Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

6dbea94b6e...b6.exe

windows7-x64

7

6dbea94b6e...b6.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    25/07/2024, 22:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6dbea94b6ef06e261f45c3adec2be77727693d611c4e2b642bee15a74af8b1b6.exe

  • Size

    231KB

  • MD5

    a3d8c4a41ae0c3a179b556f80042eb28

  • SHA1

    648f27af25c6864fd6a7ffbc6b0bde8fc3bb8191

  • SHA256

    6dbea94b6ef06e261f45c3adec2be77727693d611c4e2b642bee15a74af8b1b6

  • SHA512

    6f5560f94d65b1ae9a6286569cc7e090b81925ace14d0ae7a8d21389e6569ea47480c28953dcb112f198408072297e7d2e0c9a19ed73fa475afc993c69c92ad5

  • SSDEEP

    6144:WKq7MrnmM0AI0vgajRI0vXdBv7/PsqkyskssIsVAMjzIGGpsAsdAXAs+s3OT4Ch2:O7MLmNkyFj

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1168
      • C:\Users\Admin\AppData\Local\Temp\6dbea94b6ef06e261f45c3adec2be77727693d611c4e2b642bee15a74af8b1b6.exe
        "C:\Users\Admin\AppData\Local\Temp\6dbea94b6ef06e261f45c3adec2be77727693d611c4e2b642bee15a74af8b1b6.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2440
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aB74E.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1988
          • C:\Users\Admin\AppData\Local\Temp\6dbea94b6ef06e261f45c3adec2be77727693d611c4e2b642bee15a74af8b1b6.exe
            "C:\Users\Admin\AppData\Local\Temp\6dbea94b6ef06e261f45c3adec2be77727693d611c4e2b642bee15a74af8b1b6.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:2852
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:588
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:528
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2744

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\$$aB74E.bat
      Filesize

      722B

      MD5

      c116eba0c3a67041237efa877061cacf

      SHA1

      fd5e2cc008e6c1cb8e9286193f8e9fb993512d4b

      SHA256

      285f26be2576cf37958dc121f504f420e1d651b41a90bcc91a70e637cd9893a9

      SHA512

      3249eab7c5ff52aec2e2b300b61be23183c8a56bb513d6fb9d58d52907bbc372d7186b696954c6e3e1ab6f1ba1dff2d3f97ea931e986433e803306525f0b5af3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\6dbea94b6ef06e261f45c3adec2be77727693d611c4e2b642bee15a74af8b1b6.exe.exe
      Filesize

      200KB

      MD5

      606f9f54c61edfbbbf285cfdafef6665

      SHA1

      5b1d7216098224c02e03afe818d28af6820883c7

      SHA256

      663951ef42367ce264436ee770118464ae778a61fb629408b7d5d716001610c9

      SHA512

      223d24295f574e1da2cc305bc261ba4081a3f0950158716598fb46f013f790026e47d376f6be82bfe60a113cf7052c7ca9ac26c138e858dbf57ca81753e4421b

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      31KB

      MD5

      38500feec89e9b79d00d91919aad402a

      SHA1

      8083d3bdb04cee3b5d3630890821b88bf3ca19e2

      SHA256

      c716df8a66f99bed99f31d1496556628be2548f5cd92dacfe5db50d95dc8f9b7

      SHA512

      292653a1f4632b06be9614604308e7ed69f87018a6433ec59151408363be6c137852966814232047a01205765e71d0c641b74a9ef50d2e73083c355376bf2236

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-1385883288-3042840365-2734249351-1000\_desktop.ini
      Filesize

      9B

      MD5

      c20162cff0e529974834e150d7e6691f

      SHA1

      512e9821581354bd8078227ddf386b17e771ff38

      SHA256

      82f2070eb6138ab12ec2a1f0c3ca7b3b97db75cc19a5076ed382b017f309bdd6

      SHA512

      c2c414232ac5fc3d7ff195523c49610795d0ea4d95c69748ef9ddd4a42203ace52a7da8594cb20102743a21b6eb5bd9e7ee5915513a9c11a0db319323538d744

      Download Submit

    • memory/588-21-0x0000000000400000-0x000000000043B000-memory.dmp

      Filesize

      236KB

      Download

    • memory/588-4002-0x0000000000400000-0x000000000043B000-memory.dmp

      Filesize

      236KB

      Download

    • memory/588-4351-0x0000000000400000-0x000000000043B000-memory.dmp

      Filesize

      236KB

      Download

    • memory/1168-32-0x0000000002E90000-0x0000000002E91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2440-0-0x0000000000400000-0x000000000043B000-memory.dmp

      Filesize

      236KB

      Download

    • memory/2440-16-0x0000000000400000-0x000000000043B000-memory.dmp

      Filesize

      236KB

      Download