Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/08/2024, 06:51

General

  • Target

    1ccc8d004a0b8f62ee4b35065767e34afd54e04e5912eec28689301996dd0201.exe

  • Size

    264KB

  • MD5

    63393a2444718685acb3745e8a64fb23

  • SHA1

    6aa5b519e7eecda9218730cdad2033b72ad48743

  • SHA256

    1ccc8d004a0b8f62ee4b35065767e34afd54e04e5912eec28689301996dd0201

  • SHA512

    c95f501801182730e894ae0152a60b4ab93d31c4bd9b2c4cc76b2d0a73f06fcf7969d5a8399b31d58c62f11e75ead9ff843b95b03ca346143b990b17cce41483

  • SSDEEP

    3072:20aY46tGNttyeQLYm1LLRkgUA1nQZwFGVO4Mqg+WDY:L46tGdye41LLRp1nQ4QLd

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3368
      • C:\Users\Admin\AppData\Local\Temp\1ccc8d004a0b8f62ee4b35065767e34afd54e04e5912eec28689301996dd0201.exe
        "C:\Users\Admin\AppData\Local\Temp\1ccc8d004a0b8f62ee4b35065767e34afd54e04e5912eec28689301996dd0201.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4628
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2284
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1856
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC40B.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3892
          • C:\Users\Admin\AppData\Local\Temp\1ccc8d004a0b8f62ee4b35065767e34afd54e04e5912eec28689301996dd0201.exe
            "C:\Users\Admin\AppData\Local\Temp\1ccc8d004a0b8f62ee4b35065767e34afd54e04e5912eec28689301996dd0201.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:4528
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops file in Drivers directory
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3928
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4696
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1596
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1684
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3540
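The process tree above, together with the Signatures list, describes a short behavioural chain: the sample runs from %TEMP%, stops the "Kingsoft AntiVirus Service" through net.exe/net1.exe, relaunches itself via a cmd.exe /c $$aC40B.bat stub, and drops and executes C:\Windows\Logo1_.exe, which repeats the service stop. The following detection logic is an added example, not part of the tria.ge report or its sandbox, and encodes that chain as four rules over process-creation events. The event schema (pid, ppid, image, cmdline) is an assumption modelled on Sysmon event ID 1 rather than a real log format; the events themselves are constructed from the PIDs and command lines shown in the tree, plus one benign "net stop Spooler" to show the service-name filter, and the allow-list of executables that legitimately live directly under C:\Windows is a starter set, not exhaustive.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record. Field names are an assumption
    modelled on Sysmon event ID 1, not a real log schema."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# net.exe / net1.exe "stop <service>"; group 1 captures the service name
SVC_STOP_RE = re.compile(r'^(?:.*\\)?net1?(?:\.exe)?\s+stop\s+"?([^"]+)"?', re.I)
# service names that look like endpoint-protection products
AV_SERVICE_RE = re.compile(r'anti.?virus|defender|security|protect', re.I)
# cmd.exe /c <drive>:\...\Temp\$$a<hex>.bat  (the relaunch stub in the tree)
TEMP_BAT_RE = re.compile(r'cmd(?:\.exe)?\s+/c\s+"?[a-z]:\\.*?\\temp\\\$\$a[0-9a-f]+\.bat', re.I)
# an executable sitting directly in C:\Windows (not System32 / SysWOW64)
WINDOWS_ROOT_EXE_RE = re.compile(r'^[a-z]:\\windows\\([^\\]+\.exe)$', re.I)
# starter allow-list (assumption): binaries Windows legitimately keeps in C:\Windows
WINDOWS_ROOT_ALLOW = {"explorer.exe", "regedit.exe", "notepad.exe", "hh.exe",
                      "write.exe", "splwow64.exe", "bfsvc.exe", "winhlp32.exe"}
# executable running out of the user's %TEMP%
TEMP_EXE_RE = re.compile(r'\\appdata\\local\\temp\\[^\\]+\.exe$', re.I)


def evaluate(events):
    """Run every rule over each event; return {pid: [rule, ...]} for hits only."""
    by_pid = {e.pid: e for e in events}
    hits = {}

    def add(pid, rule):
        hits.setdefault(pid, []).append(rule)

    for e in events:
        parent = by_pid.get(e.ppid)
        grandparent = by_pid.get(parent.ppid) if parent else None

        # Rule 1: a service stop whose target looks like an AV product
        m = SVC_STOP_RE.match(e.cmdline)
        if m and AV_SERVICE_RE.search(m.group(1)):
            add(e.pid, "av_service_stop")

        # Rule 2: cmd.exe /c running a $$a<hex>.bat dropped in %TEMP%
        if TEMP_BAT_RE.search(e.cmdline):
            add(e.pid, "temp_batch_relaunch")

        # Rule 3: EXE executing from the root of C:\Windows, outside the allow-list
        m = WINDOWS_ROOT_EXE_RE.match(e.image)
        if m and m.group(1).lower() not in WINDOWS_ROOT_ALLOW:
            add(e.pid, "exe_in_windows_root")

        # Rule 4: %TEMP% EXE spawned by cmd.exe whose own parent is the same EXE
        if (TEMP_EXE_RE.search(e.image) and parent and grandparent
                and parent.image.lower().endswith("\\cmd.exe")
                and grandparent.image.lower() == e.image.lower()):
            add(e.pid, "self_relaunch_via_cmd")
    return hits


# Constructed events, taken from the PIDs and command lines in the report's tree.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1ccc8d004a0b8f62ee4b35065767e34afd54e04e5912eec28689301996dd0201.exe"
NET_STOP = 'net stop "Kingsoft AntiVirus Service"'
NET1_STOP = r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'

EVENTS = [
    ProcEvent(3368, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(4628, 3368, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2284, 4628, r"C:\Windows\SysWOW64\net.exe", NET_STOP),
    ProcEvent(1856, 2284, r"C:\Windows\SysWOW64\net1.exe", NET1_STOP),
    ProcEvent(3892, 4628, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC40B.bat"),
    ProcEvent(4528, 3892, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(3928, 4628, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    ProcEvent(4696, 3928, r"C:\Windows\SysWOW64\net.exe", NET_STOP),
    ProcEvent(1596, 4696, r"C:\Windows\SysWOW64\net1.exe", NET1_STOP),
    # constructed benign noise: an administrator stopping the print spooler
    ProcEvent(5000, 3368, r"C:\Windows\System32\net.exe", "net stop Spooler"),
]

if __name__ == "__main__":
    for pid, rules in sorted(evaluate(EVENTS).items()):
        print(pid, ", ".join(rules))
```

Rule 1 keys on the service name rather than on net.exe alone because "net stop" is routine administration; rule 3 needs an allow-list because Windows itself ships a handful of executables in the root of C:\Windows, and a bare path match would fire on Explorer.EXE, the root of every tree in this report.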

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

      Filesize

      251KB

      MD5

      12ae904e74569a68eebba6b5fa332ec1

      SHA1

      36936bea76bc15ac1df1f90da70f9e7f74eeade5

      SHA256

      7c6f6d6d8af55d5e4fbdefb6ffd78baf7b2055b79659cb8473a4510ea3888102

      SHA512

      eef8275e6e9479aeb52ac482e60befbb08cd3f942d76f5addbf2c7576dd1f5077fcb4a69aacabcb4ab522696562740927ebf88b68c2ad438267b84224c9cc92e

    • C:\Program Files\7-Zip\7z.exe

      Filesize

      577KB

      MD5

      6eb333f16078465e06807d4fd33a4a08

      SHA1

      2ab507fe34452141dd64bf459767c896602e6676

      SHA256

      0d44d38da05a975785ee86b35dffd6718e628f0f997dfb53266843a48885439e

      SHA512

      3435806a08ce78687aff2087bdceda79110539738aa23d7ed265f8494cbcc881d49e6f4843cf0503b4677e7c84d2076d184a0eccbb77fcbd026ae6372393b36a

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

      Filesize

      644KB

      MD5

      74f614352141ac4f78c3e59955ed2258

      SHA1

      179465d798ce029d20b16601530037ca9d87563f

      SHA256

      e33cff13b2b5307aaa06fc8f6d15ebe31eeb5ac6ad8d12b4b5c877eb34cca70c

      SHA512

      af736346b2a298b653dccc43a44d852001584bc22c5e00cb959246a0544044587e27ae3af6c253bf68b3dbe24a0badbe0bf55784f704d8e2f703afaed49ae6ae

    • C:\Users\Admin\AppData\Local\Temp\$$aC40B.bat

      Filesize

      722B

      MD5

      9b0eab9f39df5940a10158ed708be635

      SHA1

      c846387f72837d86de6d9534825ef1addf380886

      SHA256

      01bf2b9fa75325e691e5e505909c63742f56355f18f73ec5609123070660e90d

      SHA512

      4de2447a587043f43fa383bbbfa1e056091e81d426e6fede84121fedc06be6091621a0180af246f23badd7d668f126a0a5fafe56d9d55d915f24df3bf1558e96

    • C:\Users\Admin\AppData\Local\Temp\1ccc8d004a0b8f62ee4b35065767e34afd54e04e5912eec28689301996dd0201.exe.exe

      Filesize

      231KB

      MD5

      6f581a41167d2d484fcba20e6fc3c39a

      SHA1

      d48de48d24101b9baaa24f674066577e38e6b75c

      SHA256

      3eb8d53778eab9fb13b4c97aeab56e4bad2a6ea3748d342f22eaf4d7aa3185a7

      SHA512

      e1177b6cea89445d58307b3327c78909adff225497f9abb8de571cdd114b547a8f515ec3ab038b583bf752a085b231f6329d6ca82fbe6be8a58cd97a1dbaf0f6

    • C:\Windows\Logo1_.exe

      Filesize

      33KB

      MD5

      8d4ba3976a7a415a0421ddc3892b2358

      SHA1

      23adac0a985c6f21e7c0f3b8438c66847dd5e6f5

      SHA256

      274f5f0e98244b78c0a68b40e70fcceb8b2de8d5039eb543a1973f3385288e8c

      SHA512

      37af1aaa30199297df087716e5a39a762bd984775a50df4624f1b141aaac8035945d6faa162801f69f9e71063ad01de11f4da6232105c2ef8d32bf8133b64b37

    • C:\Windows\system32\drivers\etc\hosts

      Filesize

      842B

      MD5

      6f4adf207ef402d9ef40c6aa52ffd245

      SHA1

      4b05b495619c643f02e278dede8f5b1392555a57

      SHA256

      d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e

      SHA512

      a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

    • F:\$RECYCLE.BIN\S-1-5-21-2392887640-1187051047-2909758433-1000\_desktop.ini

      Filesize

      8B

      MD5

      0d72cd0b0aa46eeff2619cd2c58bf101

      SHA1

      5176d485e9a54ec517fd12c2aa7efcb1855286f2

      SHA256

      48db671b8d392706b0784a38cfdbfc3e9090457cbb04901a9eed5e8248a76bb7

      SHA512

      730ed8a629022a50a151646467a82228962c006a4fa23eadce4f586ef36df5fd311001c5ec502ddc4fe2e52b4f2a8da86e40950aefbcd51f8fd3dea8ebc304ba

    • memory/3928-20-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/3928-13-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/3928-5537-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/3928-8744-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/4628-0-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/4628-11-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB
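Among the files written during the run, the rewritten C:\Windows\system32\drivers\etc\hosts (842 bytes) is the one a responder can check on a live host without a baseline: the report gives only its hashes, not its contents, but a hosts file touched by a sample that also stops an antivirus service is usually being used to sinkhole vendor update or lookup hostnames. The parser below is an added example, not part of the tria.ge report, and runs over a constructed hosts file (the example-av.test and example-bank.test names and the 198.51.100.7 address are invented for illustration). It handles tabs, several hostnames per line and trailing `#` comments, and classifies every active mapping as sinkholed (loopback or 0.0.0.0) or redirected (any other address), skipping only the localhost names a stock file maps to loopback.

```python
import ipaddress

# names the stock Windows hosts file may legitimately map to loopback (assumption: extend per estate)
DEFAULT_LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                       "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield (ip, hostname, lineno) for every active (uncommented) mapping.

    Handles tabs, multiple names per line and trailing '#' comments; a line that
    is only a comment or blank is skipped.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower(), lineno


def triage_hosts(text):
    """Return [(lineno, verdict, ip, hostname)] for every mapping worth a look."""
    findings = []
    for ip, name, lineno in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((lineno, "malformed", ip, name))
            continue
        if name in DEFAULT_LOCAL_NAMES:
            continue  # 127.0.0.1 localhost / ::1 localhost are expected
        if addr.is_loopback or addr.is_unspecified:
            findings.append((lineno, "sinkholed", ip, name))   # name made unreachable
        else:
            findings.append((lineno, "redirected", ip, name))  # name pointed elsewhere
    return findings


# Constructed sample; not the 842-byte file the report hashes.
HOSTS_SAMPLE = """\
# Constructed sample hosts file for the example (not from the report).
# Stock comment lines are ignored by the parser:
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1 localhost
::1       localhost
127.0.0.1\tupdate.example-av.test   # vendor update host sinkholed
0.0.0.0   www.example-av.test  kb.example-av.test
198.51.100.7\tlogin.example-bank.test
"""

if __name__ == "__main__":
    for lineno, verdict, ip, name in triage_hosts(HOSTS_SAMPLE):
        print(f"line {lineno}: {verdict:<10} {ip:<15} {name}")
```

On a real host, read the file as bytes and decode it leniently before parsing: a sample can leave it in a non-UTF-8 encoding, and a parser that throws on the first bad byte reports nothing at all. The same triage does not apply to the executables the report lists under Program Files (7z.exe, GoogleUpdateCore.exe, the .NET runtime installer); those need their current hashes compared against the vendor's or a package manifest's, since a legitimate path and filename say nothing about the contents after a sample has written to them.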