Analysis

  • max time kernel
    149s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/05/2024, 09:58 UTC

General

  • Target: 765588f23c201b5815b8f79dc9944827876ce28d8ca4bf60d4c687c2a31b8d8e.exe
  • Size: 694KB
  • MD5: 15edb5f3d8dc8b4bb3560bd7a9b3eff6
  • SHA1: 35ee09a607af1e28015862df58d890eef9bcd27e
  • SHA256: 765588f23c201b5815b8f79dc9944827876ce28d8ca4bf60d4c687c2a31b8d8e
  • SHA512: e5c85752efba5f785f67a5b7c406233a2c3a5fff22903068c2c85a4596de1080f84f40bc58c2aef13de7fe4419e2aa8ebed5ee4ca5617575caf56823920a8b19
  • SSDEEP: 12288:/PzJgrpXt3hcorRSJwGHuwbwDdlELUDyoagA0rtmmrBE:/PzJgrVtxcolSJwGHuOud6L9fN0pmr

Score
7/10

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3516
      • C:\Users\Admin\AppData\Local\Temp\765588f23c201b5815b8f79dc9944827876ce28d8ca4bf60d4c687c2a31b8d8e.exe
        "C:\Users\Admin\AppData\Local\Temp\765588f23c201b5815b8f79dc9944827876ce28d8ca4bf60d4c687c2a31b8d8e.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3228
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2644
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2932
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3A3A.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4120
            • C:\Users\Admin\AppData\Local\Temp\765588f23c201b5815b8f79dc9944827876ce28d8ca4bf60d4c687c2a31b8d8e.exe
              "C:\Users\Admin\AppData\Local\Temp\765588f23c201b5815b8f79dc9944827876ce28d8ca4bf60d4c687c2a31b8d8e.exe"
              4⤵
              • Executes dropped EXE
              PID:2936
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3216
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:392
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:4904
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4088
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:1208

Network

DNS (all queries sent to 8.8.8.8:53, resolver country: US; all are reverse PTR lookups):

  • 8.8.8.8.in-addr.arpa IN PTR → dns.google
  • 13.86.106.20.in-addr.arpa IN PTR → (empty response)
  • 172.210.232.199.in-addr.arpa IN PTR → (empty response)
  • 68.159.190.20.in-addr.arpa IN PTR → (empty response)
  • 95.221.229.192.in-addr.arpa IN PTR → (empty response)
  • 50.23.12.20.in-addr.arpa IN PTR → (empty response)
  • 56.126.166.20.in-addr.arpa IN PTR → (empty response)
  • 82.90.14.23.in-addr.arpa IN PTR → a23-14-90-82.deploy.static.akamaitechnologies.com
  • 91.90.14.23.in-addr.arpa IN PTR → a23-14-90-91.deploy.static.akamaitechnologies.com
  • 13.227.111.52.in-addr.arpa IN PTR → (empty response)

Connections:

  Remote address   Host                           Protocol   Sent    Received   Requests   Responses
  8.8.8.8:53       8.8.8.8.in-addr.arpa           dns        66 B    90 B       1          1
  8.8.8.8:53       13.86.106.20.in-addr.arpa      dns        71 B    157 B      1          1
  8.8.8.8:53       172.210.232.199.in-addr.arpa   dns        74 B    128 B      1          1
  8.8.8.8:53       68.159.190.20.in-addr.arpa     dns        72 B    158 B      1          1
  8.8.8.8:53       95.221.229.192.in-addr.arpa    dns        73 B    144 B      1          1
  8.8.8.8:53       50.23.12.20.in-addr.arpa       dns        70 B    156 B      1          1
  8.8.8.8:53       56.126.166.20.in-addr.arpa     dns        72 B    158 B      1          1
  8.8.8.8:53       82.90.14.23.in-addr.arpa       dns        70 B    133 B      1          1
  8.8.8.8:53       91.90.14.23.in-addr.arpa       dns        70 B    133 B      1          1
  8.8.8.8:53       13.227.111.52.in-addr.arpa     dns        72 B    158 B      1          1
MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
    Filesize: 258KB
    MD5: 02569885e9369db7f7e10caf1b50ba83
    SHA1: 10a6f75e80a9f81aa4c6143a31eb419ff252c667
    SHA256: f9fbd769b3a8bcc2a77241fa76adb574009dd443f0ebe5913450e2e9f21d87da
    SHA512: d18ea18d470cde35ac5f775b8f51d9d0bbaeea64312a30ea4ed7261174cdc3c8ac60e8f205004bcac90c937fa732851d3f5bdf5dde3417b624f1ee24e87640c3

  • C:\Program Files\SelectConfirm.exe
    Filesize: 1.3MB
    MD5: d44142e9df71aefb28b6a235116913c2
    SHA1: d2005d60ac1e92524299b755ccd0a5204dcf68ce
    SHA256: 18070e4c44b70a43f26081cab0e918cdddf95e4ce0c2b3a4607aca950c18dc7d
    SHA512: 39ec90e0e5bb22749f056bc8386b0c72a6b2b7afcb48635e6f72adab46bbc31998b5f00f6ca66acb91d09164225b9097dd7805d73d60027843ae462be8045a5b

  • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
    Filesize: 644KB
    MD5: 11e0853d537d2721ecc655c1fc527e91
    SHA1: c8e23d103e93073ba7c93374878ae9a9f926c944
    SHA256: f168cda7cfa0f4f1d8dc26f615772410afe41b43fbc3da3cfe2c249b1eadca30
    SHA512: 3e5af85789e480d355053e9ded02108ae53136aec795d5d37faf1d5426275f7f3729e5583b0a95b3434d5b4452c7382405c0f8bc94e8a65275335c62268e0ee2

  • C:\Users\Admin\AppData\Local\Temp\$$a3A3A.bat
    Filesize: 722B
    MD5: 050e76e18ace295ab4212df70bd94d11
    SHA1: 6f26d6f335fc5308071379e9e023f5ff0aa1b391
    SHA256: bc465dabce1b20f9d5eecfe955dac2845580cb6bafc8355ea4f04e76a059d052
    SHA512: 8731d000e748e87dc8b0082b1e17b8d3f6fd7be18d3eee4bdecc5a786ecc4dfc6c9dea21b1c55d0e94a0de387315bd6c056b86d4235489ac845ba4e02f62ce35

  • C:\Users\Admin\AppData\Local\Temp\765588f23c201b5815b8f79dc9944827876ce28d8ca4bf60d4c687c2a31b8d8e.exe.exe
    Filesize: 661KB
    MD5: 1ccc2c9ae08b2b36660deac77dfbcfb7
    SHA1: 1a3e671eb5140104a4c9b056299af6a696e134ca
    SHA256: 98218f68e5674d99bcdbf3c9e1c4786e7cf1433fb27a4c4e0108894fb5acd0ec
    SHA512: c212849356f531811a30bc97e212734ee34cef809a5dc40f72991bcd24fa9b23db623c553b3a9358782d42665f296f2d4f980149c9e23b4915b191f76723eea5

  • C:\Windows\Logo1_.exe
    Filesize: 33KB
    MD5: e88b528305eba2eaa41bd67d5be2f3e9
    SHA1: 46ab8f327b9ad592d6b6e2786ff0c5a5735acbfb
    SHA256: 8549f3ecbe5d5d917c87472123a8ffc41b19b52c94b1fbc7089a971436dfe5ae
    SHA512: 8437f856ced59ed9edb400139bcc5bb083164c52fd843d058d94bd40243b3314af75e3fd18380708561a00a80c7160153a40e768c493f08ea4afc102357252e7

  • F:\$RECYCLE.BIN\S-1-5-21-2539840389-1261165778-1087677076-1000\_desktop.ini
    Filesize: 9B
    MD5: e850d9ceb7ebcc619d731dc2f1377b2b
    SHA1: a45553c9057075c02e28f90d5e8ea57a0dddbacc
    SHA256: b682a6e85069777ca22f84b99607acd09640eaa80029d74363c0a5aabddead4c
    SHA512: be92bd8393d0fe69559ec55e1068fcd77ccc699361a9cb98d467bd51a029c371852b7a1196ad53fa8865e956582e6a4d35f6ac6fea3832058b7a427133b0048c

  • memory/3216-10-0x0000000000400000-0x0000000000440000-memory.dmp
    Filesize: 256KB

  • memory/3216-18-0x0000000000400000-0x0000000000440000-memory.dmp
    Filesize: 256KB

  • memory/3216-5211-0x0000000000400000-0x0000000000440000-memory.dmp
    Filesize: 256KB

  • memory/3216-8668-0x0000000000400000-0x0000000000440000-memory.dmp
    Filesize: 256KB

  • memory/3228-0-0x0000000000400000-0x0000000000440000-memory.dmp
    Filesize: 256KB

  • memory/3228-9-0x0000000000400000-0x0000000000440000-memory.dmp
    Filesize: 256KB
