Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240903-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    13/10/2024, 09:17

General

  • Target

    9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe

  • Size

    1.3MB

  • MD5

    1bbf95a7df851e922b359f8b27b12a48

  • SHA1

    8b1fd38c50ccadb7af35b6d00dd5ab47285808d7

  • SHA256

    9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14

  • SHA512

    6f0700adcf29422f56fb895e2b4bef25b3b00883db242af0e7e245425462e08c008b1fa79be4531534f6041b3266655f02ed35553305f4683fa3db8cf24a359f

  • SSDEEP

    24576:e3NYUR5kbjnCciOinOjLldsBjt8t2R8jpfZIg4mw6Ns/pZmBZOlnLyAuvTkM0XMA:edYGILDcO/fsBmLjRw6qpZmBZWyLaXMA

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 16 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and other profile data.

  • System Binary Proxy Execution: Rundll32 1 TTPs 1 IoCs

    Abuse Rundll32 to proxy execution of malicious code.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies registry class 64 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 55 IoCs
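
The signatures above are Triage's own labels. To turn them into something you can run against your own telemetry, here is an added example (not from the report or from the sandbox vendor) that expresses four of them as rules over process-creation events: net.exe/net1.exe stopping a security service, rundll32 loading advpack.dll,LaunchINFSection, cmd.exe running a batch file from %TEMP% on behalf of a parent that also runs from %TEMP% (the self-deletion hand-off), and an executable started directly from C:\Windows\. The event records are constructed to mirror the process tree in the Processes section; the rule names, the ProcEvent shape and the allowlist of stock C:\Windows root binaries are assumptions, not anything the report states.

```python
"""Rules for four of the behaviours flagged above, evaluated over process-creation
events.  Added example, not part of the Triage report; SAMPLE_EVENTS is constructed."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 or an EDR equivalent)."""
    pid: int
    ppid: int
    image: str     # full path of the new process
    cmdline: str   # its command line


Parents = Dict[int, ProcEvent]

# Executables that legitimately sit directly under C:\Windows on Windows 7.
# An assumed starter allowlist; tune it per build.
WINDOWS_ROOT_ALLOW = {
    "explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "write.exe",
    "splwow64.exe", "winhlp32.exe", "bfsvc.exe", "helppane.exe",
}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_av_service_stop(e: ProcEvent, _: Parents) -> bool:
    """net.exe/net1.exe stopping a service whose name suggests security software."""
    if _basename(e.image) not in ("net.exe", "net1.exe"):
        return False
    m = re.search(r'\bstop\s+"?([^"]+)"?', e.cmdline, re.IGNORECASE)
    return bool(m) and re.search(r"antivirus|anti-virus|defender|security",
                                 m.group(1), re.IGNORECASE) is not None


def rule_rundll32_advpack_inf(e: ProcEvent, _: Parents) -> bool:
    """rundll32 proxying an INF install through advpack.dll,LaunchINFSection (T1218.011)."""
    return (_basename(e.image) == "rundll32.exe" and
            re.search(r"advpack\.dll\s*,\s*LaunchINFSection", e.cmdline, re.IGNORECASE) is not None)


def rule_temp_batch_from_temp_parent(e: ProcEvent, parents: Parents) -> bool:
    """cmd.exe running a .bat in %TEMP% for a parent that itself runs from %TEMP%:
    the hand-off a dropper uses to delete itself once it has copied elsewhere."""
    if _basename(e.image) != "cmd.exe":
        return False
    if not re.search(r"\\AppData\\Local\\Temp\\[^\\\s]+\.bat\b", e.cmdline, re.IGNORECASE):
        return False
    parent = parents.get(e.ppid)
    return parent is not None and "\\appdata\\local\\temp\\" in parent.image.lower()


def rule_exe_in_windows_root(e: ProcEvent, _: Parents) -> bool:
    """An executable started directly from C:\\Windows\\ that is not on the allowlist."""
    m = re.fullmatch(r"c:\\windows\\([^\\]+\.exe)", e.image, re.IGNORECASE)
    return m is not None and m.group(1).lower() not in WINDOWS_ROOT_ALLOW


RULES: List[Tuple[str, Callable[[ProcEvent, Parents], bool]]] = [
    ("av_service_stop", rule_av_service_stop),
    ("rundll32_advpack_inf", rule_rundll32_advpack_inf),
    ("temp_batch_from_temp_parent", rule_temp_batch_from_temp_parent),
    ("exe_in_windows_root", rule_exe_in_windows_root),
]


def detect(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return a (rule_name, pid) pair for every event that trips a rule."""
    parents = {e.pid: e for e in events}   # PIDs assumed unique within one batch
    return [(name, e.pid) for e in events for name, rule in RULES if rule(e, parents)]


# Constructed events mirroring this report's process tree (PIDs and command lines
# as shown there; the ppid 1000 given to explorer.exe is made up).
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe"
SAMPLE_EVENTS = [
    ProcEvent(1112, 1000, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(2520, 1112, DROPPER, f'"{DROPPER}"'),
    ProcEvent(3068, 2520, r"C:\Windows\SysWOW64\net.exe", r'net stop "Kingsoft AntiVirus Service"'),
    ProcEvent(2508, 3068, r"C:\Windows\SysWOW64\net1.exe",
              r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
    ProcEvent(532, 2520, r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd /c C:\Users\Admin\AppData\Local\Temp\$$aBB73.bat"),
    ProcEvent(2868, 532, DROPPER, f'"{DROPPER}"'),
    ProcEvent(2168, 2868, r"C:\Windows\SysWOW64\rundll32.exe",
              r"rundll32.exe advpack.dll,LaunchINFSection campaign.inf,DefaultInstall"),
    ProcEvent(2296, 2868, r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msninst.exe",
              r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msninst.exe /Action:Wait"),
    ProcEvent(2472, 532, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
]

if __name__ == "__main__":
    for name, pid in detect(SAMPLE_EVENTS):
        print(f"{name:28s} pid={pid}")
```

Hits come back as (rule, pid) pairs. av_service_stop fires twice per stop because net.exe hands the work to net1.exe, which is exactly what the process tree shows; dedupe on the parent chain if that is too noisy for your pipeline. The service-name regex is deliberately broad (any service with "antivirus", "defender" or "security" in it), so a legitimate `net stop Spooler` does not trip it.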

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1112
      • C:\Users\Admin\AppData\Local\Temp\9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe
        "C:\Users\Admin\AppData\Local\Temp\9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2520
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3068
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2508
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aBB73.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:532
          • C:\Users\Admin\AppData\Local\Temp\9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe
            "C:\Users\Admin\AppData\Local\Temp\9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2868
            • C:\Windows\SysWOW64\rundll32.exe
              rundll32.exe advpack.dll,LaunchINFSection campaign.inf,DefaultInstall
              5⤵
              • Loads dropped DLL
              • System Binary Proxy Execution: Rundll32
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:2168
            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msninst.exe
              C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msninst.exe /Action:Wait
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              PID:2296
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops file in Drivers directory
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2472
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:484
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2884
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2344
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1396

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

      Filesize

      258KB

      MD5

      c3d819a8afc0c7640efdb48130fb27ec

      SHA1

      281034e8481fea1ee1b7b042fb731be14d843556

      SHA256

      c683f25edb69a96d0dac6925db4d1364c996c988ec6119793388abf5f93bac1f

      SHA512

      69072d880dba527136464889192482274a288db54cb591eacd23a11e6c9fbd09f386d6b4c95807068fee3e9c01589a81bf4aed26dd12285598d11beb505be802

    • C:\Program Files\MSN\MsnInstaller\msninst.exe

      Filesize

      163KB

      MD5

      2485015258c469ddc4ab3ccda98cc9f5

      SHA1

      17e854ad716472693a74e925828036ac763c1759

      SHA256

      90d847548781ffc10fbc80ca36ae6ffa1116bf747f31623cc23cb94207953eac

      SHA512

      3ae2ab11e8ef4db45e9225ac2cedd5b30d01d777339f7a79d5f35e5bd1eb2c698313eabbe78e7a7c5624a81578a7b3d2a61b79f0d756538bc556dd87fc696397

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

      Filesize

      478KB

      MD5

      0a2f7bc5d2f3b1abbf852f12ac72d39f

      SHA1

      3ed5d15e03f4a79247638844b8e938794445bfde

      SHA256

      c2eadf7bc1b2c55782d5307c4bfdc59f4c900494b9a624e199c675b582a13d7c

      SHA512

      8c47195b5c79359b6e7c5088d1a2c757ce6a1f16dd61c4c4d0bb7baafba4135c7a64541ce7a3af55b65f83af3df2677ff6f63f9c80fdfb1f7696d54c4609d63d

    • C:\Users\Admin\AppData\Local\Temp\$$aBB73.bat

      Filesize

      722B

      MD5

      2eba78b0776884ff4f68271fc1f9d277

      SHA1

      2e016ffccf8e2cfe48890400bcfa8836d1581132

      SHA256

      6c7ba855ddd42855f7fa15638ab32bf4ef3cb109f06f8940fe576c1af91b2c33

      SHA512

      20a5dbf93e5605e82cad08da3d0604eca205c2e7c0c5e4ed1f0fed24e321bdb1737c3bd53bf8635fe9446929bc2a8ed8bfbb103cbd343661ed37ae332a252f6a

    • C:\Users\Admin\AppData\Local\Temp\9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe.exe

      Filesize

      1.3MB

      MD5

      14a1e5a8cfef5f18b96540c1fb52ccb2

      SHA1

      5a0014e4a255c8be2fe3548bb32767bb05408ff0

      SHA256

      4ecd3f8b60c60870cdd67abf319b373c3438bb7bceac46209b2c87bd5e73a3f6

      SHA512

      dc5113345692c1d6ad46fcade300d0e69613e37c6ff5a1cc5cf83bda2a5605f24890de89c22d218d319d9145dcddb37c4c50fcfd7e1cabd3750f18e9a4ce9096

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MsnInst.dll

      Filesize

      244KB

      MD5

      8d26ec464de935561c221407c40cd4ac

      SHA1

      d7a729baa54a2aa8de08e0fe478c5c07cc490e55

      SHA256

      30714be137b7b648b0c3aa2a7410467289b53a8e2601f8c208a3613e1d31d0f0

      SHA512

      7d92bf3527c896b48f1e14e318fe086276cbd271b1d212965c87a75ad4ad4560c9e48d58f5138599695489bd3d759c577bedd4e9d7413522c7a16219dfb21de2

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\campaign.inf

      Filesize

      1KB

      MD5

      c4fb756abc97776beeb4ffa65303c843

      SHA1

      12b4e5c25a718020086608b72bf96b5bb513f8ed

      SHA256

      80ed31ae5890469ee38fe7b950149e2f488344d892f1ef5ac3dc3e7ff3de2d6c

      SHA512

      7695f79d44eb84fc08b2b7d8911916661db5ac4dbef91e77c9730ba84c576a1474cbcf18d9f155cd9ae2e74a0a33c88ed413c662a598dc045e1a6d246821be1c

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iasvcstb.dll

      Filesize

      26KB

      MD5

      de63b3678f314fd74da0cf343c5860ae

      SHA1

      389bc0a0004feec9b089f993b1f9084716874b44

      SHA256

      ace81690c98cb396758dc016a76b77706924dd3a8598b3a0492bc12edb9af153

      SHA512

      43d63cdfcb5d2d96df0d0715ce24fdeed4fb8ef7e4530a640b5472c444a57e2045c3ef044a1f0c693c40d5c8d40eee4263010895d6c3b9101bd08c60baa76710

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.mar

      Filesize

      516KB

      MD5

      9229c34063391d37c7643ba38b5c4f09

      SHA1

      512b0b599b92fdcd35fc9571713947dd5978592f

      SHA256

      2143c7a5aa2f9d321fbd902d80ac43f4fe9c684d2e5a55fbc686820e06261d9f

      SHA512

      96847f62f94b2527ee03ae4699f219e1a1575190f622d98aee83c48a92839c49c188bf005b46bae49232376b59b39b5397d3569c64559def85b98582d1e00c62

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msdbxi.dll

      Filesize

      82KB

      MD5

      d44eb3849bd5bab21356a41a94c8f868

      SHA1

      88273eb0af7657655df71d608fe93734b112559a

      SHA256

      2c2b10bb87662d1d61916784106a82cff510add0972112a9a14c03927b2d0846

      SHA512

      d8d9f5ad1de64b584dc06cf683f8b83b2af99c57768898ed7b627c3ee9fbe13b17e7166e556378806026e7b2d21e1a299431044bac6e7125f0f090b7a26d3a57

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msnihc.mar

      Filesize

      21KB

      MD5

      64ec522096f2fd6f6258745e72215d8f

      SHA1

      471fc3fd3728b649beb4f4a8e4010f48846b834c

      SHA256

      65118f920c6912e6a7dc6325698570fc7fa79beeb64d6204e6ca93f68ae0f692

      SHA512

      691bd4e9016d97a87ac974d2ea8a6d6fd62bb3de6bceb257dad59df3a27c8d67b4b9524572a3ab9e9dd09c667a75e4a809fa83c2335900d58255edface015c93

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msnilc.dll

      Filesize

      31KB

      MD5

      82836e35011754a1738b25c4904e1137

      SHA1

      79e7b001ac214d9551562f8a1f4883b441a59502

      SHA256

      3f0e18479c7f8f75045d88605bbfa290663092464816739080b21b02d61f2588

      SHA512

      66aaef095440129d79c858e362241bd63f64a8074a08cadda37835ae91399bc490c490278bf51e84be1b7f427f8a11a2a20f97f6c969d431962f8719d1bcaeaf

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msnitd.mar

      Filesize

      62KB

      MD5

      1ecf3b523c89ba2eb75c5ad8af347ebe

      SHA1

      d890967ddd05585c742d2ef18e4b0c5795db1334

      SHA256

      35f135fd9c04cdaf78bad191872cc1aa9cc38056f7c76ba29f0669be9e07210d

      SHA512

      5fb8ca6245a033b12f234960223e146e743ccae7af73ecacb1a7d3826db656219f78242d49b5ee6d51cd5ae6f178b10c27ba3f6d6cdd9336590e4b1ccb5ad065

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msnms.ico

      Filesize

      24KB

      MD5

      bca0ee599ffc56c533585e9026b3b58c

      SHA1

      ae5849eac5db2a69f09350fb455d50f16774290e

      SHA256

      090ee05cef8113594959c4ba3d992eb1e5d2effb7f71ba8854adee27b8b6cf95

      SHA512

      5f7384af5a527f6cba3e8f04b5ab9314f1e8abbcbe4a3b57d2c8fa9939f926e8f7d64529dabd3912b1e41a95671ec4504f6a9c9ad341ef8e455371997863f2ad

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msnsign.dll

      Filesize

      746KB

      MD5

      ffb0a9a7208b773c1fd469bec18a9185

      SHA1

      26a15559f6139eab67b76446f36d2ebdb87e569c

      SHA256

      ccec6240c7a188e55156476d1bfcd06722c36bd7555f28845d747493529093d5

      SHA512

      9a019efb4d62f24ef979102e889c7aed6f49d213dbc362990ea2af8ec5957687e887883c234ee1026ebd20b4095209dfffa62da5f998d8ba0d29e75ed0a77bad

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msnsusi.inf

      Filesize

      5KB

      MD5

      9433366f4264f97cd01e7b29bb00bd94

      SHA1

      b064e88c8030cc986ac59c690e7eabc889541ce4

      SHA256

      581a7e5bcf20a47f55e980b3b35e3881d72bb8c65f380857831906c9e6e332fd

      SHA512

      aae48f610cdf02e30527a02ac83891505683e42ad5131029a18a4b1076912b10ddacee499ffecf5b24f95facb174afb920eb3de7ee4559a0250b0686da64404f

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unicows.dll

      Filesize

      239KB

      MD5

      e1102cedf0c818984c2aca2a666d4c5f

      SHA1

      d8d88ea7083aee9c40f6fdc6c56451a018d21a83

      SHA256

      22f23cc65698741184ec34f46e6f69717644e0b5aabf5d5bd015101f2d72e56e

      SHA512

      e58b35815801d6d3797f95c986834d2ca5450ccc3f1fa1d27d127a8d1d36f8e21279173715a00686c9c831d22d7c5b5b9cc5874170223a4d78f09c4eefa390a2

    • C:\Windows\Logo1_.exe

      Filesize

      33KB

      MD5

      e208f6af1dc1a3edd66c624e077cec40

      SHA1

      bea784e13ccc99e7c57f3d0da9fabce84490f096

      SHA256

      03786976836eba0a156710c1cf4a214a7d41f3cff15720c68e9f7802b988bec6

      SHA512

      37b21ab071472f5b51b36dbd71b04e307bafd576d50eaba91540aae737f3fcf5741ccce975b5386a9438e6c4d9ae5039681e821511b50534b37fdc8220bf6707

    • C:\Windows\system32\drivers\etc\hosts

      Filesize

      832B

      MD5

      7e3a0edd0c6cd8316f4b6c159d5167a1

      SHA1

      753428b4736ffb2c9e3eb50f89255b212768c55a

      SHA256

      1965854dfa54c72529c88c7d9f41fa31b4140cad04cf03d3f0f2e7601fcbdc6c

      SHA512

      9c68f7f72dfa109fcfba6472a1cced85bc6c2a5481232c6d1d039c88b2f65fb86070aeb26ac23e420c6255daca02ea6e698892f7670298d2c4f741b9e9415c7f

    • F:\$RECYCLE.BIN\S-1-5-21-2872745919-2748461613-2989606286-1000\_desktop.ini

      Filesize

      10B

      MD5

      dce9bef24921d1fb94c029be04b911db

      SHA1

      d5ff43d520d5df3ee58c947db0b2ac3a039667b6

      SHA256

      c09fceb912fc9cf0f284d9d24ab0029af67d3a3bf08b81d9c0d8a7681b82c157

      SHA512

      cefdb984819b6b058b8d7747c2a9a74c94f6acf2728e884520154f2ffe42776f19b5a5b22b43b61acbb679acefb8489318c7be92e360a3b239ffaae445d6d97b

    • \Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL

      Filesize

      90KB

      MD5

      0ac28de5e930e8a52ad6b163c5473412

      SHA1

      25371c9d876959cb58b50c25ad709cf98dde45bb

      SHA256

      06eed244d89f6e15205d5beb8085ac33c0de486dfe30eec9fb73b91de07e5f62

      SHA512

      c2c82449927cac953668142a3f597c06626b0b3a26e8036de34e4ca1042a572fa3befa799d43fb24a1d23c821b5ed7994e3d211b6aaced15ba31d4639e96d877

    • \Users\Admin\AppData\Local\Temp\IXP000.TMP\msninst.exe

      Filesize

      129KB

      MD5

      c8e284efba3b50c9216dbe552d24f5b0

      SHA1

      c76b65dd211e03a2a53f57d87cc90df61b0ab10f

      SHA256

      66d7811a891b614f7fc174ae5a3ea1d29d1edde50b12fcaf51c0dc5b54a20b4a

      SHA512

      42db8c59820836fee76ffc877983f72d639d9e30171943ae04d8cd8bcd4ac61730a5e0f4b80a905f4f59c03fa8ba62e1c8f4c1e9095eca65f17a2f122a688ef5

    • memory/1112-191-0x0000000003D40000-0x0000000003D41000-memory.dmp

      Filesize

      4KB

    • memory/2472-224-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2472-3160-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2472-21-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2472-4352-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2520-0-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2520-17-0x00000000003B0000-0x00000000003EE000-memory.dmp

      Filesize

      248KB

    • memory/2520-19-0x00000000003B0000-0x00000000003EE000-memory.dmp

      Filesize

      248KB

    • memory/2520-20-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB
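
One of the dropped files listed above is a replacement C:\Windows\system32\drivers\etc\hosts. The report records only its size and hashes, not its contents, so the following added example (not from the report) shows how to audit a hosts file pulled from a suspect host: it parses active lines the way the resolver does and separates names nulled to loopback or 0.0.0.0 (the usual way to cut an AV product off from its update servers) from names redirected to routable addresses. SAMPLE_HOSTS is constructed for illustration with reserved .test names; the real file from this sample is not on the page, and the claim that the stock Windows 7 file has no active lines is an assumption you should check against a clean reference image.

```python
"""Audit a Windows hosts file for entries that are not stock content.
Added example, not from the Triage report; SAMPLE_HOSTS is constructed."""
import ipaddress
from typing import Dict, List, Tuple

HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return active (line_no, ip, hostname) triples. Comments and blank lines are
    skipped, and a line whose first field is not a valid IP is ignored, as the
    resolver ignores it."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((no, str(ip), name.lower()))
    return entries


def audit_hosts(text: str) -> Dict[str, list]:
    """Classify every active mapping:
      localhost  - localhost pointed at a loopback address (benign)
      sinkholed  - any other name pointed at loopback or 0.0.0.0 (blocks resolution)
      redirected - a name pointed at a routable address (phishing / interception)
    Assumed: the stock Windows 7 file has no active lines (its localhost lines are
    commented out), so on that OS every entry deserves a look."""
    result: Dict[str, list] = {"localhost": [], "sinkholed": [], "redirected": []}
    for _no, ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if name == "localhost" and addr.is_loopback:
            result["localhost"].append(name)
        elif addr.is_loopback or addr.is_unspecified:
            result["sinkholed"].append(name)
        else:
            result["redirected"].append((name, ip))
    return result


def audit_hosts_file(path: str = HOSTS_PATH) -> Dict[str, list]:
    """Audit an on-disk hosts file (e.g. one exported from a suspect machine)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


# Constructed sample: the stock header followed by three attacker-style entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#    127.0.0.1       localhost
#    ::1             localhost
127.0.0.1       update.example-av.test      # constructed: vendor update host nulled
0.0.0.0         download.example-av.test    # constructed
198.51.100.7    www.example-bank.test       # constructed: redirect to attacker IP
"""

if __name__ == "__main__":
    for kind, items in audit_hosts(SAMPLE_HOSTS).items():
        print(f"{kind:10s} {items}")
```

Compare the output against a known-good file from the same OS build rather than trusting the size alone: the 832-byte file in this report is a few bytes larger than a default-looking header would be, but a diff of the active lines is what tells you which domains were cut off.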