Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

48e391322c...d4.exe

windows7-x64

7

48e391322c...d4.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    151s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    23/07/2024, 22:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    48e391322c45ee17fedb3390043bc585ba06404c471537ce61fcaee9bd3c2dd4.exe

  • Size

    11.1MB

  • MD5

    7135d7c900dd00c4667123138b426040

  • SHA1

    cb3d1bf4c8363f7727de0588bb3c609e76149630

  • SHA256

    48e391322c45ee17fedb3390043bc585ba06404c471537ce61fcaee9bd3c2dd4

  • SHA512

    3e534fc754afaa8e00e886363f4f28b286a5888056fa4536eb0f0fd33816e2391aa5e803aaf1641a6e34238551c113c398c39574d35d119e1535df22225193fe

  • SSDEEP

    98304:8b+0ChEPIGiq3y3vx+w9TbfjJ+kdfpK46Tle36jknz9Y:2+kIGv3y/x+KTbfjJ+kdnAlejY

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1200
      • C:\Users\Admin\AppData\Local\Temp\48e391322c45ee17fedb3390043bc585ba06404c471537ce61fcaee9bd3c2dd4.exe
        "C:\Users\Admin\AppData\Local\Temp\48e391322c45ee17fedb3390043bc585ba06404c471537ce61fcaee9bd3c2dd4.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2292
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1888
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1816
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2A0D.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2704
          • C:\Users\Admin\AppData\Local\Temp\48e391322c45ee17fedb3390043bc585ba06404c471537ce61fcaee9bd3c2dd4.exe
            "C:\Users\Admin\AppData\Local\Temp\48e391322c45ee17fedb3390043bc585ba06404c471537ce61fcaee9bd3c2dd4.exe"
            4⤵
            • Executes dropped EXE
            PID:2780
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2720
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2524
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2008
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2864
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2652

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
      Filesize

      258KB

      MD5

      a2f2252f83d6cec96ba74f04625cda0b

      SHA1

      13e0a28135596b99862f5453f691c97659aa2061

      SHA256

      561ae9afa3c74a25303928fffc0d8951c0e807a26c2616145d06fade3b99ec2f

      SHA512

      01ad85cfae3aef0610c03cb1062f3c07ad71fd93a3ad18b65db7191c97736bc5090fe4b42864bbb74593409f7c6310de56a65a3696a1adaaabf504a5579f7598

      Download Submit

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
      Filesize

      478KB

      MD5

      79d96b6a2771e7783309bf05ebe7b5c1

      SHA1

      b19da11278224b17598d5b6de189892a83196708

      SHA256

      eb38a47ec49f3f376f53aff58def8c3a0e095bad67e2887d3f58bb4a3c71a19e

      SHA512

      72e30060fd922fc37662d762bc647bf85938986d810057926fe86a1622e1b05fc841bab9ee06ee7855071ed27da3d8fe20d41f03ae68c4c76cc720a7e56d4d68

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$a2A0D.bat
      Filesize

      722B

      MD5

      8c01797c7a486e1409c3cacbc3f2d802

      SHA1

      9a335f7dcde22ff16c8a6f2c36c5114df2892b81

      SHA256

      f63f0c08af70b1a9d4e4b64642abf4a7f59afd0bbfe7a2bab9ee2d4512be9c1a

      SHA512

      274f962dbcf120598ec6c2b3f0f78f4e26bc3730fe8e48c160ea41bd47f1fa631d5be057ba773069c0d70929ffc3f8b9f324f544f694941400a63ad735a1dfbd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\48e391322c45ee17fedb3390043bc585ba06404c471537ce61fcaee9bd3c2dd4.exe.exe
      Filesize

      11.0MB

      MD5

      b45b7bd6eb92c5b65378d8d0a0964747

      SHA1

      5ca6f198ac83c90496110259b57ff4a5f47b64bb

      SHA256

      5f1d9218f9735a763ffecc47c7b6f0c342b7f1a5da835733e0b3b73903f864a0

      SHA512

      bde39c4b6d04caae8280bdd53e6036c53ed394a72f0d4d1273c149175570e8a87f87c8963869c96834fef7e82893da38c49ce4aaa1851e65c055dbbcac7c1708

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      33KB

      MD5

      acc875481830dccdda351ec15db601bb

      SHA1

      f03af1ee9a3368c71b0d46586d700ce1d39fe9bb

      SHA256

      ac544e154655a153a03c5f3dd52645c30d12c3ba6886c8b037663694748491ab

      SHA512

      e2564a8a9e7a8ddb78bc7541d0648c2b42185e7c06b63145a07f50871435f97cd6c691180e4ad900646a4a4a936981b6685934f6d289d6f013bca1ff975f1336

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-2212144002-1172735686-1556890956-1000\_desktop.ini
      Filesize

      9B

      MD5

      ece8e24737d1957fb4e94d8890ee8d02

      SHA1

      6c79bfb99f560a2102a903116f5a0c195f7885e4

      SHA256

      d920366b3c62a677cf0cf1f267a7c2f3dd693f2ff60ee023091bf9c39c5e30b8

      SHA512

      ccf58b4da1ad1379a546f307bca8dc4452a61a3cb443814f4d9566b8d8d35cc9d794ada4d1a13296ed5bc0248ba5ef538e5dc5e22861c2ead3f479beeb5c2d37

      Download Submit

    • memory/1200-27-0x0000000002A90000-0x0000000002A91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2292-0-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/2292-17-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/2720-30-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/2720-804-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/2720-18-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/2720-2680-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/2720-6349-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download