Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

c077728a0c...6e.exe

windows7-x64

8

c077728a0c...6e.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    28/05/2024, 08:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c077728a0c290ba8f96b81ea0d915cd5d77d89990435d332747dbd67d2aa5f6e.exe

  • Size

    50KB

  • MD5

    7a5b7ffa724719d0192866634464c040

  • SHA1

    fa0a62aa6282576858285ee5396b16bd807c719b

  • SHA256

    c077728a0c290ba8f96b81ea0d915cd5d77d89990435d332747dbd67d2aa5f6e

  • SHA512

    3759b3f41f997a1f0a5d90adf1404c6f4af45e5d6cead213633661d9e6a6c6e657ec949d3f821d87c132e9136f0eb6c8633314b72686ac3796cbf1624843af0c

  • SSDEEP

    768:PLpnGnElOIEvzMXqtwp/lttaL7HP4wIncLRdR5kP78a0RJW/a9IOOlT+P9zLLpKE:PhUaYzMXqtGNttyUn01Q78a4RCoH3WW

Score
8/10
spywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1140
      • C:\Users\Admin\AppData\Local\Temp\c077728a0c290ba8f96b81ea0d915cd5d77d89990435d332747dbd67d2aa5f6e.exe
        "C:\Users\Admin\AppData\Local\Temp\c077728a0c290ba8f96b81ea0d915cd5d77d89990435d332747dbd67d2aa5f6e.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2904
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:856
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2760
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1D70.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2532
            • C:\Users\Admin\AppData\Local\Temp\c077728a0c290ba8f96b81ea0d915cd5d77d89990435d332747dbd67d2aa5f6e.exe
              "C:\Users\Admin\AppData\Local\Temp\c077728a0c290ba8f96b81ea0d915cd5d77d89990435d332747dbd67d2aa5f6e.exe"
              4⤵
              • Executes dropped EXE
              PID:2356
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2780
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2948
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2640
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2500
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2380

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            ebb1acf3749aab2799316e438dfdbdf4

            SHA1

            704fe023ab74891eeff0ba9779303aff0b0da5aa

            SHA256

            2f7d16cda5245419705eeff7f92014c5d80e91d8a2d04beff74d79f832f7e77f

            SHA512

            ff93751e380f95501d316a68f459a42e116d3ca10a1d609f4f48ca679e5b9c820021ab2c1869a8d13c5a47a291a3f81e6e22966f41ed55f0f4d64a65902bacb4

            Download Submit

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            478KB

            MD5

            db30f5e16c744915af12c09f1ccf3e41

            SHA1

            d5feb47e0ca1c47b0a4cfc90be501e97f613ce90

            SHA256

            cfc87b2273f90e5125ca09d4fed15c56a82dabc54e418301f8ce23476201950e

            SHA512

            ff466c60abd62f72cbe687d48fcc485855e0df65599da37112d3872324176bf68428c312d8fbfaf20deba2295b2c7fc51129436a73ba8bdc58836289f6a47f6b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a1D70.bat
            Filesize

            722B

            MD5

            b67ca361f8f6116cbbf3363b1c3f1bd0

            SHA1

            8211374e981e51de5b47411f28bc4f6687472beb

            SHA256

            1982b90a7e0c94b87809a95855a3d3d9f50f5ee4f07bed5dadf92fb8df40e607

            SHA512

            7a1be6163a7fdb7c7c8c4c2f19e3f2d4f6f4e01cd28ba181aa2fba3fbd40886fca47acdbd6a6c3ca5f5ccb65e8c8519fa4553f5c707311c883006e2475e3d740

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\c077728a0c290ba8f96b81ea0d915cd5d77d89990435d332747dbd67d2aa5f6e.exe.exe
            Filesize

            16KB

            MD5

            5587c5663414e345518f8b6dac344877

            SHA1

            882f53d66d9fa78340a9b8d892fd3216ff6ab99d

            SHA256

            cc1f45cb2173797fcc43c4193c27547a55cc3469e65f4f8189db311c8ef08e9c

            SHA512

            3e6ad3830362433143485261c8673cc7daa41a9cab81a8e7ed9b67a687b688ec4c36eaefd46ecb796e69f6c148933ae51a78190865a3f2f631f4254c7d3f4c73

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            b889976a7791068af99766aca8f357d8

            SHA1

            146247c065098fb7f98f6cc1094825486b77d65c

            SHA256

            2d86f486401387ff3dcf30a8ffca900063a26c269b2e44bc1b925cbfafc30e92

            SHA512

            bad98a62f1e63adf7fef79f14ea027179ad4255a862f30114918046d14c89256cd2f5dcc3044941ecde471d9ede8d18a4ee040ca300cd1a9b9243aabbeee9558

            Download Submit

          • C:\Windows\system32\drivers\etc\hosts
            Filesize

            832B

            MD5

            7e3a0edd0c6cd8316f4b6c159d5167a1

            SHA1

            753428b4736ffb2c9e3eb50f89255b212768c55a

            SHA256

            1965854dfa54c72529c88c7d9f41fa31b4140cad04cf03d3f0f2e7601fcbdc6c

            SHA512

            9c68f7f72dfa109fcfba6472a1cced85bc6c2a5481232c6d1d039c88b2f65fb86070aeb26ac23e420c6255daca02ea6e698892f7670298d2c4f741b9e9415c7f

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-2248906074-2862704502-246302768-1000\_desktop.ini
            Filesize

            9B

            MD5

            e850d9ceb7ebcc619d731dc2f1377b2b

            SHA1

            a45553c9057075c02e28f90d5e8ea57a0dddbacc

            SHA256

            b682a6e85069777ca22f84b99607acd09640eaa80029d74363c0a5aabddead4c

            SHA512

            be92bd8393d0fe69559ec55e1068fcd77ccc699361a9cb98d467bd51a029c371852b7a1196ad53fa8865e956582e6a4d35f6ac6fea3832058b7a427133b0048c

            Download Submit

          • memory/1140-31-0x00000000024A0000-0x00000000024A1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2356-27-0x0000000000400000-0x000000000040A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2780-20-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2780-35-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2780-3286-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2780-4105-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2904-0-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2904-19-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2904-13-0x00000000003B0000-0x00000000003EE000-memory.dmp

            Filesize

            248KB

            Download