Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

7c9f3c7f0a...37.exe

windows7-x64

8

7c9f3c7f0a...37.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21/09/2024, 15:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe

  • Size

    66KB

  • MD5

    9d2b72abd8d0fade5bdca3c1109ce4c5

  • SHA1

    fcee37365cdc82a91ae115beaf503c8f3457aa5b

  • SHA256

    7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537

  • SHA512

    8d3b89fd3ef6a23bedd229d7daed68051644f530c02aceca3d5a8b0f89160d5f09554ab78ed3bde8e2f4356f994b1b78ec6d3e73113d27b5f502a34556e54628

  • SSDEEP

    1536:PuPoaYzMXqtGNttyUn01Q78a4RE/MF0Vz5gpEaDoc:PhaY46tGNttyJQ7KRE/W0VzBaDP

Score
8/10
discoveryspywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1080
      • C:\Users\Admin\AppData\Local\Temp\7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe
        "C:\Users\Admin\AppData\Local\Temp\7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2316
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2708
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3036
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a4BEE.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2720
          • C:\Users\Admin\AppData\Local\Temp\7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe
            "C:\Users\Admin\AppData\Local\Temp\7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe"
            4⤵
            • Executes dropped EXE
            PID:2512
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2676
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2700
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2496
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2456
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2500

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
      Filesize

      258KB

      MD5

      8e672d546093aa7f7efbaedd6b57c5b0

      SHA1

      765a3f6cad7ce3d3f501258bd3ca14520e2a01b5

      SHA256

      5d4a1a1a33f954dcc3ae18077cbb2ba57357d6d5aed146a5a30e578192743e63

      SHA512

      df8be0e189eb3611eea801676d3878a4d160627ce86a200eaaf17bcf95a867a18640b714df324daa11f0822da077bfd090e9bf81c1c369ce65e938227badf50c

      Download Submit

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
      Filesize

      478KB

      MD5

      6a69ce6928676e96da75ff133c378a5d

      SHA1

      d7906fa148c1bc6b22a81231c83bf02c30efdfe9

      SHA256

      7213ffb4ea5f57902d832479d1eac60337c17ddf99cd09b5cd35231c09ea8012

      SHA512

      5a0c78abce8fd1a5153dccd611fc75e5d5da865b277764e3a3e46ac9c91cd985a789e929dd78958e4d255aaa1221a0776a794e0be1c3983b8638c9d1a0a3479f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$a4BEE.bat
      Filesize

      722B

      MD5

      ac935e777a686c3156ab0ad522791bf0

      SHA1

      24b941efb52d6ed3ff477e020f0cafcbf092514a

      SHA256

      d1c01eb9cbf31832c07be565f870a6c7e2230756e068d71a3380f8432242f408

      SHA512

      76586e5cbbdf81a8d4711b3d4036e169136eda92076bb199f4d9338e0d72ecc95402b5f825aba613b2f7ee90dfcde3738734df1d64110e4d4f95ed60ca503b67

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe.exe
      Filesize

      33KB

      MD5

      cfcf15f5729649399cfb9b2590c9e80a

      SHA1

      f595a3f2812a29492326e5a0478f3924bcbae545

      SHA256

      b6fde5431374f5cc8a2b6b6953d7c466ce8828faf68c43661a2c0cf87481868f

      SHA512

      bbd925abf352af8962ab5e7d4b76bc4146e806cb0f8fde8a7cc2c13318450b46dd5529f6855065241de56efd72e33f4f9961ef5aa4ba8fd3c1ca312444ac8e19

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      33KB

      MD5

      4674ed865526038d8119445bb553f2b3

      SHA1

      97748b9e405e0f585e3d53fea53017d42994f311

      SHA256

      bc3afb605b77075a2bc94b73ffa22e4402fc9e3362806ad293c4198ea81fd51f

      SHA512

      e1b2a929cf3b7f66934c1df530c49345da935c51e56a66f271397a971639eb2ea37eda451bffc90bc788865c9fa22359530508d0245efe6045aa182ecb5b7e2d

      Download Submit

    • C:\Windows\system32\drivers\etc\hosts
      Filesize

      832B

      MD5

      7e3a0edd0c6cd8316f4b6c159d5167a1

      SHA1

      753428b4736ffb2c9e3eb50f89255b212768c55a

      SHA256

      1965854dfa54c72529c88c7d9f41fa31b4140cad04cf03d3f0f2e7601fcbdc6c

      SHA512

      9c68f7f72dfa109fcfba6472a1cced85bc6c2a5481232c6d1d039c88b2f65fb86070aeb26ac23e420c6255daca02ea6e698892f7670298d2c4f741b9e9415c7f

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-4177215427-74451935-3209572229-1000\_desktop.ini
      Filesize

      9B

      MD5

      5412111268dd2c1fb1cf8697bfab9b6c

      SHA1

      16d0b289e83c74cb50a004edd7c5750ac706f321

      SHA256

      f3aa35be7048ddbf11fc581e5f9476745d75bcf097e121ba2915614e360a0cdc

      SHA512

      13fc5bf11faaf5471fde8a1bafdcc6d27521bad796e5e532c94d9c8232dd70088e70b6d5ac60c4c15d13e59926ac38e9a9e01b4dd4694a77d70bdd1ae7005ccf

      Download Submit

    • memory/1080-30-0x0000000002570000-0x0000000002571000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2316-0-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2316-18-0x00000000001C0000-0x00000000001FE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2316-20-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2316-16-0x00000000001C0000-0x00000000001FE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2676-34-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2676-2963-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2676-4146-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download