Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

a4354399ae...65.exe

windows7-x64

7

a4354399ae...65.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/05/2024, 02:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a4354399aeac5bc87ae2213cef7e551c34eb603cc78d0fbbf1485924b036ff65.exe

  • Size

    70KB

  • MD5

    b7b8c6622d451a1ad91825f48ee3e1d2

  • SHA1

    bb0817a3885c7daee2809a600fd02fa86e5b339d

  • SHA256

    a4354399aeac5bc87ae2213cef7e551c34eb603cc78d0fbbf1485924b036ff65

  • SHA512

    5f5942797b50b5598b9152a868f173ced0b650456f8eed76b6033620c72e73538e8177158c2674a916ca140ae1882b09febc129596d0a84baaa0a672e93b595f

  • SSDEEP

    1536:Aie+Zk77RNH2iT919XKKkQeZriw+d9bHrkT5gUHz7FxtJ:Aie+aX3rX9DsrBkfkT5xHzD

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3352
      • C:\Users\Admin\AppData\Local\Temp\a4354399aeac5bc87ae2213cef7e551c34eb603cc78d0fbbf1485924b036ff65.exe
        "C:\Users\Admin\AppData\Local\Temp\a4354399aeac5bc87ae2213cef7e551c34eb603cc78d0fbbf1485924b036ff65.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3324
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2960
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2836
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4D26.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2616
            • C:\Users\Admin\AppData\Local\Temp\a4354399aeac5bc87ae2213cef7e551c34eb603cc78d0fbbf1485924b036ff65.exe
              "C:\Users\Admin\AppData\Local\Temp\a4354399aeac5bc87ae2213cef7e551c34eb603cc78d0fbbf1485924b036ff65.exe"
              4⤵
              • Executes dropped EXE
              PID:3144
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4580
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4832
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:5096
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2184
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:3756

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files\7-Zip\7z.exe
            Filesize

            577KB

            MD5

            650c508b3fe23bd58f4378d98516f537

            SHA1

            bbecc4f218f0dc1b01d124f074d4af10583d9c78

            SHA256

            de9a43a0018b4ee76f16019df0c554abacea852d07b7d37a86fc70f34f299d5b

            SHA512

            f93fb27574087b82f5ebd36f064b0efc34ee5c2e3c3774c0d4892af95a63e1c1178617fa93d5e152532e9e90b2867e7d1a5872b03de1147f149baff0db9145cb

            Download Submit

          • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
            Filesize

            643KB

            MD5

            c13829dbc1ac12f05d12e1dbad982e30

            SHA1

            960baf69ff0079d77cd7f7a9e69d6fd806d20783

            SHA256

            86d5ce82c71e2c3c86b994d4e0ed1ba15106dbf9b1319d3d8270794346c63d5d

            SHA512

            73bc97687a97d6ca378c2b0b76d3a1443f761ebdb603e373ead6a2b979ce416a329509261e89707afb3cca6fd8dbc27a07ee7ee28ef1936d47aa12d9e434a11b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a4D26.bat
            Filesize

            722B

            MD5

            fb6b8572d2c2b6ef9dcf6794ad9a1a8b

            SHA1

            ae4eca84e5e8b0bda2cbfcfd9cf52c05e237e744

            SHA256

            1465723890fb68165c0172c34ed4e32159e4c0d20b4dd1f194f42c514d715f1a

            SHA512

            07e824901c619a0297eb880361990b0dd613d45a8e79635ebd2164c8bc91ec640839bc403c0137116a7ac67a068cc44621310949b3f4cec09cc471759a050962

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\a4354399aeac5bc87ae2213cef7e551c34eb603cc78d0fbbf1485924b036ff65.exe.exe
            Filesize

            36KB

            MD5

            9f498971cbe636662f3d210747d619e1

            SHA1

            44b8e2732fa1e2f204fc70eaa1cb406616250085

            SHA256

            8adf6748981c3e7b62f5dbca992be6675574fffbce7673743f2d7fe787d56a41

            SHA512

            b73083c2f7b028d2946cb8f7b4fe2289fedaa4175364a2aac37db0aeff4602aede772ccc9eba7e6dcfcb7276e52604ca45d8021952201b5834485b48bca3dc93

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            db0109967be916a106fce9383d019fde

            SHA1

            eac68b8e0b6d46d781cf04145401f9292b09b164

            SHA256

            a942172e30917abd01969f3be6ad254b877d04dfeb5c642bab2d0a9d0eaa28fa

            SHA512

            c2f1254cfc812c3bcf7b9196cde3cb14f184e211f9d75d74cb38f8638a5ef438af3301779203eb0ed06ad02b7c06de3fa03f956b0537901e3c971cf9433ade6f

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-1337824034-2731376981-3755436523-1000\_desktop.ini
            Filesize

            9B

            MD5

            4d28283e4d415600ffc2f8fda6d8c91e

            SHA1

            053dcb8d5d84b75459bc82d8740ee4684d680016

            SHA256

            b855effeaf01610130d3f38de35bc7f98bfc6643d98d4198af18534f048e8df7

            SHA512

            73a758cd5e5ac48d62dd89719be604214895e0cc9a10ff7464a6cf9161a37fd27d15dd2d2565f18198b381ac6442bcb36f38614df7b1176061a83616517a7edb

            Download Submit

          • memory/3324-0-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/3324-9-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4580-11-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4580-18-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4580-5220-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4580-8692-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download