Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/09/2024, 15:07

General

  • Target

    7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe

  • Size

    66KB

  • MD5

    9d2b72abd8d0fade5bdca3c1109ce4c5

  • SHA1

    fcee37365cdc82a91ae115beaf503c8f3457aa5b

  • SHA256

    7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537

  • SHA512

    8d3b89fd3ef6a23bedd229d7daed68051644f530c02aceca3d5a8b0f89160d5f09554ab78ed3bde8e2f4356f994b1b78ec6d3e73113d27b5f502a34556e54628

  • SSDEEP

    1536:PuPoaYzMXqtGNttyUn01Q78a4RE/MF0Vz5gpEaDoc:PhaY46tGNttyJQ7KRE/W0VzBaDP

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3480
      • C:\Users\Admin\AppData\Local\Temp\7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe
        "C:\Users\Admin\AppData\Local\Temp\7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:404
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3684
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:5108
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9C21.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3204
          • C:\Users\Admin\AppData\Local\Temp\7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe
            "C:\Users\Admin\AppData\Local\Temp\7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe"
            4⤵
            • Executes dropped EXE
            PID:3540
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops file in Drivers directory
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2116
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:436
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2448
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2356
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1044

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

      Filesize

      251KB

      MD5

      90d69822206b8e980d10a29cea7d01de

      SHA1

      7984618563bf7b6f02f085dccc0703e46da11f24

      SHA256

      f8c8eae5776a28c081e2d60d82beba328347cddcacf1779f8de50ff7db2f90e1

      SHA512

      b2f06e660e23689db6185de8837bdf2ca733a51216413485f621e46ecf835d8f269a6a83e4ae3e91e7d8b3f569ddec3e0deeb1baf5cc4aaa05b80623eb3c686d

    • C:\Program Files\7-Zip\7z.exe

      Filesize

      577KB

      MD5

      34021089aa784bb71f1f7d2dc7425b9b

      SHA1

      7e7b4c719eee1a4d4e95aae349409ad178b193ee

      SHA256

      883aa1531ffe6e58b523772781f0c6fe8f4c3d346c32c9750a065a97a076dab7

      SHA512

      787b81683f15b28d50439c8f8b7c6493b43a0cd7e1e3056585b8613361262a64b04b66d42b68542d14883bfc411a3a2d212c2f114b077c3e0c90cc5bd5c968d2

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

      Filesize

      643KB

      MD5

      c812cad58e4a4cedd3373f5125ed73dc

      SHA1

      48cb77381e1c81f5f75e13ee39e35ced130fc784

      SHA256

      1c27223874f6c587ed068134e66e9a0588de3776370bf5f14bfdd246c860d9cf

      SHA512

      72af90d02def9f922ca8d4e621bea562718c8e530039eb22f44e8fc9089ccc4990e0a20b1f2d5761e46af0e579bbd5a666c9176d07b096c751b754a476e6626f

    • C:\Users\Admin\AppData\Local\Temp\$$a9C21.bat

      Filesize

      722B

      MD5

      936ee9c068712ee1b0b745caa8f09428

      SHA1

      2bab9421e852a9288fead5a6e79bca0122a817d8

      SHA256

      745790dcac7655b98553366f47b2666392019f8a1fa6ac8366a064e6c6091ec4

      SHA512

      fae909c2e5d3bc309aa439055844c7e7d80d14be0726cdc23e43887db463baeb366b2a1c08893956ab89caed3e3b27ee82fd1216a58c9068abb2cf79a36133d8

    • C:\Users\Admin\AppData\Local\Temp\7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe.exe

      Filesize

      33KB

      MD5

      cfcf15f5729649399cfb9b2590c9e80a

      SHA1

      f595a3f2812a29492326e5a0478f3924bcbae545

      SHA256

      b6fde5431374f5cc8a2b6b6953d7c466ce8828faf68c43661a2c0cf87481868f

      SHA512

      bbd925abf352af8962ab5e7d4b76bc4146e806cb0f8fde8a7cc2c13318450b46dd5529f6855065241de56efd72e33f4f9961ef5aa4ba8fd3c1ca312444ac8e19

    • C:\Windows\Logo1_.exe

      Filesize

      33KB

      MD5

      4674ed865526038d8119445bb553f2b3

      SHA1

      97748b9e405e0f585e3d53fea53017d42994f311

      SHA256

      bc3afb605b77075a2bc94b73ffa22e4402fc9e3362806ad293c4198ea81fd51f

      SHA512

      e1b2a929cf3b7f66934c1df530c49345da935c51e56a66f271397a971639eb2ea37eda451bffc90bc788865c9fa22359530508d0245efe6045aa182ecb5b7e2d

    • C:\Windows\system32\drivers\etc\hosts

      Filesize

      842B

      MD5

      6f4adf207ef402d9ef40c6aa52ffd245

      SHA1

      4b05b495619c643f02e278dede8f5b1392555a57

      SHA256

      d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e

      SHA512

      a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

    • F:\$RECYCLE.BIN\S-1-5-21-656926755-4116854191-210765258-1000\_desktop.ini

      Filesize

      9B

      MD5

      5412111268dd2c1fb1cf8697bfab9b6c

      SHA1

      16d0b289e83c74cb50a004edd7c5750ac706f321

      SHA256

      f3aa35be7048ddbf11fc581e5f9476745d75bcf097e121ba2915614e360a0cdc

      SHA512

      13fc5bf11faaf5471fde8a1bafdcc6d27521bad796e5e532c94d9c8232dd70088e70b6d5ac60c4c15d13e59926ac38e9a9e01b4dd4694a77d70bdd1ae7005ccf

    • memory/404-12-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/404-0-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2116-20-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2116-9-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2116-3312-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2116-8859-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB