162fd1cb6419a4beb472bf100f4fbb61dfe9c353e8d3502af3d9a55d44a5f07dc0bf49412d5ca0d0d20fe466e3156ad1a88886b

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            40KB

            MD5

            ee15a6a567557bb41533caabe57892ef

            SHA1

            9507149eb9a8a36be2fddca32ffc2ee56b1c0712

            SHA256

            2e77a08e9801594b1f91a8467a15f4e3078d4a9804e3a25567ac0f6a594f6eb1

            SHA512

            41c4fcfc250209b1bf9e3d4d99030ff558a46089083ef92b23f924e7c6de8d9a2dcc8013957183bf544bdff2fa3ddfd5198511c2f19989f2736bef73a8adc9e4

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-540404634-651139247-2967210625-1000\_desktop.ini
            Filesize

            8B

            MD5

            ec89b9cba2f5e7b9394fdd901d6c3977

            SHA1

            63b0db3abcd08b863a9a3944799b41efa264db40

            SHA256

            2b4efa4e113d3044c8e47f59a7b75225cc7736c2fa28f9e52949b9441f3d77ca

            SHA512

            901f7d44754e59fba0b1b90341927744f670463f4d18e2694617f74fe4e3f456e9088530bccc16e758fc67a23f91380a3655121ba911e8ff5173f3ac4cb0f1d2

            Download Submit

          • memory/2820-11-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2820-0-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/3884-18-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/3884-3600-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/3884-9-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/3884-8703-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download