Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

043824e731...cf.exe

windows7-x64

7

043824e731...cf.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/09/2024, 14:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    043824e73122c345e4081841e81d64ada72700e8f95549eb4b0ae0a07ee0d8cf.exe

  • Size

    164KB

  • MD5

    05d3c6e1c2726cfa659f044cc6c3f232

  • SHA1

    b82f957011ea799358735b7c4422188a03d0a09f

  • SHA256

    043824e73122c345e4081841e81d64ada72700e8f95549eb4b0ae0a07ee0d8cf

  • SHA512

    68cf693d6b60afe565b38a5b117d00e2bd4977a2b11226a737f202d000a75b56657360f21985dd087de4536df0330b65121d5417f3d7c409755ad38b2df3b2a7

  • SSDEEP

    3072:xHe+aX38yas99djmMGWBgh1002J8emEu3T7TO+9Z9sTOVrZzxVxU:c+aX38KYWBW1Wu3rOOuOVr8

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3472
      • C:\Users\Admin\AppData\Local\Temp\043824e73122c345e4081841e81d64ada72700e8f95549eb4b0ae0a07ee0d8cf.exe
        "C:\Users\Admin\AppData\Local\Temp\043824e73122c345e4081841e81d64ada72700e8f95549eb4b0ae0a07ee0d8cf.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2964
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4700
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3556
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA103.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1860
          • C:\Users\Admin\AppData\Local\Temp\043824e73122c345e4081841e81d64ada72700e8f95549eb4b0ae0a07ee0d8cf.exe
            "C:\Users\Admin\AppData\Local\Temp\043824e73122c345e4081841e81d64ada72700e8f95549eb4b0ae0a07ee0d8cf.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1940
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4732
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2920
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:4992
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2780
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:4472

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
      Filesize

      250KB

      MD5

      e02a26d5c40ba99e0dd41bf5283f0a89

      SHA1

      974aed12b49db8fd18494a80d2de9a73dd98e594

      SHA256

      2f8f7e0cb11eac3e0ed40c10d931d225e43e8a7b47d2043c1126709b809f1f05

      SHA512

      68566c219e68a07608a7ce9d2cd1124ecc82fe5272087637c61393e51c9afb60d939f84c0c2b03bab6ac239fcdbcfb93fa1b0ff80c2e6531cfbf55452b3bb49f

      Download Submit

    • C:\Program Files\7-Zip\7z.exe
      Filesize

      577KB

      MD5

      3a84e2e2d803729ca1b5d7dae236609b

      SHA1

      b9024563b4c92548ae0375e8bdffb303a72403c8

      SHA256

      24d15e4819b257074e2d5afa799b1bbc12489d0bce68328ce16870068466b65c

      SHA512

      b062be5d60825a0f6c92f4862b06e46e7c232fe2f8fdf80324cc9183d21da63922968626bd12d553f78214af8f717be9824655944637c7156a90e7e4e13a8581

      Download Submit

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
      Filesize

      643KB

      MD5

      c0057db68dfd75cccab3b14a084dd427

      SHA1

      75f6f857332903754df4c73bb1a22201a0f5fa94

      SHA256

      a248fabffb80434c968c6878a53560b86c15015b2a567ecc26d7405786b665ab

      SHA512

      369739ca80ba57d97a3c3a15fc1b5b30d1b111a8450510c8dd32e7768a68426e10bcece74754b3826a437cd05b6eb70ad882a092aafb85f72b9072779d485854

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$aA103.bat
      Filesize

      722B

      MD5

      f4347ed9f03f570e52f860c51caf4c53

      SHA1

      5b80550a2ccb01df600ef08f2fad12a97b813a2a

      SHA256

      7d2e7a6fed869417bbb5c36df6cbf5b4e76ac56a5e520cd935d11deae012d601

      SHA512

      ee0bdc638dc95533eb02676e4902d5d2351848798b68cbb35845a085d3b4b4c236eb491e8bf28aeb37e2e051a6b3da5e73de28d739fc8e0de772bcfa20218551

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\043824e73122c345e4081841e81d64ada72700e8f95549eb4b0ae0a07ee0d8cf.exe.exe
      Filesize

      131KB

      MD5

      16438a96a8adb85472ca72da04701b29

      SHA1

      b1f5ee8bc083804de4de820255107f6541c84735

      SHA256

      9291cd97d2f1b119438f16e97ea75119f19fd959ec5414e84b337530d692e289

      SHA512

      58f659a29cb34245a261b7666b1cda4b76f2df1039f3713dda6ff5a97c33b4cc273b110d10b4131a6a5c13897efcfa9a5ef3031e0e5fb14db1adc0ac1ef25dcd

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      33KB

      MD5

      fac489180a927456fde29aa70b6c863c

      SHA1

      b7638615678d7137f7c9a8ab01952fd6266730d0

      SHA256

      e888702980111bdea63056293f56946432701aac652c474a5f8614a137e021d7

      SHA512

      cbe953def68f48b32003143d8980b0443c46373395d31ceab62192cb0d2a97d45428e950f54f03b507b9e39b12770c9701e2b5de6e1fda1ce763a9aede7e6682

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-786284298-625481688-3210388970-1000\_desktop.ini
      Filesize

      9B

      MD5

      5412111268dd2c1fb1cf8697bfab9b6c

      SHA1

      16d0b289e83c74cb50a004edd7c5750ac706f321

      SHA256

      f3aa35be7048ddbf11fc581e5f9476745d75bcf097e121ba2915614e360a0cdc

      SHA512

      13fc5bf11faaf5471fde8a1bafdcc6d27521bad796e5e532c94d9c8232dd70088e70b6d5ac60c4c15d13e59926ac38e9a9e01b4dd4694a77d70bdd1ae7005ccf

      Download Submit

    • memory/2964-11-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2964-0-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4732-18-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4732-2734-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4732-8-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4732-8763-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download