Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

5c77dc7476...92.exe

windows7-x64

7

5c77dc7476...92.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/05/2024, 04:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5c77dc74765c0500f1023136ee097d938ef4da166a4874db26040e69dfeac992.exe

  • Size

    583KB

  • MD5

    3d13b844d2a2527640ed50d8da94b7b5

  • SHA1

    77566d99b9a2938fdabcb84172496ff62957ad5a

  • SHA256

    5c77dc74765c0500f1023136ee097d938ef4da166a4874db26040e69dfeac992

  • SHA512

    72c8328aa9adf34c0fbc70a08a89fdb807b5b8fd19f35658d2a63f1044545668a21e0f973bbdf25221da9a8e93ccc5c6db4786d0a4702873a631e5a54adeaf92

  • SSDEEP

    6144:mEKW+aezDE7cV3iwbAFRWAbd4nf0H05yqE6Hl0ChW0+ksllAXBu0lWGWUJJQ4t0G:m9W+aB7a3iwbihym2g7XO3LWUQfh4Co

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3516
      • C:\Users\Admin\AppData\Local\Temp\5c77dc74765c0500f1023136ee097d938ef4da166a4874db26040e69dfeac992.exe
        "C:\Users\Admin\AppData\Local\Temp\5c77dc74765c0500f1023136ee097d938ef4da166a4874db26040e69dfeac992.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2672
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4444
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:4268
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3E8F.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2824
            • C:\Users\Admin\AppData\Local\Temp\5c77dc74765c0500f1023136ee097d938ef4da166a4874db26040e69dfeac992.exe
              "C:\Users\Admin\AppData\Local\Temp\5c77dc74765c0500f1023136ee097d938ef4da166a4874db26040e69dfeac992.exe"
              4⤵
              • Executes dropped EXE
              PID:4692
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:5076
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3116
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2724
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1744
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:4440

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            264KB

            MD5

            060347047d63427782c0376930785ff5

            SHA1

            d78f3c47a404c115d0d79a175447a47871fd605e

            SHA256

            5c5ac3fa6013be6c0602a7a6f8b24acb738e37366c43b67989091b9725adf51f

            SHA512

            9811f2721f76f6d874ac390c516a7a3d5037a82c785d0c35540353b0827ac2fe24d7f1e8be8e6ae7278b00be9aa30f4d5385076e82576b38d1c36df6b09693d2

            Download Submit

          • C:\Program Files\7-Zip\7z.exe
            Filesize

            583KB

            MD5

            3d13b844d2a2527640ed50d8da94b7b5

            SHA1

            77566d99b9a2938fdabcb84172496ff62957ad5a

            SHA256

            5c77dc74765c0500f1023136ee097d938ef4da166a4874db26040e69dfeac992

            SHA512

            72c8328aa9adf34c0fbc70a08a89fdb807b5b8fd19f35658d2a63f1044545668a21e0f973bbdf25221da9a8e93ccc5c6db4786d0a4702873a631e5a54adeaf92

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a3E8F.bat
            Filesize

            722B

            MD5

            037e756bcb1f373f0767ea4b93acdc73

            SHA1

            b9935ee0d9b7bf74c474ae7c2ae2c75d9e370ef3

            SHA256

            2a791c3628c6d7f249cfb7146e65085a39786fa5209dbdb876ff4f3f43bf4437

            SHA512

            b9026ff9a01e4c5fa807e820e15f84618de39f153252d368597419fa63737df5c338cb85ccb718e098a1c973199dea11d5fb81837c498972573944da09bfd214

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\5c77dc74765c0500f1023136ee097d938ef4da166a4874db26040e69dfeac992.exe.exe
            Filesize

            544KB

            MD5

            9a1dd1d96481d61934dcc2d568971d06

            SHA1

            f136ef9bf8bd2fc753292fb5b7cf173a22675fb3

            SHA256

            8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525

            SHA512

            7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            39KB

            MD5

            f7ebb3d79ef53cfda9bebd3a4b0e4e0a

            SHA1

            3670512f285d65e981e9d7592844c7c42e5d4773

            SHA256

            3c2d6a686dd3a04d7e3413afbe50663a259d1fefa0bb8dfa9568d4c87bf99ef5

            SHA512

            177035a8504c5f1456659715d33968e85b291e44aa89232e96c4c52a2b2156c80f6f5639802241a46d0849f8230c9212d7fc6977b96d5c09440217ba3bad2adb

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\_desktop.ini
            Filesize

            9B

            MD5

            7619ead719f9163af9f64f79eeff7c36

            SHA1

            7b956c82fba1f4a0ea8b09ca2e39d89159e21b75

            SHA256

            da9af76d7e3938d1bd300436de0d394ef0453f260a69c94905084222eb3fbb45

            SHA512

            29dd3ef54766931036c2f0d755bb3fc89619e548c95658577930a5a748ac2b2855a9e5ee5601697ebbac8a7d435abd4c9e9e2255b0e455e267e0d95358fa86df

            Download Submit

          • memory/2672-0-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/2672-10-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/5076-11-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/5076-18-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/5076-5166-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/5076-8696-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download