
Analysis

  • max time kernel
    152s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16/06/2024, 22:14

General

  • Target

    ce827f13fb262d7afc6b620712647ae6859bc57b3f289f3ae8261a5f607eb558.exe

  • Size

    92KB

  • MD5

    ad197336d243861e0b00345682288eca

  • SHA1

    1ff3a98615423b323ed4a245054a529b312d4d6f

  • SHA256

    ce827f13fb262d7afc6b620712647ae6859bc57b3f289f3ae8261a5f607eb558

  • SHA512

    0cfe2880aaa04e1225e470072a33497261c4342499c25e05864ba8a26ec2e4f73438368fccf4e663a3959fee9dbfcec8f4c0e95c3935d48f1431d7ebd70fdb76

  • SSDEEP

    1536:2de+Zk77RN++t4SMKvL/yapmebn4ddJZeY86iLflLJYEIs67rxo:2de+aX3x4AeLK4ddJMY86ipmns6S

Score
7/10

Malware Config

Signatures

  • Drops startup file (2 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Enumerates connected drives (3 TTPs, 21 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (4 IoCs)
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (28 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3188
      • C:\Users\Admin\AppData\Local\Temp\ce827f13fb262d7afc6b620712647ae6859bc57b3f289f3ae8261a5f607eb558.exe
        "C:\Users\Admin\AppData\Local\Temp\ce827f13fb262d7afc6b620712647ae6859bc57b3f289f3ae8261a5f607eb558.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:824
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4652
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2644
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCEC.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3736
            • C:\Users\Admin\AppData\Local\Temp\ce827f13fb262d7afc6b620712647ae6859bc57b3f289f3ae8261a5f607eb558.exe
              "C:\Users\Admin\AppData\Local\Temp\ce827f13fb262d7afc6b620712647ae6859bc57b3f289f3ae8261a5f607eb558.exe"
              4⤵
              • Executes dropped EXE
              PID:3868
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2612
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2848
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:4932
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1656
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2660
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
            1⤵
              PID:2936

Network

MITRE ATT&CK Enterprise v15

Downloads

            • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

              Filesize

              258KB

              MD5

              10a592ae5b5c62f519f12d9350c72e69

              SHA1

              1a83db490750920d33cde5c0182d07660835d948

              SHA256

              738a7e7ad8d449047253d33f3a11ada756149b9d9d32b5cbd6c8906e873fc7b2

              SHA512

              aac2103a7cb462979a8e6008f2858b5b3453741d8fa9acc3fd24ff7b7eb9c40004791a2e222b1ffc20e766ac60b397e8a2e757ce90826350dd5bcae5cdf48559

            • C:\Program Files\7-Zip\7z.exe

              Filesize

              577KB

              MD5

              67e957ecdddbda6d11610f4171abff27

              SHA1

              5992541c97df359c56f3191f7112d7ae54036960

              SHA256

              7ce8ce473a70905a1fb6f9c4e0c5f7970cb7905df28d68bdfc629ed859e5d6db

              SHA512

              1500b5d86ca68cef3f206916466e7ec397c1b2fe85b4c651e050d4b2905a3031ecead5bcce0bbae2b772bdf09f0f2b9295f1fb3b7b6b5f510b3bf3cc558f20bc

            • C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

              Filesize

              488KB

              MD5

              eda67b51ec7865c563bdb4c71c05f943

              SHA1

              298a1857790f97d53588af929f9fb76b1b06d9c6

              SHA256

              fb94f7611acd7467122e355d08f0663af9b7b8bef68ab3af7e8910a7c95313b6

              SHA512

              fafc17fb523f5406313ffd64fff372ae2afecce520fc35684a8ec947033531dc71669ed62da395b7bdd34ed045e40942b0e5a99a217819defa0142ff3ad7dcd5

            • C:\Users\Admin\AppData\Local\Temp\$$aCEC.bat

              Filesize

              721B

              MD5

              2d03b2f1c0b02bdba10bc71db7c75533

              SHA1

              5efebdde83075c60312caf9949811e5962297685

              SHA256

              3b4611b923606436dcefde8203424679c7acd6b621dee22d3ee95c18632a40d3

              SHA512

              987927e3f0bcdcd48c6ff7eef707fb987967a2df5d34f823230e5dd1909e2fc099157168d1b2019bd485002b8aee80456f6bf7783908199b2d187bf7f54f93b7

            • C:\Users\Admin\AppData\Local\Temp\ce827f13fb262d7afc6b620712647ae6859bc57b3f289f3ae8261a5f607eb558.exe.exe

              Filesize

              59KB

              MD5

              dfc18f7068913dde25742b856788d7ca

              SHA1

              cbaa23f782c2ddcd7c9ff024fd0b096952a2b387

              SHA256

              ff4ac75c02247000da084de006c214d3dd3583867bd3533ba788e22734c7a2bf

              SHA512

              d0c7ec1dae41a803325b51c12490c355ed779d297daa35247889950491e52427810132f0829fc7ffa3022f1a106f4e4ba78ed612223395313a6f267e9ab24945

            • C:\Windows\Logo1_.exe

              Filesize

              33KB

              MD5

              07daeb795d5b9d954642ef8e65b37cf3

              SHA1

              99f211b8054e62c25a79ab4cc3cd811b68b8779c

              SHA256

              93cbf291547872b50c6fc2d8cffaa0f61f7703c315e0b36006e2e010c66dbcbf

              SHA512

              7813b5cb2387b31bf4ec4e149b5982d9affaf56a9120d6f84e60b37be416395b1d2ff72682ee8055f057d75ba009d44c77a2cb06fd5d23a5a2a0d1b9ac50413f

            • F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\_desktop.ini

              Filesize

              9B

              MD5

              1884bfdeea71ff22db39c196f4447c9c

              SHA1

              3eafc7e6e17ba6ce7a087a3588fb1efb596da038

              SHA256

              163167bc5a01ad6b3ed4406c2a9a1baaf2c0ef4620ab7d5b39aeddf976ca776d

              SHA512

              b22124aa3a912462e6face7f71ad3dfec4b27dab16b2e20e3a0adc277f89f631ec889c91b185ac4b9b670933d881b8fd26c25d6f405e465aa8148cdbb7f7c3e2

            • memory/824-10-0x0000000000400000-0x000000000043F000-memory.dmp

              Filesize

              252KB

            • memory/824-0-0x0000000000400000-0x000000000043F000-memory.dmp

              Filesize

              252KB

            • memory/2612-17-0x0000000000400000-0x000000000043F000-memory.dmp

              Filesize

              252KB

            • memory/2612-1840-0x0000000000400000-0x000000000043F000-memory.dmp

              Filesize

              252KB

            • memory/2612-308-0x0000000000400000-0x000000000043F000-memory.dmp

              Filesize

              252KB

            • memory/2612-8-0x0000000000400000-0x000000000043F000-memory.dmp

              Filesize

              252KB

            • memory/2612-4943-0x0000000000400000-0x000000000043F000-memory.dmp

              Filesize

              252KB

            • memory/2612-2501-0x0000000000400000-0x000000000043F000-memory.dmp

              Filesize

              252KB

            • memory/2612-5770-0x0000000000400000-0x000000000043F000-memory.dmp

              Filesize

              252KB

            • memory/2612-8632-0x0000000000400000-0x000000000043F000-memory.dmp

              Filesize

              252KB

            • memory/2612-8825-0x0000000000400000-0x000000000043F000-memory.dmp

              Filesize

              252KB