Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    16/06/2024, 22:14

General

  • Target

    ce827f13fb262d7afc6b620712647ae6859bc57b3f289f3ae8261a5f607eb558.exe

  • Size

    92KB

  • MD5

    ad197336d243861e0b00345682288eca

  • SHA1

    1ff3a98615423b323ed4a245054a529b312d4d6f

  • SHA256

    ce827f13fb262d7afc6b620712647ae6859bc57b3f289f3ae8261a5f607eb558

  • SHA512

    0cfe2880aaa04e1225e470072a33497261c4342499c25e05864ba8a26ec2e4f73438368fccf4e663a3959fee9dbfcec8f4c0e95c3935d48f1431d7ebd70fdb76

  • SSDEEP

    1536:2de+Zk77RN++t4SMKvL/yapmebn4ddJZeY86iLflLJYEIs67rxo:2de+aX3x4AeLK4ddJMY86ipmns6S

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1224
      • C:\Users\Admin\AppData\Local\Temp\ce827f13fb262d7afc6b620712647ae6859bc57b3f289f3ae8261a5f607eb558.exe
        "C:\Users\Admin\AppData\Local\Temp\ce827f13fb262d7afc6b620712647ae6859bc57b3f289f3ae8261a5f607eb558.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2108
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2856
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2416
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a11AD.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2800
            • C:\Users\Admin\AppData\Local\Temp\ce827f13fb262d7afc6b620712647ae6859bc57b3f289f3ae8261a5f607eb558.exe
              "C:\Users\Admin\AppData\Local\Temp\ce827f13fb262d7afc6b620712647ae6859bc57b3f289f3ae8261a5f607eb558.exe"
              4⤵
              • Executes dropped EXE
              PID:2872
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2816
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2828
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2836
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2844
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2716

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

            Filesize

            258KB

            MD5

            10a592ae5b5c62f519f12d9350c72e69

            SHA1

            1a83db490750920d33cde5c0182d07660835d948

            SHA256

            738a7e7ad8d449047253d33f3a11ada756149b9d9d32b5cbd6c8906e873fc7b2

            SHA512

            aac2103a7cb462979a8e6008f2858b5b3453741d8fa9acc3fd24ff7b7eb9c40004791a2e222b1ffc20e766ac60b397e8a2e757ce90826350dd5bcae5cdf48559

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

            Filesize

            478KB

            MD5

            f00f90ad5ee9d3dd590b46e8e42efc3a

            SHA1

            17fffd38ae6e7471fd977e0e90a7cfb14e2e8d8f

            SHA256

            56ac0953e53d75a53207226d3e70d78611540431905bda50c48f4b47bfa87f71

            SHA512

            004ac5514ebc72901ee138612f5d262935b05c15fd69f6004e6cc127e6dd9710368abb64d70c220ea4444a9ae1d2e74c5054d055ee1354475eb4a270015d25f4

          • C:\Users\Admin\AppData\Local\Temp\$$a11AD.bat

            Filesize

            722B

            MD5

            d0760e639ca80e0a91b532d1b73b2ba8

            SHA1

            a401d692a03a6550e8da68b3854fea71c1ef0e50

            SHA256

            b4a750bf8ff94a14a08cd9ca23e8859172f2348f948e70d1410b8b342dfe967a

            SHA512

            39bcb3a55821b1303d48f9441234a9d88547a79a5039f4efe7d799da51c9ec7b2a0e8d0d9c680dffdd9670442cb6101283b8d7b4678f692ecdbc4306f4539e4c

          • C:\Users\Admin\AppData\Local\Temp\ce827f13fb262d7afc6b620712647ae6859bc57b3f289f3ae8261a5f607eb558.exe.exe

            Filesize

            59KB

            MD5

            dfc18f7068913dde25742b856788d7ca

            SHA1

            cbaa23f782c2ddcd7c9ff024fd0b096952a2b387

            SHA256

            ff4ac75c02247000da084de006c214d3dd3583867bd3533ba788e22734c7a2bf

            SHA512

            d0c7ec1dae41a803325b51c12490c355ed779d297daa35247889950491e52427810132f0829fc7ffa3022f1a106f4e4ba78ed612223395313a6f267e9ab24945

          • C:\Windows\Logo1_.exe

            Filesize

            33KB

            MD5

            07daeb795d5b9d954642ef8e65b37cf3

            SHA1

            99f211b8054e62c25a79ab4cc3cd811b68b8779c

            SHA256

            93cbf291547872b50c6fc2d8cffaa0f61f7703c315e0b36006e2e010c66dbcbf

            SHA512

            7813b5cb2387b31bf4ec4e149b5982d9affaf56a9120d6f84e60b37be416395b1d2ff72682ee8055f057d75ba009d44c77a2cb06fd5d23a5a2a0d1b9ac50413f

          • F:\$RECYCLE.BIN\S-1-5-21-2812790648-3157963462-487717889-1000\_desktop.ini

            Filesize

            9B

            MD5

            1884bfdeea71ff22db39c196f4447c9c

            SHA1

            3eafc7e6e17ba6ce7a087a3588fb1efb596da038

            SHA256

            163167bc5a01ad6b3ed4406c2a9a1baaf2c0ef4620ab7d5b39aeddf976ca776d

            SHA512

            b22124aa3a912462e6face7f71ad3dfec4b27dab16b2e20e3a0adc277f89f631ec889c91b185ac4b9b670933d881b8fd26c25d6f405e465aa8148cdbb7f7c3e2

          • memory/1224-27-0x0000000002D50000-0x0000000002D51000-memory.dmp

            Filesize

            4KB

          • memory/2108-17-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

          • memory/2108-0-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

          • memory/2816-30-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

          • memory/2816-19-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

          • memory/2816-3341-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

          • memory/2816-4153-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB