Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

e01452fae0...db.exe

windows7-x64

8

e01452fae0...db.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    09/06/2024, 18:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e01452fae026a319ca3a858940cfd62242b10b264ae06fc05d50c45f11c0d7db.exe

  • Size

    105KB

  • MD5

    9ff813299d25a30883c0697996beaca0

  • SHA1

    44ff3dc76d72b4eabac961492308b0befd89f878

  • SHA256

    e01452fae026a319ca3a858940cfd62242b10b264ae06fc05d50c45f11c0d7db

  • SHA512

    e593a2dbf8fa78814634a72e515a0822675bc558c9d7b135906c1b0fdf53b38b9dcfff80434d7b85f98bde1ee42e679a268e8225be6f54bef00a0044d383872c

  • SSDEEP

    3072:JjaY46tGNFC0VFu2NQKPWDyDRepJltZrpRSfHe:/46tGfC0jhNSDyDRothpQG

Score
8/10
spywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1200
      • C:\Users\Admin\AppData\Local\Temp\e01452fae026a319ca3a858940cfd62242b10b264ae06fc05d50c45f11c0d7db.exe
        "C:\Users\Admin\AppData\Local\Temp\e01452fae026a319ca3a858940cfd62242b10b264ae06fc05d50c45f11c0d7db.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1412
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:848
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2304
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$aAC56.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2776
            • C:\Users\Admin\AppData\Local\Temp\e01452fae026a319ca3a858940cfd62242b10b264ae06fc05d50c45f11c0d7db.exe
              "C:\Users\Admin\AppData\Local\Temp\e01452fae026a319ca3a858940cfd62242b10b264ae06fc05d50c45f11c0d7db.exe"
              4⤵
              • Executes dropped EXE
              PID:2948
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2652
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2920
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2936
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2096
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2600

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            258KB

            MD5

            abebaf128d6bdb9fde2b1f0e33f1940d

            SHA1

            173fb9534043dca8d7b00cd16e140bea31e380c4

            SHA256

            e8db4f222623580956eaa3cecb1aff5bcd019e9a004c3fe05f0feb696580c44e

            SHA512

            6d73721e41950c1d3473bfe154ce33ed2b52034ec9c56608e84f00323db7860930dfba52613a5a8f02644a112891e3d8e615c705647719b70316ea8dd226be92

            Download Submit

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
            Filesize

            478KB

            MD5

            77ec999dc753d70d4a8fbc32a98efb2f

            SHA1

            172ba524961356c8cf218baf27e14c66a07ffefc

            SHA256

            7178ea26cd9a2cd05e48e5d856a330d3e276d798d14aa10852df737f141dfbc5

            SHA512

            67d6a5f5034c44c4dbd5df9f61dc7754a1981040f04e2bd8159b8311f9b57009d731ac051a7751ff4674817f3d6f2c3fb5537046a289f45ca038d10084b6bd58

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$aAC56.bat
            Filesize

            722B

            MD5

            b5d9b11f1d6e62847b030e79a1fa9d04

            SHA1

            adb482fb0d064078fc7d5bd0bf455ecdd42a6456

            SHA256

            70d0f7416251aa6e3cac47b6656836659cad547935f2aed27c10012d8b0ba65c

            SHA512

            de6eeda293c16e2fc54380eaae697b408fe624756c42ff001c6614c35179bc6d6068c103d65a10da0fc4fb70df3e5b780e1d1ef5050db6440abfc71f154d147d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\e01452fae026a319ca3a858940cfd62242b10b264ae06fc05d50c45f11c0d7db.exe.exe
            Filesize

            71KB

            MD5

            423adb5b09778f505593929d89d3fd8c

            SHA1

            ba688ed370a2dbba0589fc7bcebf726111910189

            SHA256

            99cec7888af203c8997fc4e9a3b2a5b974540fe0e70f161c1b6b025309f12607

            SHA512

            406452e7891f8b4307465ee83edb925c76a1649bb405878cfb1d8e971c470569163f1493922b25a44f71b788f0ff1971485eafe47d982752d3974426032edd51

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            33KB

            MD5

            55b45e3d9494b95a16c60dfc44599db6

            SHA1

            66ec47cfced6ff77e8a5bba352f48ad6f7e78d7b

            SHA256

            3e4b59e3d964fb8e6f36415ef5acbb9d24638945c0ee0ed4624e34e3fd766449

            SHA512

            416fa491918b8e071b0d6d4bfe6c83de520a6543720f9fc072e22c0ffe4a1c82ece856f4961e111b04365ff3e70ae834e9b39b0a9825686b78b5102a1c70933f

            Download Submit

          • C:\Windows\system32\drivers\etc\hosts
            Filesize

            832B

            MD5

            7e3a0edd0c6cd8316f4b6c159d5167a1

            SHA1

            753428b4736ffb2c9e3eb50f89255b212768c55a

            SHA256

            1965854dfa54c72529c88c7d9f41fa31b4140cad04cf03d3f0f2e7601fcbdc6c

            SHA512

            9c68f7f72dfa109fcfba6472a1cced85bc6c2a5481232c6d1d039c88b2f65fb86070aeb26ac23e420c6255daca02ea6e698892f7670298d2c4f741b9e9415c7f

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\_desktop.ini
            Filesize

            8B

            MD5

            9bf5ad0e8bbf0ba1630c244358e5c6dd

            SHA1

            25918532222a7063195beeb76980b6ec9e59e19a

            SHA256

            551cc5b618f0fa78108dd2388d9136893adb10499e4836e9728f4e96530bf02f

            SHA512

            7fdce76bb191d4988d92e3d97ce8db4cae1b5c1f93198bffc4e863d324d814246353200d32ea730f83345fcb7ad82213c2bcd31351e905e473d9596bc7b43ad3

            Download Submit

          • memory/1200-32-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1412-19-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/1412-17-0x00000000003C0000-0x00000000003FE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/1412-18-0x00000000003C0000-0x00000000003FE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/1412-0-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2652-35-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2652-1645-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2652-21-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2652-3287-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2652-4043-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download