Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

26e27eb7b2...f6.exe

windows7-x64

7

26e27eb7b2...f6.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/06/2024, 13:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    26e27eb7b21105bd43a9c76e1855c9957b48fda96b9f1803cdc2a80643870df6.exe

  • Size

    400KB

  • MD5

    744bc1b9a04f5a72e7f26638ac5740bb

  • SHA1

    1858151a3d1365a06f3ef71fd8320ab9d2d6c875

  • SHA256

    26e27eb7b21105bd43a9c76e1855c9957b48fda96b9f1803cdc2a80643870df6

  • SHA512

    40c2a9ac8bb6fe0045f8642d2f56a9f5a2ee53a3d562c3b2b9be0e1938a52d0cc22e35e1f6bd199b170118c288ee05578f2d300600558e5007e893f99efc612d

  • SSDEEP

    6144:k/KW+aezsP2zPVz7jUBs8hqcBCi6dbfra4erJlt9A+xX1oOAisEIWmGeNkfGuYFk:HW+aQahVy41

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3484
      • C:\Users\Admin\AppData\Local\Temp\26e27eb7b21105bd43a9c76e1855c9957b48fda96b9f1803cdc2a80643870df6.exe
        "C:\Users\Admin\AppData\Local\Temp\26e27eb7b21105bd43a9c76e1855c9957b48fda96b9f1803cdc2a80643870df6.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4620
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2720
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:920
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a57C5.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:740
            • C:\Users\Admin\AppData\Local\Temp\26e27eb7b21105bd43a9c76e1855c9957b48fda96b9f1803cdc2a80643870df6.exe
              "C:\Users\Admin\AppData\Local\Temp\26e27eb7b21105bd43a9c76e1855c9957b48fda96b9f1803cdc2a80643870df6.exe"
              4⤵
              • Executes dropped EXE
              PID:3772
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:368
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4200
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:4480
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4548
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:5032

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            264KB

            MD5

            9dedb1a7eef99feed2af3fb8c73297b0

            SHA1

            fa03da28428dcfb50fce06b34745dbd9f1c31143

            SHA256

            1def99dc66bb41bb916f73bb75499d0a72900e77c0a62c85c475526384b89cd4

            SHA512

            b1994704303dc932cf601bf0bb4ffca7e49f317dc1f9194c79262aadb1ecc35ff9ce40518f4064a97d7893c0418216cc4ede0b4bf6c40e6891f12d5bf49d01d3

            Download Submit

          • C:\Program Files\7-Zip\7z.exe
            Filesize

            583KB

            MD5

            60556e4b20fce0b271b4217af2a803a6

            SHA1

            9de0c826bc1a91bf30c6828ce8fbea2f229018b5

            SHA256

            23b62dada4f5e1e602a4e0f9208c60463208610e4d81062e8b972a2a44b64f64

            SHA512

            788f8db0638f7f9b9ed22f74b3ca0086319c640cb71bdce2f3e366ded96587cb318e4ccb27167299ba8e531f62215c73faed9caff6eed8b0d556817de92f355c

            Download Submit

          • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
            Filesize

            649KB

            MD5

            006e8207aa163306a5174b6dea4b573f

            SHA1

            412a2165e9732fcae518386013c7d0d124c58780

            SHA256

            97b5e11d59b882a2bec3e62394e53ce8d2aa96f24ba4f991d43422ba452afeef

            SHA512

            5234a1fc74155bc5a0e02728e691003d51cd9b23b75f196964883600cf148776f3833d3237bc00d7f27cf0b7f15f3bcc3dbe37a00883eeb9c3cd0c93bdb3a2cd

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a57C5.bat
            Filesize

            722B

            MD5

            e16518921847c5b3d66706a009282ea2

            SHA1

            299ce962381973eda592b2d19fab5f2387c2425d

            SHA256

            77876a124327bde5e2145331f29353e766748c0e389ed8ac68f0eeecfbd0166e

            SHA512

            08d206ff3c485cc63ee503b2b55216af84eff559c74c47811145dc8e9a04bbb58727b8c009b1ce5f0a7fb2ed8a2424fb1646e2dd74cdc3f0ad8da5e21e04d89e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\26e27eb7b21105bd43a9c76e1855c9957b48fda96b9f1803cdc2a80643870df6.exe.exe
            Filesize

            360KB

            MD5

            5fbd45261a2de3bb42f489e825a9a935

            SHA1

            ff388f6e9efe651ec62c4152c1739783e7899293

            SHA256

            9e63701598199d5c47217e23b44d0e3ec5d53f5419166b1b6c68a7e9e8fc47a4

            SHA512

            7f22b1995a07016adb342c551454d602bfbe511525139aee8581b62116608e9e278fd81c26382f1333c7eccded4474196e73c093bb5cbf8e8f203e865024c058

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            39KB

            MD5

            a526b8c1dae7728e93d5ba5eeae7b353

            SHA1

            bb0c23e0b0a3cfa0ae52854c14e0adce7c439a33

            SHA256

            57253ef09f37588bafc2dd017b0ad6f27f5d6a6b526d5ca90bae19f25fcfe616

            SHA512

            4577203ad19ef23357f96091f8d621db5fb42ad4f6f2fdce68f3ec51fea248fbc38deb5d13865097d2c7cbca1db8ae9f18a42b6aac1fedc81a479d2ebbf20926

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-3571316656-3665257725-2415531812-1000\_desktop.ini
            Filesize

            8B

            MD5

            af485d3db9f82d3e5bdc8c6d87fb742e

            SHA1

            f879c3dbd3d34e9789ff73896508bfbeabbf7468

            SHA256

            7a7b688ede50bbaf08d4579fbd8c6b6c99d9dd1206d95ab24d8174eb9be98759

            SHA512

            d5fe5155948320ef6d3f80c01c9a81f0d4f60bab381d921ab2e06b62475618b973b34346bd41b40af24f2b5aff64bba68710f405f7ff21a58f369acbaaee9360

            Download Submit

          • memory/368-18-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/368-4752-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/368-11-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/368-8708-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/4620-0-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download

          • memory/4620-10-0x0000000000400000-0x000000000043D000-memory.dmp

            Filesize

            244KB

            Download