Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

ecb38c0b5a...bd.exe

windows7-x64

7

ecb38c0b5a...bd.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/09/2024, 06:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ecb38c0b5a1cfb15dcb3dd97615ae5aa0e2a53df54dab5c4808d9047373b2dbd.exe

  • Size

    264KB

  • MD5

    bff283f236fd6be1b1135fc2c7f3d896

  • SHA1

    60549c51c4a916b17dd383aee52a7da569a17fea

  • SHA256

    ecb38c0b5a1cfb15dcb3dd97615ae5aa0e2a53df54dab5c4808d9047373b2dbd

  • SHA512

    bae6758847fd539a1a65e2ee7b0482afb4aac405a1477b98e55f36d81fc746350ddc209d4f981e0a95a58a3fac7aecaffcf6d1e5f46d4c2917c5630c0311cfbc

  • SSDEEP

    1536:KXe+Zk78UKUWlILFkbeumIkA39xSZW175V7UZQJ0UjsWpcdVO4Mqg+aJRaCAd1uq:KXe+auLRkgUA1nQZwFGVO4Mqg+WDY

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3404
      • C:\Users\Admin\AppData\Local\Temp\ecb38c0b5a1cfb15dcb3dd97615ae5aa0e2a53df54dab5c4808d9047373b2dbd.exe
        "C:\Users\Admin\AppData\Local\Temp\ecb38c0b5a1cfb15dcb3dd97615ae5aa0e2a53df54dab5c4808d9047373b2dbd.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4328
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4672
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1248
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a632E.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4872
          • C:\Users\Admin\AppData\Local\Temp\ecb38c0b5a1cfb15dcb3dd97615ae5aa0e2a53df54dab5c4808d9047373b2dbd.exe
            "C:\Users\Admin\AppData\Local\Temp\ecb38c0b5a1cfb15dcb3dd97615ae5aa0e2a53df54dab5c4808d9047373b2dbd.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2464
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2044
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4592
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:5024
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4352
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2148

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
      Filesize

      250KB

      MD5

      4dd56b31f3c4d0d5cfba349b906d5843

      SHA1

      dde679248bf5eb0452051bac6853d62224d8cc27

      SHA256

      2036eb95f6187dcbfd9e0a3bd443a589f150ef60cf8e831112214431d9c36311

      SHA512

      779bc40fa720d7cc11f939efbd227e6ae5dd68224167bae1edb536f2c07019107ae367a541c4fb1beb52f99798b8bf4ec2a2018a44e8d5126cc648d252867f17

      Download Submit

    • C:\Program Files\7-Zip\7z.exe
      Filesize

      577KB

      MD5

      0e4873e5fbd8b5bfa0969c62d188af8d

      SHA1

      071e69887f14896be0479819d328344cacd3647e

      SHA256

      6a35a88731ff34c53d3aa1c8100cfdd271d9c40d16e3f4873fb20b54cdb1bb89

      SHA512

      12625fc1e03c2d01688050842175e5420ccbab5321ed72be2cb647f18fcbcc2048b5cefa2eaf41267fdc525c49f446f2a8c47f053cd95d8fb439079c22b534a4

      Download Submit

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
      Filesize

      643KB

      MD5

      29bab5fa7dbfd951e1c8290a8f4c2ba7

      SHA1

      7b86728d64cef9686bd45f2ff6fdc818c11a1bbb

      SHA256

      dda333d8aed86ba750f669280e458ad2fb8d8ad5700a5fe0df584a1c818c481b

      SHA512

      5bb37bffffe297653f91e0601f17b507659bcfe78567e6e1d10506d3c3bea737e7d6374224ecc01f421cff8f74b299eba8fe3152742b2b1c228966a630de1339

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$a632E.bat
      Filesize

      722B

      MD5

      5902edaddaeb9d567cb9f9bfa7feea29

      SHA1

      199682c9d93474e508362f82769626579915ab02

      SHA256

      da4d479edc0846338bbf869706ba2b8260df51735eebb415ee4ac090927503ce

      SHA512

      1ba73610da7e4d57d38d1f2e8a840688a26002fbee40e9c0f52068bff984ee5a6b9c4d4b0d50f10a6548ab51a29d09ae0bfa05d6e303f24b0b9052f043c0bc52

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\ecb38c0b5a1cfb15dcb3dd97615ae5aa0e2a53df54dab5c4808d9047373b2dbd.exe.exe
      Filesize

      231KB

      MD5

      6f581a41167d2d484fcba20e6fc3c39a

      SHA1

      d48de48d24101b9baaa24f674066577e38e6b75c

      SHA256

      3eb8d53778eab9fb13b4c97aeab56e4bad2a6ea3748d342f22eaf4d7aa3185a7

      SHA512

      e1177b6cea89445d58307b3327c78909adff225497f9abb8de571cdd114b547a8f515ec3ab038b583bf752a085b231f6329d6ca82fbe6be8a58cd97a1dbaf0f6

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      33KB

      MD5

      9b3072c3c58526ecbf15d66e52c04941

      SHA1

      500489a16879706004a62e507aee720aca23fdf3

      SHA256

      eecc0652adacd259e61170088ceea9864602c9df8ec70d8a5668e66a69e00390

      SHA512

      6a9799d8bdac1e7a29dfdaade10932f98009fc0cf3a56649ae893f41358ccb7a974e0b34346691e749a3e93447ce58ba29a5e96af5fca60ccf32afd8bfd9591d

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-1194130065-3471212556-1656947724-1000\_desktop.ini
      Filesize

      9B

      MD5

      9f88a7249d726e0d4ebea8ef2b661d98

      SHA1

      f68a9700c917086c68acd41e85887dc8fcc4c2c3

      SHA256

      969f39ddb9e19420959783eb412b391e2c49b99261750aa2716b781fabcc0f3b

      SHA512

      f68c4e069aeefc665d8c92f0c734098e4de0f4b1bea40dd72510827a49f9bd2ef6dd5b606d05cb0716630f1f27f471c3cf7d036442f34c3faa4f905d6101e21f

      Download Submit

    • memory/2044-2875-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2044-17-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2044-8-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2044-8742-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4328-0-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4328-9-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download