Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/09/2024, 06:04

General

  • Target

    3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe

  • Size

    1.1MB

  • MD5

    f4926ba34c279f8f111d959725a34d63

  • SHA1

    9546c63e4a77640758391206dba5083bb532feb9

  • SHA256

    3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be

  • SHA512

    2e4c9d72609430e4955d8e089b726225f471572a182d0bc8a7b71269a783108d108968d5baff2d8a1e4c88ca36dd32401a665782f945685f4deca1b5a6311405

  • SSDEEP

    24576:nBvf9AiKGpEoQpkN2C4McuKo0GTNJpyT5RGeQa0s:nBv+GtCi27mVHyT+a0s

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3460
      • C:\Users\Admin\AppData\Local\Temp\3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe
        "C:\Users\Admin\AppData\Local\Temp\3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4652
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2740
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1488
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6EE6.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:768
          • C:\Users\Admin\AppData\Local\Temp\3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe
            "C:\Users\Admin\AppData\Local\Temp\3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe"
            4⤵
            • Executes dropped EXE
            PID:3976
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3636
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2328
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2004
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2348
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1440

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

      Filesize

      250KB

      MD5

      85288899f47f812de0920f0415e414f1

      SHA1

      08e9d96816a8f396b304e69edaf65972ca8fad20

      SHA256

      9cabae29a7cf9d995268c718d32dcee7e8d3d8965ebc6b561eba6db24de2d0bb

      SHA512

      bbd4b0a0faf889098fee026e3a68ca2c1739079559c7bed1c90c36a453b8ddac08a0887279f9d13a5f2520fd13535bd71ee77e6129e016aaa5d29199984572a7

    • C:\Program Files\7-Zip\7z.exe

      Filesize

      577KB

      MD5

      a6001b34878a0c9038926295609aeb20

      SHA1

      de581a97239e5e2729f3569e4150955ca29d9777

      SHA256

      147f7b327359fbef3ecd9197f0fb6cd7776e5b2de23ec6eef6c3043e1db2b36d

      SHA512

      167207ceabe2c9605fb2da9dea09ea723d766f7237769e0124abdbc2e62272300db493a60efeeafd07f39828ed2386661949b0e05e91bd77109ad275cc7be05d

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

      Filesize

      643KB

      MD5

      29bab5fa7dbfd951e1c8290a8f4c2ba7

      SHA1

      7b86728d64cef9686bd45f2ff6fdc818c11a1bbb

      SHA256

      dda333d8aed86ba750f669280e458ad2fb8d8ad5700a5fe0df584a1c818c481b

      SHA512

      5bb37bffffe297653f91e0601f17b507659bcfe78567e6e1d10506d3c3bea737e7d6374224ecc01f421cff8f74b299eba8fe3152742b2b1c228966a630de1339

    • C:\Users\Admin\AppData\Local\Temp\$$a6EE6.bat

      Filesize

      722B

      MD5

      ba08056444686c5e03c781564f2deb96

      SHA1

      d1a495aeba81b53a4cd87d8d7423639291047e2d

      SHA256

      923e64128dcce455023b5c3acb26dac09484588ffc5322298ba54ce50c992d82

      SHA512

      7687ca6a6c534b25671cd54ac8572b5e977a1c3a8c6c8649b21c79c16fdd874ac2390ff97e24fa9bf3695aed155aafa99bcecae69a9b5b0448a28bbf81ed8537

    • C:\Users\Admin\AppData\Local\Temp\3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe.exe

      Filesize

      1.1MB

      MD5

      09239e688ff75cd636ac932100b243f9

      SHA1

      2a7964c81b9a34bb77c4e3676e7d31b7d2668297

      SHA256

      a36ef4c18a08ee8d8c0d10d96ab37a0c3ce22a8f328733af8c0451579e4edcb1

      SHA512

      686708321d8756ddcfa2d1585ca7261be0ece33bd9d134888cdb4655b8484c727b34b4ac7f12d919184e85ab65088bc565549c262289cb64f9aeca0508290825

    • C:\Windows\Logo1_.exe

      Filesize

      33KB

      MD5

      0fa99b8acf13f45b95bacb99fad6efef

      SHA1

      d6271ca22be5d6bbfba2ef4229dca71182d43892

      SHA256

      c41ba3c322874847191377fd1671808aff7f2aac06b0ad1a8d1e81679e498b01

      SHA512

      efdbb5b56a621d6bffe454cf860483a21a64d59ece212cbc42f45f6a2259f5afd99621b88253b8808af5429b7e67d69136dc5fa63b304389e3e2ac090495cc31

    • F:\$RECYCLE.BIN\S-1-5-21-355097885-2402257403-2971294179-1000\_desktop.ini

      Filesize

      9B

      MD5

      475984718232cf008bb73666d834f1f4

      SHA1

      12f23c9301c222f599a279e02a811d274d0f4abc

      SHA256

      a5b32591119f87eb3c8a00c0c39e26ea6d6414aa9887d85fcb4903e1c14921b5

      SHA512

      80235dc2560b7991d79f9550cdeca6ac02c00cee6bf186f8f20d4ff3fbd7718be937b73ab768d71c4027e153557b08bbfd95ea88d2e0857a7c70cf1da6fa9937

    • memory/3636-3148-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/3636-18-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/3636-9-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/3636-8737-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/4652-0-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/4652-10-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB