Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

d9ce215eff...a4.exe

windows7-x64

8

d9ce215eff...a4.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/09/2024, 21:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d9ce215eff48861da70609b781b77dc6a2cd61fb38c176b6ca01b26e58e669a4.exe

  • Size

    165KB

  • MD5

    4bd7e9a9292bb9fcfce9a68156a3793e

  • SHA1

    f2daf7685882882e82b2abc796b24abfb073419f

  • SHA256

    d9ce215eff48861da70609b781b77dc6a2cd61fb38c176b6ca01b26e58e669a4

  • SHA512

    b4ac2dab2bcfb8af62da70b26e02ec3da64b43a7b03fe57acf1af69c46b9b5d9b7fa54e740d728f356cc2d7004d2cc2f28beaa21a27fb462f9ba47d0019d6634

  • SSDEEP

    3072:DhaY46tGNttyJxkaAT99djmMGWBgh1002J8emEu3T7TO+9Z9sTOVrZzxVxU:H46tGdyJTaYWBW1Wu3rOOuOVr8

Score
8/10
discoveryspywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3448
      • C:\Users\Admin\AppData\Local\Temp\d9ce215eff48861da70609b781b77dc6a2cd61fb38c176b6ca01b26e58e669a4.exe
        "C:\Users\Admin\AppData\Local\Temp\d9ce215eff48861da70609b781b77dc6a2cd61fb38c176b6ca01b26e58e669a4.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1524
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1676
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1576
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9FAB.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1572
          • C:\Users\Admin\AppData\Local\Temp\d9ce215eff48861da70609b781b77dc6a2cd61fb38c176b6ca01b26e58e669a4.exe
            "C:\Users\Admin\AppData\Local\Temp\d9ce215eff48861da70609b781b77dc6a2cd61fb38c176b6ca01b26e58e669a4.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4008
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops file in Drivers directory
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:336
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2864
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3700
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2016
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3532

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\7-Zip\7z.exe
      Filesize

      577KB

      MD5

      e6063b8eee61602678635bf89f3991dd

      SHA1

      d004b96ffd06cf5bfcf48e77c48e9b1a0714bce0

      SHA256

      e5e4572ea60d3059f000069befc82ff7b332a7daf6685203e43857a1facc460c

      SHA512

      57af03af043eba976e6a654914647125ba9e4f7cbd13ceb4c15f3963e514e15c210aff33330435413a84e69f17441a18d0bd93d2c062d353ab9e688aadd93ab4

      Download Submit

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
      Filesize

      644KB

      MD5

      8eb75733643250ef5aee162b5005f5d9

      SHA1

      b0d66379e578b4f2537459776ff20b7578d9fa34

      SHA256

      455fe5ef3bb3fadb648b3d4354a64ac57ce11f6caab6bd5999a31e097eb77803

      SHA512

      898a6dd767897ad393272027193e571fde14879fc973305e65669d87d6e78967b51a1f1bdd03382424ddbf043cca83efd2e756413490c44c371ea7fa9c08866d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$a9FAB.bat
      Filesize

      722B

      MD5

      445d4cd5e28c0d077d6d86496f4faaf5

      SHA1

      a554f9fb9927f84c431c65025e4c78343dac678f

      SHA256

      7f42fa0084f8c6a28fffc31fcb9cdb4d1b876f2ff21806abd8e78c40fad02583

      SHA512

      2cfd8ed45a70528b879635771eea9824d73edcd193f078ffc9d5faa3986dd0f72d3afe07aa47558b79439ae1d95d95979d64a0ec79fa8cd4730835a228520d0b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\d9ce215eff48861da70609b781b77dc6a2cd61fb38c176b6ca01b26e58e669a4.exe.exe
      Filesize

      131KB

      MD5

      16438a96a8adb85472ca72da04701b29

      SHA1

      b1f5ee8bc083804de4de820255107f6541c84735

      SHA256

      9291cd97d2f1b119438f16e97ea75119f19fd959ec5414e84b337530d692e289

      SHA512

      58f659a29cb34245a261b7666b1cda4b76f2df1039f3713dda6ff5a97c33b4cc273b110d10b4131a6a5c13897efcfa9a5ef3031e0e5fb14db1adc0ac1ef25dcd

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      33KB

      MD5

      cf608dde7031d25fc21172ba98b22e83

      SHA1

      1823651a0c434495c170ece90ae5a0fd0a8aac45

      SHA256

      9d476708c503b8ce8352e5dd1f3df3dd1f6a47c30439c0c9c6bd3d2115523a55

      SHA512

      6293409e2aa00f9395c323e1056342f608bb65ed85bae3feb055aa683aad9aa2cdd72b29c6b13104ccadbc7c80a58eb901b47a7887d7472c8f1f55a2f9afda13

      Download Submit

    • C:\Windows\system32\drivers\etc\hosts
      Filesize

      842B

      MD5

      6f4adf207ef402d9ef40c6aa52ffd245

      SHA1

      4b05b495619c643f02e278dede8f5b1392555a57

      SHA256

      d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e

      SHA512

      a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-945322488-2060912225-3527527000-1000\_desktop.ini
      Filesize

      9B

      MD5

      f71c86c063e4029edecb6f54c2953ed9

      SHA1

      188a7fe431eab745a98832765c0f74c26a5ed0e0

      SHA256

      b2eaa6c5b246c3c615573a9a2346cc71e974fb760057d25b744b9c529eb11541

      SHA512

      581571fe2edeeb65c2708ca23abc6921022c4a234b1f675a2ea6d6a592df354ecb1e720c9d552a08fa7fd4dde3986e22dac9537a55fe3370331562504fe8df5b

      Download Submit

    • memory/336-20-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/336-10-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/336-2949-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/336-8851-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1524-12-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1524-0-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download