Analysis

  • max time kernel
    119s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/07/2024, 09:06

General

  • Target

    ae8a6324bc182c423085ccaf624264f0N.exe

  • Size

    153KB

  • MD5

    ae8a6324bc182c423085ccaf624264f0

  • SHA1

    20b6d4285017c2e601dc3be2c29256a948f4ba70

  • SHA256

    1d1989cb7940ef0718ed7b23379e321a840df9262c121b44327d595e42f6a48d

  • SHA512

    722f0d465d0dbbec276cac795a79de0b5056ab812e55b1004374af48a331dc3c3ab532010e3bd5e7e624b5a029a9d0bf5f92b43063ffb38ad28b6dd7825ebbc0

  • SSDEEP

    1536:Hsae+Zk7qzUJBeLkbiT29dXoT/igXrotyFD+ljb6e2s82qjUbb5d6ojOepel5:Hsae+aezUDbHX4rFob8LjUbb5d6u6

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1392
      • C:\Users\Admin\AppData\Local\Temp\ae8a6324bc182c423085ccaf624264f0N.exe
        "C:\Users\Admin\AppData\Local\Temp\ae8a6324bc182c423085ccaf624264f0N.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2488
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1120
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:664
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aF90E.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2816
          • C:\Users\Admin\AppData\Local\Temp\ae8a6324bc182c423085ccaf624264f0N.exe
            "C:\Users\Admin\AppData\Local\Temp\ae8a6324bc182c423085ccaf624264f0N.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2788
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2300
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2852
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2996
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2732
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2828

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

      Filesize

      264KB

      MD5

      6d0d6e0e6b9c1f755eeee10305f199c9

      SHA1

      6bd5ffb0481f75d5edbb659dfc0c85f3fd1c9147

      SHA256

      fd93ab2b7dca5b0b769637aeec591fe865efa180d2f46625c80153dcb1ccfa6d

      SHA512

      eb15d0f478723e397ce4ca3ac36d6ee30066dd1139f5828efc1016db7a6e5632ab99dd72146091d0dd42409d5497619250ea718fccf3a9debf9ceed3a34d74b3

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

      Filesize

      484KB

      MD5

      7b714d463f7db900d5b6e757778a8ab8

      SHA1

      2cfc0e9f54236af8e10b0bfa551d87a20982b733

      SHA256

      c995370836939a29853611830ca08d437286d4f45603edce88f36aa1f99a0d97

      SHA512

      e8fe8823b5b7f282c24c964cbf4f248b7562259a13410bf95997288727f9bfc6ea51c4aa40182b649a2235bafc02062e0c57f4f62876b5174395071a8d68f9bb

    • C:\Users\Admin\AppData\Local\Temp\$$aF90E.bat

      Filesize

      536B

      MD5

      4c6a21d8c95fbf17607dcff658f67fe6

      SHA1

      0647bbd685d1213a7ddbcd67995ce52ed8ca2c14

      SHA256

      17d682b5b9496da51ec8e25f9515dd7f5a87f270dc5d3852b54d93f4bae9e9f2

      SHA512

      cddf7dbb831a540aa5bc8c064af5e49d3e213d5891875004f4ee6164453a45c233c6596ed24682796cc3d27ca17c740bcdcc9b4d0e98121f46cc9ae4f3c987d7

    • C:\Users\Admin\AppData\Local\Temp\ae8a6324bc182c423085ccaf624264f0N.exe.exe

      Filesize

      113KB

      MD5

      095dabb90bb0953800131fbcc6f6df5e

      SHA1

      9166e25e1fe27c3f92e642ec2fcc36e7c3b19216

      SHA256

      72f1979b588357e1b0dc3e6e9f9a368d2742f18bf1daab0ee94f26d6811f8a33

      SHA512

      041a008d96140a46aa89776fd11e64064b9cda9bd551747f59ae98ccfdff07af010061338655d4d07925f4e2a6c9fc3c79159cec2c9e055445f4b2ab1275152f

    • C:\Windows\Logo1_.exe

      Filesize

      39KB

      MD5

      dd45e175b084f3e7b3923cb8fcb3833b

      SHA1

      e44896aa2e3e4a8ba6677fd10c4eac8315b3939c

      SHA256

      cff2b960d67366aedaec8aaa4388a3537000a7253a3eeef378d24e1a171a4f13

      SHA512

      562284581292c3965df7e1f95bcffa2047d9a9e42e863e32b9cfc7b289270db24ca1ecb004f26d499d9901c49c11844cf3868b93b4b704f30a98ba4b52824fba

    • F:\$RECYCLE.BIN\S-1-5-21-2212144002-1172735686-1556890956-1000\_desktop.ini

      Filesize

      9B

      MD5

      c20162cff0e529974834e150d7e6691f

      SHA1

      512e9821581354bd8078227ddf386b17e771ff38

      SHA256

      82f2070eb6138ab12ec2a1f0c3ca7b3b97db75cc19a5076ed382b017f309bdd6

      SHA512

      c2c414232ac5fc3d7ff195523c49610795d0ea4d95c69748ef9ddd4a42203ace52a7da8594cb20102743a21b6eb5bd9e7ee5915513a9c11a0db319323538d744

    • memory/1392-28-0x0000000002A10000-0x0000000002A11000-memory.dmp

      Filesize

      4KB

    • memory/2300-32-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2300-2290-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2300-18-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2300-5957-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2300-6391-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2488-0-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2488-17-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB