Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

2eede65324...ba.exe

windows7-x64

7

2eede65324...ba.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/06/2024, 14:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2eede65324b2e8a57b63f82ae8cc812497596ccdf5da71e82a72228f74d542ba.exe

  • Size

    258KB

  • MD5

    5bccfa5d3d7bcee768187346a73608d1

  • SHA1

    4ea22c666a8ffe6e0f03607e45a85deba5484cb1

  • SHA256

    2eede65324b2e8a57b63f82ae8cc812497596ccdf5da71e82a72228f74d542ba

  • SHA512

    28be9c9b18f9db60abb7b13ba92152278e650e59e76843bb4143f3375f23ac5e08cf45a209a13c4ca916e27555a45836ddd066544f9e9d6e4d8c49a4eac7e7e4

  • SSDEEP

    6144:S+aezDQZbO5JCSZT0wwla4G13CmdxLzI9LTB5xnmT:S+aRbuJcfcXbz0Tfxo

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3268
      • C:\Users\Admin\AppData\Local\Temp\2eede65324b2e8a57b63f82ae8cc812497596ccdf5da71e82a72228f74d542ba.exe
        "C:\Users\Admin\AppData\Local\Temp\2eede65324b2e8a57b63f82ae8cc812497596ccdf5da71e82a72228f74d542ba.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4832
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4056
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1620
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF57C.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:716
            • C:\Users\Admin\AppData\Local\Temp\2eede65324b2e8a57b63f82ae8cc812497596ccdf5da71e82a72228f74d542ba.exe
              "C:\Users\Admin\AppData\Local\Temp\2eede65324b2e8a57b63f82ae8cc812497596ccdf5da71e82a72228f74d542ba.exe"
              4⤵
              • Executes dropped EXE
              PID:4496
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1536
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2032
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:3184
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1308
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:1972
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3752 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
            1⤵
              PID:1016

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files\7-Zip\7z.exe
              Filesize

              583KB

              MD5

              80b4ed875f0b2d49bc5ad056ea34e86e

              SHA1

              8b6cfd1956a55cc22cbdddc8799d571974d1f274

              SHA256

              622c928a4cada8ca1f49b08c72266e229a183ca5ffed94f06b4ccfc6558624a0

              SHA512

              d75ee42a91eff1c955cb3f41f944de6cacf25adc3079de910ec6fcfa949a7a6687a0c5091cf544fc0e7ee79151d47fa56f76186e06a08edf703ad8b19f78e883

              Download Submit

            • C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
              Filesize

              494KB

              MD5

              73b8afa9c3c287b59a05eccad6bc1d60

              SHA1

              6ae108be5c05fd882c422c37995c3eba370c41e5

              SHA256

              b189f4bac49bd3e9d501b009ae20db1a60a6a3fa931118ce3fa918b3cfd4811d

              SHA512

              685cdbf70d4829048d2f908f41c0de3edcc4eeb53b4852616983ca41d4428c787504e94c65329292370d355fdd90bad02a60834903279a917e0bbb814c17c53b

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\$$aF57C.bat
              Filesize

              722B

              MD5

              e8c378addd1c8bb46d6b1d52c4801bbb

              SHA1

              972d1355bc1939bfb93dcc7fec180b299fa714e7

              SHA256

              5a85d2cb51c877865e70c1cd704642b1944a3bf769890cb10296d6c8cedf16c8

              SHA512

              9afa7c684bbed53a61c40b2ede77439ef89e6aa73759acd1d31a568ccbca4099492c1ff88a695e9363f2462dbf1cc94d1d126e17352d797598ba15aa52deb14e

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\2eede65324b2e8a57b63f82ae8cc812497596ccdf5da71e82a72228f74d542ba.exe.exe
              Filesize

              218KB

              MD5

              5f1707646575d375c50155832477a437

              SHA1

              9bcba378189c2f1cb00f82c0539e0e9b8ff0b6c1

              SHA256

              75d348a3330bc527b2b2ff8a0789f711bd51461126f8df0c0aa1647e9d976809

              SHA512

              2f55dd13abfeb5af133ac5afb43c90fd10618e8fb241f50529241cff7987fff382cf151146855c37ad8ae0401b34f6d9aa32cbec03cdd67a224dfe247bad6c99

              Download Submit

            • C:\Windows\Logo1_.exe
              Filesize

              39KB

              MD5

              3119e880ce5d6d029185f7ed591e11d0

              SHA1

              3ab197daedf94e992062faa4eda18905b87c75bb

              SHA256

              b1eada5fd013195853bb65ee2b9fa55eb97840d20077d7a2fd43167800608eda

              SHA512

              18cafd3a73312811037cb0e44a578670498b09350d72febd262d62528094b9ba738357ef861bb9cb7704097b9c930b9aa38ee5823520e22cf71d4ebb453bf4d7

              Download Submit

            • F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\_desktop.ini
              Filesize

              9B

              MD5

              60b1ffe4d5892b7ae054738eec1fd425

              SHA1

              80d4e944617f4132b1c6917345b158f3693f35c8

              SHA256

              5e9944cc48c7ec641cf7b1b0125f47f26102c371a973612f0583f604bc3900d4

              SHA512

              7f5c200924dbb5531df997e6a35cb94f36b54f5651284b0d6404f0576301125ef72b410a170fca889d46c033063663cfc7791f9e4c3c30695af069053eee66cc

              Download Submit

            • memory/1536-18-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/1536-9-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/1536-3120-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/1536-1570-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/1536-214-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/1536-5683-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/1536-7913-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/1536-8824-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4832-11-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download

            • memory/4832-0-0x0000000000400000-0x000000000043D000-memory.dmp

              Filesize

              244KB

              Download