Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

49387e11c6...7d.exe

windows7-x64

7

49387e11c6...7d.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/09/2024, 14:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    49387e11c69e53ae0ee354a3949c8b3b6b33c795421c6bfdb0bfc143022d8d7d.exe

  • Size

    66KB

  • MD5

    4fb487529015ff51edde64445286e1e1

  • SHA1

    b8f31ace306e77d368c647911da0c60009c14379

  • SHA256

    49387e11c69e53ae0ee354a3949c8b3b6b33c795421c6bfdb0bfc143022d8d7d

  • SHA512

    3ed32810cfbb5b2a7c86c0e959b35dad36b1df5fb125fe45787adc35939d582a19ec73c918fd073c6d4c17b8f5c470187af13cfe0d6ca1e1a5a1605610497631

  • SSDEEP

    768:2UmNHp+Vxr1x5cE9Fl5pz8w1rU9hFInlItvVhoEqzjQCyGleXNhyaBt6UkAkBJzz:2fpsrz8GvnGtvVfqzlledcTJzz

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3600
      • C:\Users\Admin\AppData\Local\Temp\49387e11c69e53ae0ee354a3949c8b3b6b33c795421c6bfdb0bfc143022d8d7d.exe
        "C:\Users\Admin\AppData\Local\Temp\49387e11c69e53ae0ee354a3949c8b3b6b33c795421c6bfdb0bfc143022d8d7d.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3196
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5064
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4896
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC081.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1760
          • C:\Users\Admin\AppData\Local\Temp\49387e11c69e53ae0ee354a3949c8b3b6b33c795421c6bfdb0bfc143022d8d7d.exe
            "C:\Users\Admin\AppData\Local\Temp\49387e11c69e53ae0ee354a3949c8b3b6b33c795421c6bfdb0bfc143022d8d7d.exe"
            4⤵
            • Executes dropped EXE
            PID:2324
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4724
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1972
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2572
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1580
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1504

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\7-Zip\7z.exe
      Filesize

      577KB

      MD5

      7864a3f777019c73ad26ab282fdaba77

      SHA1

      c46f6b0c3503911395a1d13ac2f7884a20a76382

      SHA256

      f3117732a9955b7a81629f8f4e3feba53ff1f1491c2c49c6b2d76a1fa64b0545

      SHA512

      94191a3fde694d248ace8d212253821f502d5e592ab2f4cb1d137c7c55645d218b48839a00e8a87a6e5ef31138e700e3e56c2b6d84e0c4e8291394df45261645

      Download Submit

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
      Filesize

      644KB

      MD5

      9044b8cb7dee805474f46fdff328cebb

      SHA1

      1cabc4c6c2c86cbb78765bc9dbc34fb343a473d2

      SHA256

      62fedddac5d2bc0012582f6d5c8a62f1cfeb146338ded33892f3e2e9a3080618

      SHA512

      4c3baf797abb9745bd194cb39da4f7541273d5ceb694929e562b3823118a8851a9b5dde4379d3936ca8fc233339560f7716518a62b421a2fcfe228d1037d9753

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$aC081.bat
      Filesize

      722B

      MD5

      5173566a3bbbc5523ac20375de014bbe

      SHA1

      f8418ade095fd5410d154eb6eb0c07ce19932712

      SHA256

      da0537648067276a768fe8d28462d3f5edbf2e449e927f046155203a1954ad46

      SHA512

      b6cbf9a36abea65b11a68091f78d21c902304f4adef570f405aae4fd78b56394483b763b29319288b4e5317551e06b2c73f08ed7e82f6cc785d39f1d2250d57a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\49387e11c69e53ae0ee354a3949c8b3b6b33c795421c6bfdb0bfc143022d8d7d.exe.exe
      Filesize

      33KB

      MD5

      64f8db30b16d1c755d033d069c70d2d1

      SHA1

      04e8f26c383027cc63531f48477424bda65b14e5

      SHA256

      0823bf7a2c453892ffa4328a970a417e0907d584bfb7f819ed0f4bb139d12e55

      SHA512

      f461b40de656e6df6360a1ba393b000720c0ffa91147b00ee42aefccb4122da4314ce4de00364e692a0517f5e6643fe061b232fb316e993642f2d43b393b38aa

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      33KB

      MD5

      3253bf7588138d1e39d3105c7b5dc8b9

      SHA1

      b26c43ff51ce241d473aa3efa30cd3b3bc68e43a

      SHA256

      63554e061f95eb7f63c9d50e7c14fc88c1cbf4db277efaefe1bea2388f9ed5e0

      SHA512

      cd45a96ada3daa5d2386ef9d5ded03a7e1e6f5c800bf01d02c1289c2e5234b8ed2b430ad0438837b32da22a753d07b0d1ee918dca8567a8c6c3619a8050c3bd5

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-355097885-2402257403-2971294179-1000\_desktop.ini
      Filesize

      9B

      MD5

      5412111268dd2c1fb1cf8697bfab9b6c

      SHA1

      16d0b289e83c74cb50a004edd7c5750ac706f321

      SHA256

      f3aa35be7048ddbf11fc581e5f9476745d75bcf097e121ba2915614e360a0cdc

      SHA512

      13fc5bf11faaf5471fde8a1bafdcc6d27521bad796e5e532c94d9c8232dd70088e70b6d5ac60c4c15d13e59926ac38e9a9e01b4dd4694a77d70bdd1ae7005ccf

      Download Submit

    • memory/3196-0-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/3196-10-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/4724-11-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/4724-18-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/4724-3191-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/4724-8857-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download