Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

b6227408df...26.exe

windows7-x64

7

b6227408df...26.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03/09/2024, 19:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b6227408df6a45bb24ae89b2cbf4aa6e387334a612532ce80828dd150f104226.exe

  • Size

    963KB

  • MD5

    05856185e19e9591005fbc3b1b71c064

  • SHA1

    fb53f199268d0cb1a9dd2b0358062dcd33a46928

  • SHA256

    b6227408df6a45bb24ae89b2cbf4aa6e387334a612532ce80828dd150f104226

  • SHA512

    14559d721cedbd62473dabb7c0117fb12199cc22f71f3e2f9497621e50b0e15cc0a49254aa64f8be7a1c3f25e5628c23a2ca04d33a610dd35dd760da18ca86a1

  • SSDEEP

    12288:v+aWRKcv8Nh7py6Rmi78gkPH3aPI9vyVg/0paQuj3IdD02fKBjtp/:vBPBpDRmi78gkPXlyo0G/jr

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1180
      • C:\Users\Admin\AppData\Local\Temp\b6227408df6a45bb24ae89b2cbf4aa6e387334a612532ce80828dd150f104226.exe
        "C:\Users\Admin\AppData\Local\Temp\b6227408df6a45bb24ae89b2cbf4aa6e387334a612532ce80828dd150f104226.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2792
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2884
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2824
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aF622.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2580
          • C:\Users\Admin\AppData\Local\Temp\b6227408df6a45bb24ae89b2cbf4aa6e387334a612532ce80828dd150f104226.exe
            "C:\Users\Admin\AppData\Local\Temp\b6227408df6a45bb24ae89b2cbf4aa6e387334a612532ce80828dd150f104226.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:2612
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2980
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1904
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2592
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2864
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3068

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
      Filesize

      258KB

      MD5

      73e7e4d64d7a01f7e8df598641540111

      SHA1

      8104ed53131db904b94106abb83ffcb9693dffbc

      SHA256

      335e21eff92c60c2aaad42dbca6076e20ac1de9d8ed5fab0ccec6775a668270c

      SHA512

      839540049b9d4eb31d9681a1cda73e6d5f4c608c27e1efaead55dc80fde9963d473bce2ca8f72a7e753042c1fe60934af9fe7b1c1c40fd864c5bc7e9ce8d2598

      Download Submit

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
      Filesize

      478KB

      MD5

      cca83bbf5782b69f2b55fb941c4d5b14

      SHA1

      db61bf16b63cf2f336089100add5e608eba10614

      SHA256

      462539b52a7f88960d280083fc7b25639e97e860b329c7ebd3ed356254a0079a

      SHA512

      a0833fdc5a6611f8b81b0265da1d6802245535c3246342252c3bba3680c9b3f0a0c916ba02b3ab26faaa5c4db1c88a8d9ba9e4bebd4be06de095c82adc857e3b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$aF622.bat
      Filesize

      722B

      MD5

      5f3c1618d7a6627070d4a10d6f8f9891

      SHA1

      f134985fca1607470f579b9d6d807dcfff8a7a28

      SHA256

      cb64582264a5928be365b00445ec4603eda8839f6c65ff8f861a24042131c18b

      SHA512

      d160fb7cf00cc2fafb179403f8a84e801954af72a28b70ae71faadc3ff3c6e0bfef6262f7f14f181b7634e0d68d52acfcca86e1db61243ef0883f61f2072e254

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\b6227408df6a45bb24ae89b2cbf4aa6e387334a612532ce80828dd150f104226.exe.exe
      Filesize

      930KB

      MD5

      30ac0b832d75598fb3ec37b6f2a8c86a

      SHA1

      6f47dbfd6ff36df7ba581a4cef024da527dc3046

      SHA256

      1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74

      SHA512

      505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      33KB

      MD5

      7e619692b53866243cf3f4bcd669d555

      SHA1

      5a8429b110acd43c0ddb3f101eac0bf55afb402b

      SHA256

      d33a86247c1731fc2f4acd320bd281542e708ae43ffdb05ee62a89f50bf034ff

      SHA512

      e7d65a2f4fa9e54b2f3445cc3c51d2e442e42ea1132b77c8fe0abf67052eb75a32414e02b10cd172e62b84996898c7dffa1e88496a1b5441dd3fb5059a320421

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-312935884-697965778-3955649944-1000\_desktop.ini
      Filesize

      8B

      MD5

      5894100cc85ef83f995c15a4d7fce813

      SHA1

      55d61ce36a76e549348eff08abae3e32e96b8123

      SHA256

      4912abab5bf4a890230f6c060bcae7827f96d9ffcf6025852967b53a65fc315d

      SHA512

      248346b25ea49cbaaa8bbd25f2fb26ad59c3f1ba650efd4e9eda9b32d1e918292bab3e5f1b19d92543d416cfe9d8a0b49d09f1eebcdca085a031e8238d461655

      Download Submit

    • memory/1180-29-0x00000000024C0000-0x00000000024C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2792-18-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2792-0-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2792-16-0x00000000002B0000-0x00000000002EF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2980-32-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2980-19-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2980-3001-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2980-4190-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download