Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

8219fe1947...a0.exe

windows7-x64

7

8219fe1947...a0.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/10/2024, 16:20 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8219fe19473af014d21ea1f74c22c90da1ec37401fda06860e16472c9f28c3a0.exe

  • Size

    1.1MB

  • MD5

    4c7576c47be1159e7d67d42228a2ed42

  • SHA1

    3f5d4c47e975bcddfbb3cfe78eca9f9418741902

  • SHA256

    8219fe19473af014d21ea1f74c22c90da1ec37401fda06860e16472c9f28c3a0

  • SHA512

    3edbe2e46e781eb2e0161af40d8e0ae4f4ca4eb25677f01358d002417686856186d9b602ac69b1cfb95c600d10807ecd5c73f884bf2da7301cecac1ec4cf294a

  • SSDEEP

    24576:t1sXT9T+w6zY8v5a2FZ7WDpk2Kvfd5nP6Wp8zrMBThYBjv:sZ6zY8/7WDaDvfd5iQ8zoBThojv

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3380
      • C:\Users\Admin\AppData\Local\Temp\8219fe19473af014d21ea1f74c22c90da1ec37401fda06860e16472c9f28c3a0.exe
        "C:\Users\Admin\AppData\Local\Temp\8219fe19473af014d21ea1f74c22c90da1ec37401fda06860e16472c9f28c3a0.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2808
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4572
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3940
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8B58.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3860
          • C:\Users\Admin\AppData\Local\Temp\8219fe19473af014d21ea1f74c22c90da1ec37401fda06860e16472c9f28c3a0.exe
            "C:\Users\Admin\AppData\Local\Temp\8219fe19473af014d21ea1f74c22c90da1ec37401fda06860e16472c9f28c3a0.exe"
            4⤵
            • Executes dropped EXE
            PID:1780
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3972
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2844
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:4996
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1512
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1316

    Network

    • flag-us
      DNS
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
      Response
      g.bing.com
      IN CNAME
      g-bing-com.ax-0001.ax-msedge.net
      g-bing-com.ax-0001.ax-msedge.net
      IN CNAME
      ax-0001.ax-msedge.net
      ax-0001.ax-msedge.net
      IN A
      150.171.27.10
      ax-0001.ax-msedge.net
      IN A
      150.171.28.10
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=233364feb8f346478b81866482ef72ad&localId=w:02C7DD5D-B832-2571-1EDF-9D74CD57B9AA&deviceId=6896208602436814&anid=
      Remote address:
      150.171.27.10:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=233364feb8f346478b81866482ef72ad&localId=w:02C7DD5D-B832-2571-1EDF-9D74CD57B9AA&deviceId=6896208602436814&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=0AA1A6A9E0C86E950487B3BFE10A6F5D; domain=.bing.com; expires=Thu, 06-Nov-2025 16:20:05 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 8B1E035DACF54D2096E73C457998C7A3 Ref B: LON601060105036 Ref C: 2024-10-12T16:20:05Z
      date: Sat, 12 Oct 2024 16:20:05 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=233364feb8f346478b81866482ef72ad&localId=w:02C7DD5D-B832-2571-1EDF-9D74CD57B9AA&deviceId=6896208602436814&anid=
      Remote address:
      150.171.27.10:443
      Request
      GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=233364feb8f346478b81866482ef72ad&localId=w:02C7DD5D-B832-2571-1EDF-9D74CD57B9AA&deviceId=6896208602436814&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=0AA1A6A9E0C86E950487B3BFE10A6F5D
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=Qw1WjAymc6J1ugCFDgsyCpcwCJSj1ZEC-qVvHp-m1KU; domain=.bing.com; expires=Thu, 06-Nov-2025 16:20:05 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 417CF25813E64FE885FCF11AD9BD02AD Ref B: LON601060105036 Ref C: 2024-10-12T16:20:05Z
      date: Sat, 12 Oct 2024 16:20:05 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=233364feb8f346478b81866482ef72ad&localId=w:02C7DD5D-B832-2571-1EDF-9D74CD57B9AA&deviceId=6896208602436814&anid=
      Remote address:
      150.171.27.10:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=233364feb8f346478b81866482ef72ad&localId=w:02C7DD5D-B832-2571-1EDF-9D74CD57B9AA&deviceId=6896208602436814&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=0AA1A6A9E0C86E950487B3BFE10A6F5D; MSPTC=Qw1WjAymc6J1ugCFDgsyCpcwCJSj1ZEC-qVvHp-m1KU
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 559521AC98504F228B531CEA164DC5D8 Ref B: LON601060105036 Ref C: 2024-10-12T16:20:05Z
      date: Sat, 12 Oct 2024 16:20:05 GMT
    • flag-us
      DNS
      55.36.223.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      55.36.223.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      69.31.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      69.31.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      53.210.109.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      53.210.109.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      83.210.23.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      83.210.23.2.in-addr.arpa
      IN PTR
      Response
      83.210.23.2.in-addr.arpa
      IN PTR
      a2-23-210-83deploystaticakamaitechnologiescom
    • flag-us
      DNS
      198.187.3.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      198.187.3.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.214.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.214.232.199.in-addr.arpa
      IN PTR
      Response
    • 150.171.27.10:443
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=233364feb8f346478b81866482ef72ad&localId=w:02C7DD5D-B832-2571-1EDF-9D74CD57B9AA&deviceId=6896208602436814&anid=
      tls, http2
      2.0kB
       9.4kB
       22
      19

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=233364feb8f346478b81866482ef72ad&localId=w:02C7DD5D-B832-2571-1EDF-9D74CD57B9AA&deviceId=6896208602436814&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=233364feb8f346478b81866482ef72ad&localId=w:02C7DD5D-B832-2571-1EDF-9D74CD57B9AA&deviceId=6896208602436814&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=233364feb8f346478b81866482ef72ad&localId=w:02C7DD5D-B832-2571-1EDF-9D74CD57B9AA&deviceId=6896208602436814&anid=

      HTTP Response

      204
    • 8.8.8.8:53
      g.bing.com
      dns
      56 B
       148 B
       1
      1

      DNS Request

      g.bing.com

      DNS Response

      150.171.27.10
      150.171.28.10

    • 8.8.8.8:53
      55.36.223.20.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      55.36.223.20.in-addr.arpa

    • 8.8.8.8:53
      69.31.126.40.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      69.31.126.40.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
       144 B
       1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      53.210.109.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      53.210.109.20.in-addr.arpa

    • 8.8.8.8:53
      83.210.23.2.in-addr.arpa
      dns
      70 B
       133 B
       1
      1

      DNS Request

      83.210.23.2.in-addr.arpa

    • 8.8.8.8:53
      198.187.3.20.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      198.187.3.20.in-addr.arpa

    • 8.8.8.8:53
      172.214.232.199.in-addr.arpa
      dns
      74 B
       128 B
       1
      1

      DNS Request

      172.214.232.199.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
      Filesize

      251KB

      MD5

      c9bce56e6c73940b71a024d031d67e29

      SHA1

      c03ffbbc7e3837bc5cbabd2eacccecfff624607c

      SHA256

      c5743ab362bab4eb252577ea5c1fb1bf9dce9a6ec0db29ad2b29acd450c4c44b

      SHA512

      32e59e499a9d7a9c907e638a00f06e69f6ce00c87fec22d1cb0b2b40f5cc9668794cd7eac3fe590b4999f22dd6d927968cf0c21bff1c0af15eac381759a4ca27

      Download Submit

    • C:\Program Files\7-Zip\7z.exe
      Filesize

      577KB

      MD5

      63dbbfc836380251ebca4f61580f1814

      SHA1

      6c16254aaeb7f1a86097f6c9220d092730bfe36e

      SHA256

      0cbdf5963d6e01bee0f4db2543b2295b97fc3e8ddf3fda5b38974e56a805fba5

      SHA512

      37033d1c0557af1f07399b4043f7cfd62e27cc5060c91b3179a96fb0c8401de57e566e77c3634d9c18cc41c19131476d359a5adbdb16f1891c6572f96fbb3d24

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$a8B58.bat
      Filesize

      722B

      MD5

      21c72f247a4c26b3e4c598d786a1dfe0

      SHA1

      9fc5b213316fd3888f89693fdd738b3d4479e107

      SHA256

      dcc203e569fa161c5039b26fabb6dbd431e862ee3910dc813b2e9b73d9aedc62

      SHA512

      5e26efc1c0d833f6d944994921147a4db239c7a933995fa2b5f6440324671b9b1796b423419ef764fbd2095d14d8200eff2216731238dcbd289ab22f59a273bc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\8219fe19473af014d21ea1f74c22c90da1ec37401fda06860e16472c9f28c3a0.exe.exe
      Filesize

      1.1MB

      MD5

      f012ebe3b9f0c4d18b43076b68295667

      SHA1

      27ce582d305bf5ec574fd7edf39e1300783e9323

      SHA256

      bdff5163ff3787a7a8b6bb3f688e877c5fa10db2ad535bb9765c91e976fbcafe

      SHA512

      06ce3eceb42ca555511f55e85fe79441a4a8c70ad32c36a045560cb8449e44f08bcd9e938e9a11a0360c7363ba2fff4dd92b1a300e21e214a6d273009d8c2463

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      33KB

      MD5

      c4440056e06065be031cfa6acd94c763

      SHA1

      6c1f366e99fb096685fe30bab2f51d0a41dc7188

      SHA256

      878628fbd3611ca93730e8df7e81fa34165480a71e875cbfc192fb83f97e386e

      SHA512

      e8301dc938a9bc3b2205951171ca38d7c441e425d4d8e1e97ad82fb2b2f519ad4b9774d58b482183a50b769a7a16ec951ea828755c7433b454016b0fae2c86d4

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-2045521122-590294423-3465680274-1000\_desktop.ini
      Filesize

      10B

      MD5

      291aa08828faa68893c7f89a0dfc158b

      SHA1

      fcae3d190f0d8c14b44dc2be0b627b0680d2eab9

      SHA256

      f9e79f635e09441b5a073e6263a1d1de881c2105d7637650b5ec2d20f6a7c841

      SHA512

      9c80a5e3e37731eb0eba85b496e512dbfe08c77c207bcb41ad429d289e3d348e8e7b83ef00052c445581df37aa60729a4f0c2dd3ed0ed2e5d05a8758a23f1f38

      Download Submit

    • memory/2808-0-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/2808-11-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/3972-8-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/3972-21-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/3972-2565-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/3972-8827-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.