Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/06/2024, 06:33

General

  • Target
    b6c29383e2d1350c451731cc354b089583679a74902bb9be9bb8606b73142f4f.exe
  • Size
    2.8MB
  • MD5
    7e2ded6b40f707c5a48b01b6b0c42eb5
  • SHA1
    8db426a7a5d9c36b201b51699c23de745435ccd0
  • SHA256
    b6c29383e2d1350c451731cc354b089583679a74902bb9be9bb8606b73142f4f
  • SHA512
    2434231606079ff2404a3a25674bbfec6a7346f7c2cd2534a5224fbc055eb18af44eb7a232a79fa1e32f410161d935b66e1fbbff17c637c06186c1893e0fbbae
  • SSDEEP
    49152:BPa6gLKJuMarhVnMFwTH8/giBiBcbk4ZxZ2DqFeVMhuxcPh:hd1XdhBiiMa7

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1204
      • C:\Users\Admin\AppData\Local\Temp\b6c29383e2d1350c451731cc354b089583679a74902bb9be9bb8606b73142f4f.exe
        "C:\Users\Admin\AppData\Local\Temp\b6c29383e2d1350c451731cc354b089583679a74902bb9be9bb8606b73142f4f.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2308
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2928
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2236
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$aFE8.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            PID:2600
            • C:\Users\Admin\AppData\Local\Temp\b6c29383e2d1350c451731cc354b089583679a74902bb9be9bb8606b73142f4f.exe
              "C:\Users\Admin\AppData\Local\Temp\b6c29383e2d1350c451731cc354b089583679a74902bb9be9bb8606b73142f4f.exe"
              4⤵
              • Executes dropped EXE
              PID:2560
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2924
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3016
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2764
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2472
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2580

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
    Filesize
    258KB
    MD5
    d27c63e967bc8b5fd47f2ed92a7c31d4
    SHA1
    61d4de0e67b9ff62bbb9c1abeffaa013af804f20
    SHA256
    cd9b6b425d624455491f2ecded3dd2eb9ea18a9a01a9e7024a7265b913cfb3f4
    SHA512
    d01d9b413904b54fe10ded037c3aa152f2484b375bb2f534e2287b2ba210db9bb138875a0cfcdba45f1e526747c782960d1ab3357eefbc034bec571177fba951

  • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
    Filesize
    478KB
    MD5
    5264aab343fc1f53c29d1065346d0010
    SHA1
    db43bc0b28b4ada0c5635db50fd0b64410ab76ad
    SHA256
    d33d56847b353c8207a43aa01cc75527328ebf4bba669e90e29266d1b6fb57dd
    SHA512
    bb4ba1f7c5cae56cef564dd99f1a1fd3e2c656f8004f689a22ea641d886cbb3a19dde3dce5be4cf8cee4ce190170fd8c5390cb9c7c40ae54109559685119a958

  • C:\Users\Admin\AppData\Local\Temp\$$aFE8.bat
    Filesize
    721B
    MD5
    dbab4a6a55c9d48d9e85360b80be0d0c
    SHA1
    b1e1e152d372a83f575d76612da630065f3abc7b
    SHA256
    1b45e93de06497b5285b0c7bdf442496f062c19eb8d4d5b1a724707e1e19dde0
    SHA512
    d1f65ddc6968284b29ea8ee06b06378bb54946ebdcbc7987813ed62a0c84c2a13c7b5c0bc0f3b4b7fc00bd31f29a6f57fa44fc627a93a9522424ca1d4b01f5e8

  • C:\Users\Admin\AppData\Local\Temp\b6c29383e2d1350c451731cc354b089583679a74902bb9be9bb8606b73142f4f.exe.exe
    Filesize
    2.8MB
    MD5
    095092f4e746810c5829038d48afd55a
    SHA1
    246eb3d41194dddc826049bbafeb6fc522ec044a
    SHA256
    2f606012843d144610dc7be55d1716d5d106cbc6acbce57561dc0e62c38b8588
    SHA512
    7f36fc03bfed0f3cf6ac3406c819993bf995e4f8c26a7589e9032c14b5a9c7048f5567f77b3b15f946c5282fc0be6308a92eab7879332d74c400d0c139ce8400

  • C:\Windows\Logo1_.exe
    Filesize
    33KB
    MD5
    ef01f71a4c5d601732f01e9b5d6ea283
    SHA1
    073fcc96b3f22df37387be1006700d90346fc342
    SHA256
    4836226708703a884cbf785b4d4f10d3042daac184de30a47263d47c9f31c9b4
    SHA512
    009a4397351e1a406f4531edb1a071f207c9213750018441296dcac28670bc7af57165f67d72631bed1d56eff89148c751cea40aabc608532c60b39791e85a0f

  • F:\$RECYCLE.BIN\S-1-5-21-2248906074-2862704502-246302768-1000\_desktop.ini
    Filesize
    8B
    MD5
    9bf5ad0e8bbf0ba1630c244358e5c6dd
    SHA1
    25918532222a7063195beeb76980b6ec9e59e19a
    SHA256
    551cc5b618f0fa78108dd2388d9136893adb10499e4836e9728f4e96530bf02f
    SHA512
    7fdce76bb191d4988d92e3d97ce8db4cae1b5c1f93198bffc4e863d324d814246353200d32ea730f83345fcb7ad82213c2bcd31351e905e473d9596bc7b43ad3

  • memory/1204-26-0x0000000002E00000-0x0000000002E01000-memory.dmp
    Filesize
    4KB

  • memory/2308-0-0x0000000000400000-0x0000000000440000-memory.dmp
    Filesize
    256KB

  • memory/2308-17-0x0000000000400000-0x0000000000440000-memory.dmp
    Filesize
    256KB

  • memory/2924-30-0x0000000000400000-0x0000000000440000-memory.dmp
    Filesize
    256KB

  • memory/2924-3317-0x0000000000400000-0x0000000000440000-memory.dmp
    Filesize
    256KB

  • memory/2924-4140-0x0000000000400000-0x0000000000440000-memory.dmp
    Filesize
    256KB