Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

4cfb758bc8...5c.exe

windows7-x64

7

4cfb758bc8...5c.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    04/06/2024, 20:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe

  • Size

    33KB

  • MD5

    3905de443e3362c9a3cf7a99ec967853

  • SHA1

    fad6b90d31da3df8c885fac5d78de93bec539fec

  • SHA256

    4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c

  • SHA512

    151968a824d131913cec483882b9a636aaa1202647f703b376b495e09f3ac1377aed756e85a449613a9cea4487cf9522ec2951e00ecb095e709eb55d21fe4183

  • SSDEEP

    768:mYBuC+Vxr1x5cE9Fl5pz8UOutDlMXaoSunjXWNN:/BVsrz8VuJlMXaDuiN

Score
7/10
spywarestealer

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1084
      • C:\Users\Admin\AppData\Local\Temp\4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
        "C:\Users\Admin\AppData\Local\Temp\4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2004
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2352
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2144
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2960
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              4⤵
                PID:2988

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
          Filesize

          258KB

          MD5

          8a216d268fb4892b3af2e79a279a2a23

          SHA1

          51916b0eeb6d61280fac7de0363254427f245762

          SHA256

          c7a2a1b862ba9fdf706edd930c09dd07af8fb44f3edcfe0a22b41899eebae31d

          SHA512

          30adf4d918017584c668d9bacf0f6263a9f47087303aaa46ca6a0c9a1e96644fb54b7110ede95819e5782ca189909ce84af8bc80c2a5c1ac21cb62f33f729e93

          Download Submit

        • C:\Program Files\7-Zip\7zG.exe
          Filesize

          717KB

          MD5

          87e2e2dfbfec95ff04162e57a04bee58

          SHA1

          3d527d7351949cfc1081d13093bed1f502a539f1

          SHA256

          e3baff1970566e3f7557745866bd9d502a543c88ea970b12f52aa7204e80f090

          SHA512

          89ce52108755d1588c72ece7dabf7f2ebfbd4eddbb8b5439ba6ba85c84e5587aa3a4450b9360a038a001ca59d5a68b563b0170a422acc0e48691c02ebf203732

          Download Submit

        • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
          Filesize

          478KB

          MD5

          50cb47f0239e9a2044dfa0b0e6d92c14

          SHA1

          2b20d81a810449f5b994c3d785b6a8f7700a023f

          SHA256

          fa436f5c793efd8b5908c7bb003a95e126a350f3c5e51edd18ccdaf28aaba7e3

          SHA512

          27cdb9f9248870b1595fa8ff7f975fe225e80f43f47a6aac2867eadbad0dfea347c4ffa3bd6d52ba95d72d81cc12314b9ab9833d118b7a7bb0be707479371049

          Download Submit

        • F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\_desktop.ini
          Filesize

          8B

          MD5

          378d822ce12583d0d584184af22d1d77

          SHA1

          c062ac770b028df6db676099e02f09fc2f77b171

          SHA256

          1ad01f8e46c86dfa34468e306eabe54b58d56134130b53ea7677961e3baaf6c7

          SHA512

          23cf7b916de734c6bb6fd3b2beee21f3e82bc95e93d8662dca818d7cf13602706f22671dce61388b2a7e0b613c07c70512331c4132759b16cf438cb1750bc397

          Download Submit

        • memory/1084-3-0x0000000002D70000-0x0000000002D71000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2004-0-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2004-7-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2004-3294-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2004-4108-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

          Download