Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

78ec8a8469...9c.exe

windows7-x64

7

78ec8a8469...9c.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    25/07/2024, 16:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    78ec8a8469dfb480c0a51c3ce2a122342ddf97403007f8e1a9d7b4acedb5849c.exe

  • Size

    512KB

  • MD5

    008b3ec9907d9a77af4184c4bdd21363

  • SHA1

    4eb6cbda2f445ebab6b5e17d24aaf9410f8f0fe2

  • SHA256

    78ec8a8469dfb480c0a51c3ce2a122342ddf97403007f8e1a9d7b4acedb5849c

  • SHA512

    3a1fd9720e2650a0863cfb1be53815224fbae4654469fa13fbd2a7cefa9ae34e9e8527086c0f667a3c711306e48e00f171b965538603454eb8050ebf3170f2b4

  • SSDEEP

    6144:xj9irKZ3HIwK3EsjcNVh4FwGrOg5YnOj/9XTj8Tu6eezwJ:xjErKZ3H1GE86Vh4FwF0O6XcTus

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1380
      • C:\Users\Admin\AppData\Local\Temp\78ec8a8469dfb480c0a51c3ce2a122342ddf97403007f8e1a9d7b4acedb5849c.exe
        "C:\Users\Admin\AppData\Local\Temp\78ec8a8469dfb480c0a51c3ce2a122342ddf97403007f8e1a9d7b4acedb5849c.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2040
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aA62E.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2060
          • C:\Users\Admin\AppData\Local\Temp\78ec8a8469dfb480c0a51c3ce2a122342ddf97403007f8e1a9d7b4acedb5849c.exe
            "C:\Users\Admin\AppData\Local\Temp\78ec8a8469dfb480c0a51c3ce2a122342ddf97403007f8e1a9d7b4acedb5849c.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2944
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1460
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1984
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2024

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\$$aA62E.bat
      Filesize

      722B

      MD5

      6af390be89f880b485664820c6596a6e

      SHA1

      e125cba7340f28331bdbb9e4906c01998d292e0c

      SHA256

      47c433d473a755474966528f406cc7419397c7cebcacb42cb8d623d0eeecc5a8

      SHA512

      02148ac173c8184cbe0305ac3335afc48462be3b1a2ddb9f36b7fdc25d40961275445642404f164d19be5a109aef35b9fc5a082272afbc830c997d63c7da098c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\78ec8a8469dfb480c0a51c3ce2a122342ddf97403007f8e1a9d7b4acedb5849c.exe.exe
      Filesize

      468KB

      MD5

      c4ccbfcc0d0a6bb476fb8e8d352b60fa

      SHA1

      681a5f2227fd19e4dbdc61165f1eec37e1cb8abe

      SHA256

      bdcee160a2ee7dcc8309b8db79f5eca7669ace1c06eef7f692a1037bcac1b77a

      SHA512

      8b2685a02eb7670b437e0b3818678a3dd7832026c27520f273dedfdf347a73810d2dafe4863394fd629589ef963c17814c580b65549c0a4594433895be076941

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      44KB

      MD5

      a1e83aa49c64944e517bc07a234dab98

      SHA1

      407f1ac960be565208cf819db33efa05f2cb8bed

      SHA256

      bdc5a53d89d55dec88d3b8869e21671b6a219cf99b8ddae8513492f0b8d354c0

      SHA512

      324756cd823e87516dc19831b15b3bda49f0bba854b93fa29b5aca166fae9ba08a6071b05dc03302b8f22382e7967609712a5c7fca8e00eb5afb1f5801c915d4

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-1385883288-3042840365-2734249351-1000\_desktop.ini
      Filesize

      9B

      MD5

      c20162cff0e529974834e150d7e6691f

      SHA1

      512e9821581354bd8078227ddf386b17e771ff38

      SHA256

      82f2070eb6138ab12ec2a1f0c3ca7b3b97db75cc19a5076ed382b017f309bdd6

      SHA512

      c2c414232ac5fc3d7ff195523c49610795d0ea4d95c69748ef9ddd4a42203ace52a7da8594cb20102743a21b6eb5bd9e7ee5915513a9c11a0db319323538d744

      Download Submit

    • memory/1380-30-0x0000000002960000-0x0000000002961000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1460-18-0x0000000000400000-0x000000000044F000-memory.dmp

      Filesize

      316KB

      Download

    • memory/1460-3510-0x0000000000400000-0x000000000044F000-memory.dmp

      Filesize

      316KB

      Download

    • memory/1460-4351-0x0000000000400000-0x000000000044F000-memory.dmp

      Filesize

      316KB

      Download

    • memory/2040-0-0x0000000000400000-0x000000000044F000-memory.dmp

      Filesize

      316KB

      Download

    • memory/2040-17-0x0000000000400000-0x000000000044F000-memory.dmp

      Filesize

      316KB

      Download