Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

a886a373f1...d7.exe

windows7-x64

7

a886a373f1...d7.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/07/2024, 23:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a886a373f1fa3134a8523f844dec7f875c5457ced6e05d2bc4ef41eed89325d7.exe

  • Size

    5.7MB

  • MD5

    840120c3e95a1d9d03161f07247c98ba

  • SHA1

    49886f9fcf5f3ba5f1e38f5698064ceeafe93744

  • SHA256

    a886a373f1fa3134a8523f844dec7f875c5457ced6e05d2bc4ef41eed89325d7

  • SHA512

    8714ae37c9967031b072f046f1cfbe0491b90b06c0a7750acc727d4e858cf774ad0775a8976f5f0b293945c718fe0fadb8daa9623d6bcd7dd560e2ff7f724e84

  • SSDEEP

    49152:fBr9Pv94AEsKU8ggw1g+1CART5eBiyKS3EI3wybn20DCYIHvc8ixuZm9+fWsw6dr:fzKUgTH2M2m9UMpu1QfLczqssnKSk

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3428
      • C:\Users\Admin\AppData\Local\Temp\a886a373f1fa3134a8523f844dec7f875c5457ced6e05d2bc4ef41eed89325d7.exe
        "C:\Users\Admin\AppData\Local\Temp\a886a373f1fa3134a8523f844dec7f875c5457ced6e05d2bc4ef41eed89325d7.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4800
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4944
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:4752
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a94ED.bat
            3⤵
              PID:2848
              • C:\Users\Admin\AppData\Local\Temp\a886a373f1fa3134a8523f844dec7f875c5457ced6e05d2bc4ef41eed89325d7.exe
                "C:\Users\Admin\AppData\Local\Temp\a886a373f1fa3134a8523f844dec7f875c5457ced6e05d2bc4ef41eed89325d7.exe"
                4⤵
                • Executes dropped EXE
                PID:3560
            • C:\Windows\Logo1_.exe
              C:\Windows\Logo1_.exe
              3⤵
              • Drops startup file
              • Executes dropped EXE
              • Enumerates connected drives
              • Drops file in Program Files directory
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:1148
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4712
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:3056
                • C:\Windows\SysWOW64\net.exe
                  net stop "Kingsoft AntiVirus Service"
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1544
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                    5⤵
                      PID:5088

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
              Filesize

              250KB

              MD5

              c13ea86fa58e0fb89a69133723fd3cac

              SHA1

              2cab9e6df5717265b55f113dc1eb7306b5546ec0

              SHA256

              1ee90eea08fd2419a5c04fcb7c449c2d9d2516c4295eb352c0f4c4a115c9ed1d

              SHA512

              c96a79495cb643bffa503ac52155672971b6f4a53a0de038f510f6688c03136bcb9c79d27da04ce1f76158a05613684581bdfa147ad685c14a3b2323b511192f

              Download Submit

            • C:\Program Files\7-Zip\7z.exe
              Filesize

              577KB

              MD5

              c0bde512b3b9caef5e4a9b696f092c3f

              SHA1

              1407359866db297f2486d92be186c399d6ba72e4

              SHA256

              4c43192ff866a2e44885f6ac1b0df0c0914b582d9debf91c0bb3daed39f640d5

              SHA512

              252930bf7f1f88ee870e6a77a790ed741b4c16fffba1b69c793ed81f72d37d1becd6250d5bc4d6075b554b305acd7c6f1ebf5e9c96fed56b3d5b730c2b93397f

              Download Submit

            • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
              Filesize

              643KB

              MD5

              fd5b28d45c3ad2169bdc153e4e1cbb2f

              SHA1

              a0280e71033c5e7132a5be5c75bcce17df6724bd

              SHA256

              f556707681a15a00d01a2cc7a4cead3a5a9e659a191d2d6db5abd20f0f9572af

              SHA512

              02e35d1961decd18c984545f06db2eaf316ce1e386c201495c9da063b3cdb7a6a56496d63772e4189caec0959d47ae513ec6125e0550d624cf988efdae46c1fc

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\$$a94ED.bat
              Filesize

              722B

              MD5

              401621c81fd65f97150b78cd516c2716

              SHA1

              ca77dab4bf9d14d0eae8f6ebbb281d8816fa5ffa

              SHA256

              eb9118d4d083187945efa3ce1b61c2fd2a5638d7fbaffd6a811bc340b76f3952

              SHA512

              751a8c3a2c65217935ffa505b2c2c871ab3277f6f433dafbad9b5180bbd76497a77ad8674abb9b5d90a2632b887336c5f0faf75fdb487be5c3d4b06c08bb2943

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\a886a373f1fa3134a8523f844dec7f875c5457ced6e05d2bc4ef41eed89325d7.exe.exe
              Filesize

              5.7MB

              MD5

              ba18e99b3e17adb5b029eaebc457dd89

              SHA1

              ec0458f3c00d35b323f08d4e1cc2e72899429c38

              SHA256

              f5ee36de8edf9be2ac2752b219cfdcb7ca1677071b8e116cb876306e9f1b6628

              SHA512

              1f41929e6f5b555b60c411c7810cbf14e3af26100df5ac4533ec3739a278c1b925687284660efb4868e3741305098e2737836229efc9fe46c97a6057c10e677c

              Download Submit

            • C:\Windows\Logo1_.exe
              Filesize

              33KB

              MD5

              f0bee728d69001dfc8f94f1c501fb542

              SHA1

              6a53cb88d18702029de1a890175fdba926ea05dd

              SHA256

              92b8885950c738b7e6294548617878028237847623db09ceeed8f7607e94b5e5

              SHA512

              5ad10cdf51b83995125a3d153b826ceaa4fe24e3841bfbf094a16f46a61b7b5153a66962d412c54f6f0129e059559ad8590ce4165b8d99592cef08fde692b26c

              Download Submit

            • F:\$RECYCLE.BIN\S-1-5-21-2636447293-1148739154-93880854-1000\_desktop.ini
              Filesize

              9B

              MD5

              2d55518fd017e47e3d2fdb1499f0a0cb

              SHA1

              5e0e91cf08f4b70c94d582ee42471bf8ff44c6ff

              SHA256

              d615830656bcceecc6fa1159903a379b6e729160ef16ceff51d5c27d2540e52d

              SHA512

              d689aad66c472ce7380828a7363d8626c99dc7025828ccc8f69701e3659e176cf0aa50cfc69d4d813986d823a2075067195b35843f16c1144e6d74094916c2ee

              Download Submit

            • memory/1148-18-0x0000000000400000-0x000000000043F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/1148-3700-0x0000000000400000-0x000000000043F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/1148-11-0x0000000000400000-0x000000000043F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/1148-8743-0x0000000000400000-0x000000000043F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/4800-0-0x0000000000400000-0x000000000043F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/4800-9-0x0000000000400000-0x000000000043F000-memory.dmp

              Filesize

              252KB

              Download