Analysis

  • max time kernel: 149s
  • max time network: 148s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 25/09/2024, 17:51

General

  • Target: a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
  • Size: 66KB
  • MD5: 9a769a66705076525660d751ac973f10
  • SHA1: 84c2e6fcc5e44a94a3c70e72d3c58476ef8fe344
  • SHA256: a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1
  • SHA512: e105b5ecb8864e34c573a2696c2a3653c84e2225430e4bcbdc92da6106c1550171dc782097c45c07784526015970a937d8591cd2fd78db735aab6e8177ae0a9d
  • SSDEEP: 1536:JEaYzMXqtGN/CstC9qVFuiS4qz0XSW3iDhy3:JEaY46tGNFC0VFPS4qz3DhO

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3532
      • C:\Users\Admin\AppData\Local\Temp\a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
        "C:\Users\Admin\AppData\Local\Temp\a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2600
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2980
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3512
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a705D.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2292
          • C:\Users\Admin\AppData\Local\Temp\a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
            "C:\Users\Admin\AppData\Local\Temp\a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe"
            4⤵
            • Executes dropped EXE
            PID:4980
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops file in Drivers directory
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4192
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:692
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3304
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2060
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:4800

Downloads

  • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
    Filesize: 251KB
    MD5: 5ca9e8b7545a05fc5e64d531cd019824
    SHA1: 5de7b8bdc13ca961c18bc121ae38285ac27ca982
    SHA256: 75383cef3c9a81f719e5a9c048f339681e8664eb1aa01379f5753b13c83eb173
    SHA512: 957dd4239ff5a46df373aafe728ef16c5a345a91545b6435328c67d470cb1ea163b4d88e4faa4377c6bf6453452287fa8097efcec3bf9fd209fd4dca44871319

  • C:\Program Files\7-Zip\7z.exe
    Filesize: 577KB
    MD5: c2fe4f6b862991214548a6e7d9148737
    SHA1: 072bd4a0b34741a2a182cdb8d81d134b09d44ceb
    SHA256: 24bc895a6b6b00adc5f63d4947e421e12bec3072aa51ccc9a534b16c4bda65d2
    SHA512: 24c69c5fef51897883d0da0da56577b76ca55f48b6df4b9ca12ef2b3a5636d72a6251366f8bc52215e9e993bdbf3bd6c1ca90cf90d91bb3ab748a6d5038dd9a2

  • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
    Filesize: 644KB
    MD5: b683d08031e54ea6942378775fcacdf7
    SHA1: a2e7e8911ab44ce6e768058d02e2d68a8b093c7d
    SHA256: 7d2c375e7c1e52dfb0254cab9fb3816c5a1ba987b44910dcbbc5f0b3b8294070
    SHA512: 68d53577071249f8e4a5a70713c9b82a295bde488e00cb5c5287ed7c78a5195829eb65c83ddee6f64f6da085d3c0b0723249464044f20088b76aa631dff72599

  • C:\Users\Admin\AppData\Local\Temp\$$a705D.bat
    Filesize: 722B
    MD5: 9b9c8b5988b038a343900019464bbcae
    SHA1: 0a71a2bd6d42eb4e75087f994f47332d325535ad
    SHA256: 25b42f6206300bed2eb351beafadc3628f97b4a93d9bb04765742e4ac5566d75
    SHA512: d98490f9148a6249a5c7abc93190aee5d780eca9de063031d5abf12625fa12774c09ec204126c64d05eebd7cc6237b8ded6b2cd43a42dc33bd37efa2d976e32b

  • C:\Users\Admin\AppData\Local\Temp\a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe.exe
    Filesize: 33KB
    MD5: e23f654ce94c5fea4bc1d10bac9e1705
    SHA1: 8bf96eb96181339a2c0f261768045546503d7545
    SHA256: 74d75e8cd9f52cd9b294bd8203d21c83009824890811174af2601795a2bffe6c
    SHA512: c9021cec17d19bfea97d6c038747f6c0a387934d3700e058b4ffad41f9d4805771c52739c5f9efdf69db099a52fc48040e7fed692acbea0398b3ffe843f9fce6

  • C:\Windows\Logo1_.exe
    Filesize: 33KB
    MD5: 59da86273cbde98e3fb6274e3181834b
    SHA1: 24b2e7d415d7f4e40ec6420f0e88cb401165b64a
    SHA256: 853e0659e3f3c5fd81de6edcebb97b388b0006f7c78b514cd2aa93aa1d97f724
    SHA512: 3534114ac7de80b2f6c5794109a7f89386b86df095799844353530384f113e63bffa6a85f445f5c1a825d45740631b95c80a0612d8a2a1964469207df6615f41

  • C:\Windows\system32\drivers\etc\hosts
    Filesize: 842B
    MD5: 6f4adf207ef402d9ef40c6aa52ffd245
    SHA1: 4b05b495619c643f02e278dede8f5b1392555a57
    SHA256: d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e
    SHA512: a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

  • F:\$RECYCLE.BIN\S-1-5-21-1194130065-3471212556-1656947724-1000\_desktop.ini
    Filesize: 9B
    MD5: e02899454c67c7d6d1af854fdcb53b67
    SHA1: 26fb213f7c299c2a4d8c4afd234ee0b751d7a30e
    SHA256: 0e67e90646d3ba7b46f935b205c9f89e8bff2dca7aeda3cd5dfb93868b262315
    SHA512: e1519bebf62ab4cb28e630a201312812e04f815ec0663f7b68b478da97c0bf7c7c2238a8632540d3d1f37acbe83919fb198b39ebeb222c19faa2130ab65ffffa

  • memory/2600-0-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize: 248KB

  • memory/2600-9-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize: 248KB

  • memory/4192-20-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize: 248KB

  • memory/4192-11-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize: 248KB

  • memory/4192-3124-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize: 248KB

  • memory/4192-8811-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize: 248KB