Analysis

  • max time kernel
    150s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/10/2024, 00:13

General

  • Target

    0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe

  • Size

    577KB

  • MD5

    2594548b32cc51cf2f9d32033cbff157

  • SHA1

    0a2f78755c0fe25d1729d1bc38be80617aa16e38

  • SHA256

    0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c

  • SHA512

    7a5a798b2166a4f7ecf1b12efc0dfb536694255fa1aa8fb5779b7adb21a15d01865a230752a0ef5804a52101bac654c9c0ac8ae223d834509a67a11cdcb03f69

  • SSDEEP

    6144:Z13TE7cV3iwbAFRWAbd4nf0H05yqE6Hl0ChW0+ksllAXBu0lWGWUJJQ4t0BHQQfu:Z13A7a3iwbihym2g7XO3LWUQfh4Co

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1280
      • C:\Users\Admin\AppData\Local\Temp\0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe
        "C:\Users\Admin\AppData\Local\Temp\0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2772
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2792
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2928
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a6864.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2868
          • C:\Users\Admin\AppData\Local\Temp\0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe
            "C:\Users\Admin\AppData\Local\Temp\0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe"
            4⤵
            • Executes dropped EXE
            PID:2724
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3032
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2776
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2672
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1972
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2180

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

      Filesize

      478KB

      MD5

      44f2a0b82d8247e1cd5a12a40841f9a8

      SHA1

      f451bd8ba9098bb674624169aa40f0371ba67924

      SHA256

      056311169bf6ff9bf378a311dbd3c48697ccce39bedac8cb9ddb7da01384127d

      SHA512

      bd5f7bf6b83c70bd03416a4944f62fdafbcb7907c3321432c831e189e9d4f95a52faefa575de57209fa5c1523ebed5fde8831f6230fc6f23400bbd33e772c219

    • C:\Users\Admin\AppData\Local\Temp\$$a6864.bat

      Filesize

      722B

      MD5

      89f237224cfa14a265420cb749cca435

      SHA1

      84d918ca9aec463c33ec401a66b7d52bbad837aa

      SHA256

      52cc412f78e2242dc0351c333a6afe5d817db8b92df0844e892524b07c5b52a8

      SHA512

      9dcfdd9e263a8c4cb8cdcff3b12f358a0c9c3129c13c0155fcefae78ea578bd4f2abc8a076ca6216a783b3962e7b46ebc9a2cd568fa2ea154936699d5ec0d336

    • C:\Users\Admin\AppData\Local\Temp\0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe.exe

      Filesize

      544KB

      MD5

      9a1dd1d96481d61934dcc2d568971d06

      SHA1

      f136ef9bf8bd2fc753292fb5b7cf173a22675fb3

      SHA256

      8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525

      SHA512

      7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa

    • C:\Windows\Logo1_.exe

      Filesize

      33KB

      MD5

      828e2b4217fa5d1af64ed5e53cc9c32f

      SHA1

      c4c9897302233cb01f5297a474273b9fc3dfe8b0

      SHA256

      dab472637885b769458d9bca73a6d7d43708337a651658029b6be881c0770123

      SHA512

      577324c9ff48421ce990fe851c0c0ae772cff4456c8a2afcbb9cdc4ab33921a6135f3a18599c8302277ca419a6897859544765ac6496519c3a998190b00c78e2

    • F:\$RECYCLE.BIN\S-1-5-21-3692679935-4019334568-335155002-1000\_desktop.ini

      Filesize

      10B

      MD5

      2c51e5c30f050245287a14eb60e30d30

      SHA1

      b59cbcb7f2c8f7f05c0fa80fd351595af1996f0e

      SHA256

      9310f08a28e46a620f4a99b4e12bf599760f5229b2ef0eb6c8e0be72b4197b88

      SHA512

      fb572888fe5c33c9d5f2ee5d138172a57b57e8b3e8b8eca76dea964e99f72692fe4fea9da946d4e5a4871f3c004571a9ea11ef77e3ef100d45f4a806ce2eb5c5

    • memory/1280-29-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

      Filesize

      4KB

    • memory/2772-18-0x0000000000230000-0x000000000026D000-memory.dmp

      Filesize

      244KB

    • memory/2772-16-0x0000000000230000-0x000000000026D000-memory.dmp

      Filesize

      244KB

    • memory/2772-0-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2772-20-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/3032-17-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/3032-33-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/3032-1138-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/3032-3310-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/3032-4095-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB