Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

5c77dc7476...92.exe

windows7-x64

7

5c77dc7476...92.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    25/05/2024, 04:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5c77dc74765c0500f1023136ee097d938ef4da166a4874db26040e69dfeac992.exe

  • Size

    583KB

  • MD5

    3d13b844d2a2527640ed50d8da94b7b5

  • SHA1

    77566d99b9a2938fdabcb84172496ff62957ad5a

  • SHA256

    5c77dc74765c0500f1023136ee097d938ef4da166a4874db26040e69dfeac992

  • SHA512

    72c8328aa9adf34c0fbc70a08a89fdb807b5b8fd19f35658d2a63f1044545668a21e0f973bbdf25221da9a8e93ccc5c6db4786d0a4702873a631e5a54adeaf92

  • SSDEEP

    6144:mEKW+aezDE7cV3iwbAFRWAbd4nf0H05yqE6Hl0ChW0+ksllAXBu0lWGWUJJQ4t0G:m9W+aB7a3iwbihym2g7XO3LWUQfh4Co

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1192
      • C:\Users\Admin\AppData\Local\Temp\5c77dc74765c0500f1023136ee097d938ef4da166a4874db26040e69dfeac992.exe
        "C:\Users\Admin\AppData\Local\Temp\5c77dc74765c0500f1023136ee097d938ef4da166a4874db26040e69dfeac992.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2056
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1608
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2820
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2607.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2612
            • C:\Users\Admin\AppData\Local\Temp\5c77dc74765c0500f1023136ee097d938ef4da166a4874db26040e69dfeac992.exe
              "C:\Users\Admin\AppData\Local\Temp\5c77dc74765c0500f1023136ee097d938ef4da166a4874db26040e69dfeac992.exe"
              4⤵
              • Executes dropped EXE
              PID:2588
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2600
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2672
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2620
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2664
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2960

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            264KB

            MD5

            060347047d63427782c0376930785ff5

            SHA1

            d78f3c47a404c115d0d79a175447a47871fd605e

            SHA256

            5c5ac3fa6013be6c0602a7a6f8b24acb738e37366c43b67989091b9725adf51f

            SHA512

            9811f2721f76f6d874ac390c516a7a3d5037a82c785d0c35540353b0827ac2fe24d7f1e8be8e6ae7278b00be9aa30f4d5385076e82576b38d1c36df6b09693d2

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a2607.bat
            Filesize

            722B

            MD5

            af0b6fb84b8854f29764e472de80061b

            SHA1

            4b6d13840fec22e3a599749ce76b096bef2f48a7

            SHA256

            e06e0835ce5d441553fc82ee8a7b4165606428c151d4b8c50a8f782a1cc271ab

            SHA512

            e6654c485f2f4e798693368e33213222aa31470f4d83cce8f164059cdac30e0a9e79542788e6c7ec58764e22491b0d1a067358e994eb97ebaa2b4c3ad9a7a287

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\5c77dc74765c0500f1023136ee097d938ef4da166a4874db26040e69dfeac992.exe.exe
            Filesize

            544KB

            MD5

            9a1dd1d96481d61934dcc2d568971d06

            SHA1

            f136ef9bf8bd2fc753292fb5b7cf173a22675fb3

            SHA256

            8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525

            SHA512

            7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            39KB

            MD5

            f7ebb3d79ef53cfda9bebd3a4b0e4e0a

            SHA1

            3670512f285d65e981e9d7592844c7c42e5d4773

            SHA256

            3c2d6a686dd3a04d7e3413afbe50663a259d1fefa0bb8dfa9568d4c87bf99ef5

            SHA512

            177035a8504c5f1456659715d33968e85b291e44aa89232e96c4c52a2b2156c80f6f5639802241a46d0849f8230c9212d7fc6977b96d5c09440217ba3bad2adb

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-2737914667-933161113-3798636211-1000\_desktop.ini
            Filesize

            9B

            MD5

            7619ead719f9163af9f64f79eeff7c36

            SHA1

            7b956c82fba1f4a0ea8b09ca2e39d89159e21b75

            SHA256

            da9af76d7e3938d1bd300436de0d394ef0453f260a69c94905084222eb3fbb45

            SHA512

            29dd3ef54766931036c2f0d755bb3fc89619e548c95658577930a5a748ac2b2855a9e5ee5601697ebbac8a7d435abd4c9e9e2255b0e455e267e0d95358fa86df

            Download Submit

          • memory/1192-27-0x0000000002FE0000-0x0000000002FE1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2056-0-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2056-17-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2600-19-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2600-31-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2600-3343-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2600-4175-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download