Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/07/2024, 04:12

General

  • Target

    be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe

  • Size

    1.3MB

  • MD5

    9fe1882c032b5e51c335c50b4b37902f

  • SHA1

    5fc01266eb91b6b095c4e9e61211329916ad7ab0

  • SHA256

    be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937

  • SHA512

    a779390053a8db71503c15a95cb320f64b432971796f9d63db110997573362f0478039f3768be1c554bc9538f498d19558057bddc3d301f3bba6ec77f6b40fca

  • SSDEEP

    24576:3Z+05tErv2XwKvHoBHErvOmnD4TxJeUrtONbcDvX+ZRDSq9yG0+GYCwdD5sguoax:3Z+05RvyiUTxwuoNbxzyG0QCKD5daDEy

Malware Config

Signatures

  • Renames multiple (216) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3544
      • C:\Users\Admin\AppData\Local\Temp\be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe
        "C:\Users\Admin\AppData\Local\Temp\be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe"
        2⤵
        • Drops file in Drivers directory
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:5008
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2948
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:3360
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB4C9.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3604
            • C:\Users\Admin\AppData\Local\Temp\be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe
              "C:\Users\Admin\AppData\Local\Temp\be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:216
              • C:\Users\Admin\AppData\Local\Temp\be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe
                "C:\Users\Admin\AppData\Local\Temp\be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe" -z2
                5⤵
                • Executes dropped EXE
                PID:5024
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Adds Run key to start application
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3584
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1064
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:64
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:3156
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:3052

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files\7-Zip\7z.exe.Exe

            Filesize

            613KB

            MD5

            957da4c41d9536ccfa60f108efca858a

            SHA1

            1e8c2e6905ec7a33223be76753813e4c3488e5e8

            SHA256

            ce3fbce1e9def7f33d54e0cdfa21824495266b78ce6c167236c2f19775fa1333

            SHA512

            6b1d5da2cbc5022cd908e8db70ee2782d7e53c6b337b545909b920dca674b2e43418c78f4b9b7b569ad86735980e32212ae449573499c3f6329e3c90920e69b1

          • C:\Users\Admin\AppData\Local\Temp\$$aB4C9.bat

            Filesize

            722B

            MD5

            7075ea1d57b680236c85579492526509

            SHA1

            f027a7f462a4caa7bb5636cbb201b1313434976f

            SHA256

            53449453a8cf0e91126ff8ef680a8d3c5c0b8622b82dd1b293bce4da5f3e84e0

            SHA512

            0b0d4060a2015322711cabf1e4386b8ef436992dfcbf0990ba4bc2307a80696c817796fb227c66e892c5b6afc84e20cf93e0fe7a633cac2f57e27f298351c458

          • C:\Users\Admin\AppData\Local\Temp\be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe.exe

            Filesize

            1.3MB

            MD5

            0e3388b926c56152f09db6e3c9f201af

            SHA1

            b3cda93064e1af57f6f3975c2f594e04722bdbe1

            SHA256

            a3539705432118adb5fba381787adabf4849cba591c0d7088e423cfb835bf522

            SHA512

            cb543c19a066bdb31f3416b68eb618d4507a74b52a6e47b7a5a6f2a798b571208b6835792794c655d76b3f9839e06ec6d5c74b32362b5b161809e534fa291b46

          • C:\Windows\Logo1_.exe

            Filesize

            69KB

            MD5

            da79cc012e1b885a2e5f124c1555e2b0

            SHA1

            ae73909e579e5e08cef224201f110acf76e7b3de

            SHA256

            1e36b5c0b0205de3ddfe6582239ef752c71f871a525cd817f8088a388db6d43c

            SHA512

            5ab8c0b46cf962c70bf2a51db9d4eb023427fec2322059606088f91d3ee10686407612c22520e78b322ed31b9fe7632bc2fa38dc0410f86df32c517aeb7494fc

          • C:\Windows\system32\drivers\etc\hosts

            Filesize

            842B

            MD5

            6f4adf207ef402d9ef40c6aa52ffd245

            SHA1

            4b05b495619c643f02e278dede8f5b1392555a57

            SHA256

            d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e

            SHA512

            a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

          • memory/3584-12-0x0000000000400000-0x0000000000448000-memory.dmp

            Filesize

            288KB

          • memory/3584-14-0x0000000000450000-0x0000000000490000-memory.dmp

            Filesize

            256KB

          • memory/3584-25-0x0000000000400000-0x0000000000448000-memory.dmp

            Filesize

            288KB

          • memory/3584-26-0x0000000000450000-0x0000000000490000-memory.dmp

            Filesize

            256KB

          • memory/5008-0-0x0000000000400000-0x0000000000448000-memory.dmp

            Filesize

            288KB

          • memory/5008-1-0x0000000000450000-0x0000000000470000-memory.dmp

            Filesize

            128KB

          • memory/5008-11-0x0000000000400000-0x0000000000448000-memory.dmp

            Filesize

            288KB