Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

b6c29383e2...4f.exe

windows7-x64

7

b6c29383e2...4f.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    152s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/06/2024, 06:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b6c29383e2d1350c451731cc354b089583679a74902bb9be9bb8606b73142f4f.exe

  • Size

    2.8MB

  • MD5

    7e2ded6b40f707c5a48b01b6b0c42eb5

  • SHA1

    8db426a7a5d9c36b201b51699c23de745435ccd0

  • SHA256

    b6c29383e2d1350c451731cc354b089583679a74902bb9be9bb8606b73142f4f

  • SHA512

    2434231606079ff2404a3a25674bbfec6a7346f7c2cd2534a5224fbc055eb18af44eb7a232a79fa1e32f410161d935b66e1fbbff17c637c06186c1893e0fbbae

  • SSDEEP

    49152:BPa6gLKJuMarhVnMFwTH8/giBiBcbk4ZxZ2DqFeVMhuxcPh:hd1XdhBiiMa7

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3296
      • C:\Users\Admin\AppData\Local\Temp\b6c29383e2d1350c451731cc354b089583679a74902bb9be9bb8606b73142f4f.exe
        "C:\Users\Admin\AppData\Local\Temp\b6c29383e2d1350c451731cc354b089583679a74902bb9be9bb8606b73142f4f.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2332
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2788
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2512
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBE2.bat
            3⤵
              PID:2644
              • C:\Users\Admin\AppData\Local\Temp\b6c29383e2d1350c451731cc354b089583679a74902bb9be9bb8606b73142f4f.exe
                "C:\Users\Admin\AppData\Local\Temp\b6c29383e2d1350c451731cc354b089583679a74902bb9be9bb8606b73142f4f.exe"
                4⤵
                • Executes dropped EXE
                PID:2260
            • C:\Windows\Logo1_.exe
              C:\Windows\Logo1_.exe
              3⤵
              • Drops startup file
              • Executes dropped EXE
              • Enumerates connected drives
              • Drops file in Program Files directory
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:4908
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:3224
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:212
                • C:\Windows\SysWOW64\net.exe
                  net stop "Kingsoft AntiVirus Service"
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4420
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                    5⤵
                      PID:760
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
              1⤵
                PID:2448

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
                Filesize

                258KB

                MD5

                d27c63e967bc8b5fd47f2ed92a7c31d4

                SHA1

                61d4de0e67b9ff62bbb9c1abeffaa013af804f20

                SHA256

                cd9b6b425d624455491f2ecded3dd2eb9ea18a9a01a9e7024a7265b913cfb3f4

                SHA512

                d01d9b413904b54fe10ded037c3aa152f2484b375bb2f534e2287b2ba210db9bb138875a0cfcdba45f1e526747c782960d1ab3357eefbc034bec571177fba951

                Download Submit

              • C:\Program Files\7-Zip\7z.exe
                Filesize

                577KB

                MD5

                7c903b590b5471fdb6f912182c55f598

                SHA1

                613979c4db3458338017e9eae26d939483579a8f

                SHA256

                4d5cef8d007e7c92fa50bd8e1d88e35f4f12e1b066de4a94d703d41e093cfc25

                SHA512

                e46aebace8ec5d17c1e1131e9a24c5b530392188003325e0c8ba5c4e01829680510932f8a0ae0ba85b136a1a4a36830b84aee8145e017ab22505472c20befec1

                Download Submit

              • C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
                Filesize

                488KB

                MD5

                97c225a6076098457011512e3a98608e

                SHA1

                7acea60aaf36af0706e86969c48cab55873e0f87

                SHA256

                d51354447034e0374f2596da08118c1ffc638945cca8bbf623f8a9ef1fbd3440

                SHA512

                37b7e78ad8bfa72ed9eb380f8776007e525fabb44f07636993c30814a9076de673563437d942d4e31eaff9bf1092190343c0d8ff112ad630b3e3727f8a0ed90f

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\$$aBE2.bat
                Filesize

                721B

                MD5

                d67218a46a256a7ab3d54a69ca00b745

                SHA1

                889250d3bb0bfa2a5b804f4ef8d64e99aa9fee5c

                SHA256

                fd2ff8186cd10e7340a57812ba877ac2118fe9f03b38744064c5a9eb86f2949c

                SHA512

                d153a80711e6966c10b1d0c078e86eba54c3d833746b79592f6dbceb1ed832c86a5a7ff3bfbc7c458970e7fcf785942cb585279cb1408a317e1d4c5105bf872a

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\b6c29383e2d1350c451731cc354b089583679a74902bb9be9bb8606b73142f4f.exe.exe
                Filesize

                2.8MB

                MD5

                095092f4e746810c5829038d48afd55a

                SHA1

                246eb3d41194dddc826049bbafeb6fc522ec044a

                SHA256

                2f606012843d144610dc7be55d1716d5d106cbc6acbce57561dc0e62c38b8588

                SHA512

                7f36fc03bfed0f3cf6ac3406c819993bf995e4f8c26a7589e9032c14b5a9c7048f5567f77b3b15f946c5282fc0be6308a92eab7879332d74c400d0c139ce8400

                Download Submit

              • C:\Windows\Logo1_.exe
                Filesize

                33KB

                MD5

                ef01f71a4c5d601732f01e9b5d6ea283

                SHA1

                073fcc96b3f22df37387be1006700d90346fc342

                SHA256

                4836226708703a884cbf785b4d4f10d3042daac184de30a47263d47c9f31c9b4

                SHA512

                009a4397351e1a406f4531edb1a071f207c9213750018441296dcac28670bc7af57165f67d72631bed1d56eff89148c751cea40aabc608532c60b39791e85a0f

                Download Submit

              • F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\_desktop.ini
                Filesize

                8B

                MD5

                9bf5ad0e8bbf0ba1630c244358e5c6dd

                SHA1

                25918532222a7063195beeb76980b6ec9e59e19a

                SHA256

                551cc5b618f0fa78108dd2388d9136893adb10499e4836e9728f4e96530bf02f

                SHA512

                7fdce76bb191d4988d92e3d97ce8db4cae1b5c1f93198bffc4e863d324d814246353200d32ea730f83345fcb7ad82213c2bcd31351e905e473d9596bc7b43ad3

                Download Submit

              • memory/2332-0-0x0000000000400000-0x0000000000440000-memory.dmp

                Filesize

                256KB

                Download

              • memory/2332-11-0x0000000000400000-0x0000000000440000-memory.dmp

                Filesize

                256KB

                Download

              • memory/4908-469-0x0000000000400000-0x0000000000440000-memory.dmp

                Filesize

                256KB

                Download

              • memory/4908-66-0x0000000000400000-0x0000000000440000-memory.dmp

                Filesize

                256KB

                Download

              • memory/4908-1281-0x0000000000400000-0x0000000000440000-memory.dmp

                Filesize

                256KB

                Download

              • memory/4908-1811-0x0000000000400000-0x0000000000440000-memory.dmp

                Filesize

                256KB

                Download

              • memory/4908-4134-0x0000000000400000-0x0000000000440000-memory.dmp

                Filesize

                256KB

                Download

              • memory/4908-18-0x0000000000400000-0x0000000000440000-memory.dmp

                Filesize

                256KB

                Download

              • memory/4908-5516-0x0000000000400000-0x0000000000440000-memory.dmp

                Filesize

                256KB

                Download

              • memory/4908-9-0x0000000000400000-0x0000000000440000-memory.dmp

                Filesize

                256KB

                Download

              • memory/4908-6469-0x0000000000400000-0x0000000000440000-memory.dmp

                Filesize

                256KB

                Download

              • memory/4908-8575-0x0000000000400000-0x0000000000440000-memory.dmp

                Filesize

                256KB

                Download

              • memory/4908-8828-0x0000000000400000-0x0000000000440000-memory.dmp

                Filesize

                256KB

                Download