Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

83a7d67281...95.exe

windows7-x64

7

83a7d67281...95.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/09/2024, 06:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    83a7d67281eb45851a02743bf1f8b3a2c3846f783c3607862d324b173281c495.exe

  • Size

    251KB

  • MD5

    59086294a275f8ad0928bca367937158

  • SHA1

    969cb1754a300380cada3e38d93277f01bffa4bf

  • SHA256

    83a7d67281eb45851a02743bf1f8b3a2c3846f783c3607862d324b173281c495

  • SHA512

    0086fa7291bba356c850e3e96aa20eb22582163f2316241c1f8006711f68eb63cf2ab087605fa097634ef2ec33b44bab91080d66008de2c30ac0bcc61c8021e8

  • SSDEEP

    6144:A+aX3LxQZbO5JCSZT0wwla4G13CmdxLzI9LTB5xnmT:A+aUbuJcfcXbz0Tfxo

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3456
      • C:\Users\Admin\AppData\Local\Temp\83a7d67281eb45851a02743bf1f8b3a2c3846f783c3607862d324b173281c495.exe
        "C:\Users\Admin\AppData\Local\Temp\83a7d67281eb45851a02743bf1f8b3a2c3846f783c3607862d324b173281c495.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2316
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3208
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1912
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD68A.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2440
          • C:\Users\Admin\AppData\Local\Temp\83a7d67281eb45851a02743bf1f8b3a2c3846f783c3607862d324b173281c495.exe
            "C:\Users\Admin\AppData\Local\Temp\83a7d67281eb45851a02743bf1f8b3a2c3846f783c3607862d324b173281c495.exe"
            4⤵
            • Executes dropped EXE
            PID:4032
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4384
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1528
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:4516
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3112
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2532

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
      Filesize

      250KB

      MD5

      71ba7af50c95582d5533b66cb35dd83a

      SHA1

      e04b58f7ee8b0ca9ef148ec1e10d088047f867ab

      SHA256

      1ea29a665f9812577876ba26bd78ba674c2db7f4595a40d75b1dd8cd822a936b

      SHA512

      031a9dffc539f40f0fe328c92b5a1610411f60dab96929d5eeb32018bbc754940cfb844d55becf9647a038dbf6fa885aecf6dcab8604434ae7cab5396cc1df15

      Download Submit

    • C:\Program Files\7-Zip\7z.exe
      Filesize

      577KB

      MD5

      5ac4056f9d0b3bd588671434ead1c17f

      SHA1

      9d3e0e6c41fe202d78ac7adc0c26c0a5d27b5d9c

      SHA256

      ed3ad6c04b7778bf946fe1a0cea7b00a82542c7cb9687e562741248ea7657411

      SHA512

      12955c0c491b2f4b5343ba8d64ac9c08eaa77cb5b84929b36fd9efde7e241dd1553d3175fb39d1f4f9a9cb9e1242f501df3943788977fb06b0d30871ba5330d2

      Download Submit

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
      Filesize

      643KB

      MD5

      a5d877ddb05e13f657da9a470f10bd7c

      SHA1

      0e06863bb66b72b01d0120f89a176a13ffccc6cc

      SHA256

      5fba16468f3e99ea99a8b3007a6d4a34ddcbedcf757c192f0eaf707297414777

      SHA512

      aa28dca40bbc144f40dec11b83cbb4ed746f3f74c831318c2eea0d5d4108ed6452485f30ab7f697114e19b48d4b256580042a542ebd65dacacea5e5384f600ed

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$aD68A.bat
      Filesize

      722B

      MD5

      10283e4523c1915c8b13357e55922322

      SHA1

      19e56a47ed00ff56647626fd06a408a7021ae042

      SHA256

      f70df5ea3cfd8e1215badf66b1b07b05ca71b1b01d678ddbc6a23688dc45b988

      SHA512

      d97b87a6f9b3d680e1e466055a6675cf76464002bac494da49ef0c008934e8f7a0bc36a6ae00ddebdbdde4e251027c3efb4053ae3957588922f3dfa635122d69

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\83a7d67281eb45851a02743bf1f8b3a2c3846f783c3607862d324b173281c495.exe.exe
      Filesize

      218KB

      MD5

      5f1707646575d375c50155832477a437

      SHA1

      9bcba378189c2f1cb00f82c0539e0e9b8ff0b6c1

      SHA256

      75d348a3330bc527b2b2ff8a0789f711bd51461126f8df0c0aa1647e9d976809

      SHA512

      2f55dd13abfeb5af133ac5afb43c90fd10618e8fb241f50529241cff7987fff382cf151146855c37ad8ae0401b34f6d9aa32cbec03cdd67a224dfe247bad6c99

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      33KB

      MD5

      c4ec2631f0913b349423b6d2bd687a6b

      SHA1

      9b9ae1664a063db7e1bd53073f6f1c3a62fa0e55

      SHA256

      cdaed7acb956972ce40a95412620150fcf1428c34a8ddbd0e9f0742df0d885bb

      SHA512

      a8ba683aa3c9d607d7ef9c3ec28a924b23be85a90e5334eb2a9f6edb8117442a818608c44f010b2bdaec052319fcc6436b5628408f4ebb82d207196df1729e86

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-2718105630-359604950-2820636825-1000\_desktop.ini
      Filesize

      8B

      MD5

      4b4a61d6d446a36ccde31e7ebd6e7aeb

      SHA1

      6abcca1983b34a570385eb5b421b92449c851dfc

      SHA256

      d685543d9800644339454e98bc6c2f9ccea646fd51fdb5181583ca60fcdef8e9

      SHA512

      c25ac03153db7beb8b163c82e5ef75e916346047a00202825b79797b6259f877eea6fac6ea333743d7e423d5fc65d713e9e0cafc0631321beab8ae01ede9ee65

      Download Submit

    • memory/2316-10-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2316-0-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4384-19-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4384-2745-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4384-11-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4384-8918-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download