Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

ecb38c0b5a...bd.exe

windows7-x64

7

ecb38c0b5a...bd.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15/09/2024, 06:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ecb38c0b5a1cfb15dcb3dd97615ae5aa0e2a53df54dab5c4808d9047373b2dbd.exe

  • Size

    264KB

  • MD5

    bff283f236fd6be1b1135fc2c7f3d896

  • SHA1

    60549c51c4a916b17dd383aee52a7da569a17fea

  • SHA256

    ecb38c0b5a1cfb15dcb3dd97615ae5aa0e2a53df54dab5c4808d9047373b2dbd

  • SHA512

    bae6758847fd539a1a65e2ee7b0482afb4aac405a1477b98e55f36d81fc746350ddc209d4f981e0a95a58a3fac7aecaffcf6d1e5f46d4c2917c5630c0311cfbc

  • SSDEEP

    1536:KXe+Zk78UKUWlILFkbeumIkA39xSZW175V7UZQJ0UjsWpcdVO4Mqg+aJRaCAd1uq:KXe+auLRkgUA1nQZwFGVO4Mqg+WDY

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1272
      • C:\Users\Admin\AppData\Local\Temp\ecb38c0b5a1cfb15dcb3dd97615ae5aa0e2a53df54dab5c4808d9047373b2dbd.exe
        "C:\Users\Admin\AppData\Local\Temp\ecb38c0b5a1cfb15dcb3dd97615ae5aa0e2a53df54dab5c4808d9047373b2dbd.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2580
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1756
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2432
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aAD11.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1976
          • C:\Users\Admin\AppData\Local\Temp\ecb38c0b5a1cfb15dcb3dd97615ae5aa0e2a53df54dab5c4808d9047373b2dbd.exe
            "C:\Users\Admin\AppData\Local\Temp\ecb38c0b5a1cfb15dcb3dd97615ae5aa0e2a53df54dab5c4808d9047373b2dbd.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2916
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2940
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2776
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2868
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2908
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2272

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
      Filesize

      258KB

      MD5

      41bd2fac22f6dd2b092274872e0b86c6

      SHA1

      9266a9f20efc219481821074be65f0acf8dbd990

      SHA256

      7658233cbf7e762541db95f1d6e43f863263e05c1ce00d99541ac36b3d62909d

      SHA512

      67c078b505cd9d9b11eeaea59d86ba66c188d79c236af8ff9b573c378734165cd6540a9ce944c49d9209bfffb264bd734980ecfc5f479f67948d71b37d462110

      Download Submit

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
      Filesize

      477KB

      MD5

      c32f3ae2a93a21a604cd493d86b40278

      SHA1

      4428387f1a1dd12ff5607459bcf4d89cd8ed80fe

      SHA256

      b84bbbbc007c88ca79ea94b2cf92e7a3093c8de3a8ce4b70b6f4d0a9480595a8

      SHA512

      5e7bb3318deebf7663fc4b9c3b20ce75986e32cbb27c34ec94fccf5affde4f0dd9e5dd0bef38510d088ec00b885dccafff09706a75fd927f882540ead7cc7965

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$aAD11.bat
      Filesize

      722B

      MD5

      252863df785d1ff9da4270e76c6bca38

      SHA1

      5626b5f86f43ecb650f58db399004a4edcd5b4d6

      SHA256

      c832324373e2555dd21e8402e108b14321d6401bffe85311df2d4d4707219477

      SHA512

      38c44d2fba85bc0e261af5bae4b541954bbd60f33a158bba9eaf297e730cb050a8413736e42636ab5003f33a15dc6b330f35a63d906cf8f2233112be19ddfc45

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\ecb38c0b5a1cfb15dcb3dd97615ae5aa0e2a53df54dab5c4808d9047373b2dbd.exe.exe
      Filesize

      231KB

      MD5

      6f581a41167d2d484fcba20e6fc3c39a

      SHA1

      d48de48d24101b9baaa24f674066577e38e6b75c

      SHA256

      3eb8d53778eab9fb13b4c97aeab56e4bad2a6ea3748d342f22eaf4d7aa3185a7

      SHA512

      e1177b6cea89445d58307b3327c78909adff225497f9abb8de571cdd114b547a8f515ec3ab038b583bf752a085b231f6329d6ca82fbe6be8a58cd97a1dbaf0f6

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      33KB

      MD5

      9b3072c3c58526ecbf15d66e52c04941

      SHA1

      500489a16879706004a62e507aee720aca23fdf3

      SHA256

      eecc0652adacd259e61170088ceea9864602c9df8ec70d8a5668e66a69e00390

      SHA512

      6a9799d8bdac1e7a29dfdaade10932f98009fc0cf3a56649ae893f41358ccb7a974e0b34346691e749a3e93447ce58ba29a5e96af5fca60ccf32afd8bfd9591d

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-312935884-697965778-3955649944-1000\_desktop.ini
      Filesize

      9B

      MD5

      9f88a7249d726e0d4ebea8ef2b661d98

      SHA1

      f68a9700c917086c68acd41e85887dc8fcc4c2c3

      SHA256

      969f39ddb9e19420959783eb412b391e2c49b99261750aa2716b781fabcc0f3b

      SHA512

      f68c4e069aeefc665d8c92f0c734098e4de0f4b1bea40dd72510827a49f9bd2ef6dd5b606d05cb0716630f1f27f471c3cf7d036442f34c3faa4f905d6101e21f

      Download Submit

    • memory/1272-28-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2580-17-0x0000000000440000-0x000000000047F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2580-32-0x0000000000440000-0x000000000047F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2580-16-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2580-0-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2940-33-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2940-19-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2940-3148-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2940-4195-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download