Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

b868350db1...c7.exe

windows7-x64

7

b868350db1...c7.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    21/09/2024, 14:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b868350db1f4552e806d90e1bc792e991b66fee10cb935920217bbc631f156c7.exe

  • Size

    66KB

  • MD5

    13111473d779d572f5db2e8b0a541e42

  • SHA1

    df3a9bdb9d0f2c62d0e1231f18add3eb74476cd1

  • SHA256

    b868350db1f4552e806d90e1bc792e991b66fee10cb935920217bbc631f156c7

  • SHA512

    7cae12e5983b37241e895ba9d58709bdeda77fc2253751145157423d3068abef17a059d5c057f39d1c306a96426e99bc7d14e598bb891ccd7befcbfaad332a0a

  • SSDEEP

    768:2UmNHp+Vxr1x5cE9Fl5pz8w1rU9hFInlIUC4OMMwP3Sy6EGyI4t6a9AkHNXLrM:2fpsrz8GvnGUC4ayFGyHNXk

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1212
      • C:\Users\Admin\AppData\Local\Temp\b868350db1f4552e806d90e1bc792e991b66fee10cb935920217bbc631f156c7.exe
        "C:\Users\Admin\AppData\Local\Temp\b868350db1f4552e806d90e1bc792e991b66fee10cb935920217bbc631f156c7.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3016
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1916
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2404
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a8A17.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2940
          • C:\Users\Admin\AppData\Local\Temp\b868350db1f4552e806d90e1bc792e991b66fee10cb935920217bbc631f156c7.exe
            "C:\Users\Admin\AppData\Local\Temp\b868350db1f4552e806d90e1bc792e991b66fee10cb935920217bbc631f156c7.exe"
            4⤵
            • Executes dropped EXE
            PID:2764
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2704
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2896
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2992
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2728
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2828

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
      Filesize

      478KB

      MD5

      8ef1a94c2988444c9d5d6c36a63765d3

      SHA1

      d566ce1693e16fd605afcf2c5ea87af57af56197

      SHA256

      ab3dfdf37c3eaae2dbeb15b4e6be3659187e8e3613450664160702c787cf1623

      SHA512

      991fc8c061d831e96f6e061ec85f6d5c2aa7e7380a949bd04193ef6b0f8d495a462bf6b9bcafbd2893eefa0195bf4a191a923c36f4845e6f44a86be1e1ded45e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$a8A17.bat
      Filesize

      722B

      MD5

      89362e5bd81a704256abb78fe340ab80

      SHA1

      f82bea9103ce0b1ea95fbb7ecfd6d23ba5f89211

      SHA256

      f400e1e545ccab8faed81a50e2b6de0c61f34aeef64664a5f219ef39066751f6

      SHA512

      7bba62fd5437f34bb8e00750eb91f8ffe3243a713d531928fc672542f3921a531503170549f2ae31e8d65cfcdceb5bdcc3bb3b8805a8d47bc8e3716f1a680717

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\b868350db1f4552e806d90e1bc792e991b66fee10cb935920217bbc631f156c7.exe.exe
      Filesize

      33KB

      MD5

      bdbce90ce74990df3b2c7c8484dde146

      SHA1

      ae6aadaf5467b97779d4c1a81b5cd3dfb9d8ecb4

      SHA256

      f4a3c012f2859ead10af1298d9b20fbd8ca2257f73d530a2b0c25937cb16f6eb

      SHA512

      78e2f31759ce490f38e898ef17a700dd0898cc32b526325e8d7230b4ff119c39124cd2abf30038f70318931cc995abee523b334a29812bf875302dc126c9f958

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      33KB

      MD5

      3253bf7588138d1e39d3105c7b5dc8b9

      SHA1

      b26c43ff51ce241d473aa3efa30cd3b3bc68e43a

      SHA256

      63554e061f95eb7f63c9d50e7c14fc88c1cbf4db277efaefe1bea2388f9ed5e0

      SHA512

      cd45a96ada3daa5d2386ef9d5ded03a7e1e6f5c800bf01d02c1289c2e5234b8ed2b430ad0438837b32da22a753d07b0d1ee918dca8567a8c6c3619a8050c3bd5

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-3551809350-4263495960-1443967649-1000\_desktop.ini
      Filesize

      9B

      MD5

      5412111268dd2c1fb1cf8697bfab9b6c

      SHA1

      16d0b289e83c74cb50a004edd7c5750ac706f321

      SHA256

      f3aa35be7048ddbf11fc581e5f9476745d75bcf097e121ba2915614e360a0cdc

      SHA512

      13fc5bf11faaf5471fde8a1bafdcc6d27521bad796e5e532c94d9c8232dd70088e70b6d5ac60c4c15d13e59926ac38e9a9e01b4dd4694a77d70bdd1ae7005ccf

      Download Submit

    • memory/1212-27-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2704-31-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2704-2961-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2704-4114-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/3016-0-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/3016-18-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/3016-17-0x0000000000230000-0x0000000000270000-memory.dmp

      Filesize

      256KB

      Download