Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

1c7d8b58c9...f2.exe

windows7-x64

7

1c7d8b58c9...f2.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/05/2024, 14:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1c7d8b58c9bb761043fedde862f002afb7004fd94a8ee991f22edb97353f79f2.exe

  • Size

    92KB

  • MD5

    0d5e3dcf180d8839c227f3823c3e5dd8

  • SHA1

    94270624c73dff91abf8e13d36af865bf9c6ba8d

  • SHA256

    1c7d8b58c9bb761043fedde862f002afb7004fd94a8ee991f22edb97353f79f2

  • SHA512

    8ea81e54a2a697597d99e94fa0410ee7df1038697fbdaa2b7471580955e6245d5e0f68b9846a3c4541e0f41dd94afcf6cbd9c437904562c2862b46eeeac8e357

  • SSDEEP

    1536:6Hcx1aeg1v9OQZVUKM6+kKpdyapmebn4ddJZeY86iLflLJYEIs67rxo:6Hf9lOzKM5pMLK4ddJMY86ipmns6S

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3372
      • C:\Users\Admin\AppData\Local\Temp\1c7d8b58c9bb761043fedde862f002afb7004fd94a8ee991f22edb97353f79f2.exe
        "C:\Users\Admin\AppData\Local\Temp\1c7d8b58c9bb761043fedde862f002afb7004fd94a8ee991f22edb97353f79f2.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1924
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2940
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2672
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3141.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3364
            • C:\Users\Admin\AppData\Local\Temp\1c7d8b58c9bb761043fedde862f002afb7004fd94a8ee991f22edb97353f79f2.exe
              "C:\Users\Admin\AppData\Local\Temp\1c7d8b58c9bb761043fedde862f002afb7004fd94a8ee991f22edb97353f79f2.exe"
              4⤵
              • Executes dropped EXE
              PID:556
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:464
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3444
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2140
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:384
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:1716

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            c9badcb684862f516b396d44b56baceb

            SHA1

            0d8eabcdc92e05177e46da3ea05ae2f41b01416c

            SHA256

            14c73a5bd721c24ebd8109d5d9a1e7dc8802c1bef0401cdd123ab41ae381c609

            SHA512

            543671893e74c261f12be887a10669dae034fcacad4998ae5282fe102aa4bcdcfa0776a9667f32f60fae93acdc5c2ad23f11ad330354295e9e44a67bc1dddb68

            Download Submit

          • C:\Program Files\7-Zip\7z.exe
            Filesize

            577KB

            MD5

            5aac7583510ebed6b8057afd1b55dfd3

            SHA1

            403d071ba18ca5251c300de07bf79219bba33e8c

            SHA256

            93a36984edc02b39685f692eb85eaf1cf3a02ce9767a2c4b5e38725e5e200adf

            SHA512

            e4ebe57faa33924f168d121a346b075e29b4fa018b5dadf7f55a322262730f76572e46c316e6429d8fbb3fd0b3443429e4dd34b4f0bc7fed3b4126f592a09899

            Download Submit

          • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
            Filesize

            643KB

            MD5

            ab26006fce082246aa3ffd6ff4cbcf89

            SHA1

            f8686e05d1aeb169e13c8d3889b01dd3988d5124

            SHA256

            a31829ad88d68b47eea131646207d5b3b53468a9bdd665365f608b6ce186b8ba

            SHA512

            0b7f2d8dab9c10a6619970c6e0568380d79951ec942f79bc035b8c93ebe8b23d925e42b62e22aaacce6ff981fbd719526aa797031b50a036e7e6f5aef0728df5

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a3141.bat
            Filesize

            722B

            MD5

            4ea831098b1bab06b450cc2018af1fb8

            SHA1

            b1a3e4f086f262c8e59fc498af414e2c4375442e

            SHA256

            36ef2b872e2673346b3f403441f4eff793504fded8b3e5e40376e24a303c7272

            SHA512

            312de5325f39f21b65f3ab424f4206fa4ed24a4ecbc2475c01c911c9675d293f8743c7e0d1002a365dc5e294e3e5cf4ff0cf1474554df2f7c24fb875d0206561

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\1c7d8b58c9bb761043fedde862f002afb7004fd94a8ee991f22edb97353f79f2.exe.exe
            Filesize

            59KB

            MD5

            dfc18f7068913dde25742b856788d7ca

            SHA1

            cbaa23f782c2ddcd7c9ff024fd0b096952a2b387

            SHA256

            ff4ac75c02247000da084de006c214d3dd3583867bd3533ba788e22734c7a2bf

            SHA512

            d0c7ec1dae41a803325b51c12490c355ed779d297daa35247889950491e52427810132f0829fc7ffa3022f1a106f4e4ba78ed612223395313a6f267e9ab24945

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            7a091274be36971fce58dba0c887a23e

            SHA1

            1dcc358a109927e63e11775b0f38cca741f8d230

            SHA256

            308ea0a61b9625ffc055c1709dfa413e77ef4d9e01926435215044f6e9ab8757

            SHA512

            9497df8f2d42a38e831fc72c1c0f57f9a120afce4cf93b5b0c7f4462ee3f3fed722ad02733b6919879733fb06136e925a8ab6e62aaad63bce02b1a6fd6858607

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-1162180587-977231257-2194346871-1000\_desktop.ini
            Filesize

            9B

            MD5

            4b2b75605a65a6762ec4715de0a70902

            SHA1

            3b85993ef06d2d814abc405188fdd19a1bffea0c

            SHA256

            77072cc5a7b394508cf5d819ff8cf4385a9b3cb15d8715a59845ccfa235ea34e

            SHA512

            888361e75afd4308bdad817af543704a42ffdf2d798acef619459e9978ac68f1cf4d468c6e0b146ab738b0109fdf331c4380471aa83f637b0f6ab06164840c65

            Download Submit

          • memory/464-17-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/464-2825-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/464-8665-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/1924-0-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/1924-9-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download