Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

c229f2008c...11.exe

windows7-x64

7

c229f2008c...11.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/09/2024, 06:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c229f2008c8101c7f6490694af2c8eb538c6c2abea578d74d4a94d18243f6111.exe

  • Size

    176KB

  • MD5

    73d3829bda7873aad89b3e12ffc97f9a

  • SHA1

    064bf3c8014ab716ec387ff53e377a4947442604

  • SHA256

    c229f2008c8101c7f6490694af2c8eb538c6c2abea578d74d4a94d18243f6111

  • SHA512

    155b6fefbd4c8caa59f551f266954941e21b9badf4f493d122ff96a7d937cfcb2cfeb8194890c95487f85ceeffd4bf31c1b313e409afee027ff5bca4b083ee13

  • SSDEEP

    3072:Kfe+a1DfByOpGjAvb3eLG2FmDDSrDVTFooWZet3:1+appyOpGcj3UFmDDSrDVTSBQ3

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3464
      • C:\Users\Admin\AppData\Local\Temp\c229f2008c8101c7f6490694af2c8eb538c6c2abea578d74d4a94d18243f6111.exe
        "C:\Users\Admin\AppData\Local\Temp\c229f2008c8101c7f6490694af2c8eb538c6c2abea578d74d4a94d18243f6111.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3056
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1600
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3576
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9376.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2700
          • C:\Users\Admin\AppData\Local\Temp\c229f2008c8101c7f6490694af2c8eb538c6c2abea578d74d4a94d18243f6111.exe
            "C:\Users\Admin\AppData\Local\Temp\c229f2008c8101c7f6490694af2c8eb538c6c2abea578d74d4a94d18243f6111.exe"
            4⤵
            • Executes dropped EXE
            PID:3212
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2848
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3220
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:4148
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2476
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2260

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
      Filesize

      250KB

      MD5

      6bb9d7b6949c25cc2312bcd71b8e4f91

      SHA1

      96d199177506b8cc560fbc5bddca9473e9444bbb

      SHA256

      c9b0a0f3da1d9d659f8f1e9fd23403be58b04a4e96c1ee5bab96b7fd84aee5d6

      SHA512

      9eab4cff5138c8d1409e97cb80dd88a190c6984591a15a3c6bef094ecab16856deeee19daba78b34b3b1a27ebf70a487196f3c6d92e4e9645c036b8f4d42e92d

      Download Submit

    • C:\Program Files\7-Zip\7z.exe
      Filesize

      577KB

      MD5

      d482896e968579c40dc016709636b6d9

      SHA1

      9f22a694928296a8f9711eae826019d4673890ad

      SHA256

      d716593b016a341c615c009724981d6960b83767c51abda0b7bb3e3ab2fd7483

      SHA512

      6638bd31dafc77f748009a9834599259daf1eb19804af8837d3a5d6339caf1f04cf839dbc543ddb45ce9101d24325eea33766a7117466ff915779d49e56b5d08

      Download Submit

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
      Filesize

      643KB

      MD5

      29bab5fa7dbfd951e1c8290a8f4c2ba7

      SHA1

      7b86728d64cef9686bd45f2ff6fdc818c11a1bbb

      SHA256

      dda333d8aed86ba750f669280e458ad2fb8d8ad5700a5fe0df584a1c818c481b

      SHA512

      5bb37bffffe297653f91e0601f17b507659bcfe78567e6e1d10506d3c3bea737e7d6374224ecc01f421cff8f74b299eba8fe3152742b2b1c228966a630de1339

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$a9376.bat
      Filesize

      722B

      MD5

      d5c0ccdf3cb0e7a3e3efbcc69f7bacaa

      SHA1

      9348dec9f9de0bd8393f142f1685b97b22a1965a

      SHA256

      8fb6cd7d1790a9c3b116f2b434702a3f7d7069aaa2f9ec3dbf96eca5dd3507ef

      SHA512

      94c8dfdea61d1209fbe0d450cee6d3caf5f0e8e5a12b9e66ad45862a76242d918908bd3ad36a6dd9b786c6df9a6ee6cfdf250662c3668a051345f07c5feb1147

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\c229f2008c8101c7f6490694af2c8eb538c6c2abea578d74d4a94d18243f6111.exe.exe
      Filesize

      143KB

      MD5

      33b4c87f18b4c49114d7a8980241657a

      SHA1

      254c67b915e45ad8584434a4af5e06ca730baa3b

      SHA256

      587296f3ff624295079471e529104385e5c30ddc46462096d343c76515e1d662

      SHA512

      42b48b4dcd76a8b2200cfafddc064c053a9d1a4b91b81dee9153322c0b2269e4d75f340c1bf7e7750351fb656445efaf1e1fe0f7e543497b247dd3f83f0c86f9

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      33KB

      MD5

      ac4d54500ddcf012f66bc5ba7530beb1

      SHA1

      375bfcd1b95696f4b1c5f93dd5621e5c16fcda98

      SHA256

      733b97920694040cf31888669d75229717b34c0e0fe892d10bb5421f0879fc09

      SHA512

      076bddcb1a579a43ec3714f9396a2b3836bcb86d469c9df56b9bbc94aaf1330069c97c75081e5414faf2160b8904f357fa823c40273e64c8278059c760fa974a

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-945322488-2060912225-3527527000-1000\_desktop.ini
      Filesize

      9B

      MD5

      9f88a7249d726e0d4ebea8ef2b661d98

      SHA1

      f68a9700c917086c68acd41e85887dc8fcc4c2c3

      SHA256

      969f39ddb9e19420959783eb412b391e2c49b99261750aa2716b781fabcc0f3b

      SHA512

      f68c4e069aeefc665d8c92f0c734098e4de0f4b1bea40dd72510827a49f9bd2ef6dd5b606d05cb0716630f1f27f471c3cf7d036442f34c3faa4f905d6101e21f

      Download Submit

    • memory/2848-17-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2848-2819-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2848-8-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2848-8833-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3056-0-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3056-9-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download