Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/10/2024, 00:13

General

  • Target

    0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe

  • Size

    577KB

  • MD5

    2594548b32cc51cf2f9d32033cbff157

  • SHA1

    0a2f78755c0fe25d1729d1bc38be80617aa16e38

  • SHA256

    0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c

  • SHA512

    7a5a798b2166a4f7ecf1b12efc0dfb536694255fa1aa8fb5779b7adb21a15d01865a230752a0ef5804a52101bac654c9c0ac8ae223d834509a67a11cdcb03f69

  • SSDEEP

    6144:Z13TE7cV3iwbAFRWAbd4nf0H05yqE6Hl0ChW0+ksllAXBu0lWGWUJJQ4t0BHQQfu:Z13A7a3iwbihym2g7XO3LWUQfh4Co

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3408
      • C:\Users\Admin\AppData\Local\Temp\0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe
        "C:\Users\Admin\AppData\Local\Temp\0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2352
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3608
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1944
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAB34.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1392
          • C:\Users\Admin\AppData\Local\Temp\0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe
            "C:\Users\Admin\AppData\Local\Temp\0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe"
            4⤵
            • Executes dropped EXE
            PID:4616
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1080
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3752
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2308
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:648
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1592

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files\OutCompress.exe

      Filesize

      648KB

      MD5

      9cf7b07dd06628796ff4e62fb9045745

      SHA1

      0bf672cd5d15e03dc0825573de2a664691f6157d

      SHA256

      1d0318fb8c24be5255c342d956996c5dd60d9f9a4e34456db4ef9c13731b6338

      SHA512

      fa5f74279d4090242a472b27436ef77a7da59141479c22a1714389d490dc6fe550cc227903360caf9951407fb6e9ff27102b797b6ed3a7b158710bf745936c9c

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

      Filesize

      643KB

      MD5

      d986668b051bea5787f946062c7b130b

      SHA1

      5bbc40ce89577fa48bfc3035ff79cd79fd2da41f

      SHA256

      fed2637beb19ec4b49c608e95b97cec22c1b1ac48b7c69401d0de845f7625d46

      SHA512

      d64420bb532d70433bb76db7d91968c517f89e05946c3f6c7a561afebb9764b0af74be1667d9aefc4563f7cb8c1551f81f479f17bcc9315d80ae2c3134759a4a

    • C:\Users\Admin\AppData\Local\Temp\$$aAB34.bat

      Filesize

      722B

      MD5

      e885aee87b69cacf0df85d8a6bba75b0

      SHA1

      57697be1e72ec58e02576753a88a5ab534c1668f

      SHA256

      b9303b9bb3ff0282c798f142230fc8794ef4cf590351bbd933f202113e465542

      SHA512

      9a2b7cfdec3f052894351362f3bc2f6204d41dc41462264d85768ec7bcea08871f9b2b4d2f115ab02ade14ed4e34940b48ec081355ffb6b26621eab4c0689cc2

    • C:\Users\Admin\AppData\Local\Temp\0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe.exe

      Filesize

      544KB

      MD5

      9a1dd1d96481d61934dcc2d568971d06

      SHA1

      f136ef9bf8bd2fc753292fb5b7cf173a22675fb3

      SHA256

      8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525

      SHA512

      7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa

    • C:\Windows\Logo1_.exe

      Filesize

      33KB

      MD5

      828e2b4217fa5d1af64ed5e53cc9c32f

      SHA1

      c4c9897302233cb01f5297a474273b9fc3dfe8b0

      SHA256

      dab472637885b769458d9bca73a6d7d43708337a651658029b6be881c0770123

      SHA512

      577324c9ff48421ce990fe851c0c0ae772cff4456c8a2afcbb9cdc4ab33921a6135f3a18599c8302277ca419a6897859544765ac6496519c3a998190b00c78e2

    • F:\$RECYCLE.BIN\S-1-5-21-3442511616-637977696-3186306149-1000\_desktop.ini

      Filesize

      10B

      MD5

      2c51e5c30f050245287a14eb60e30d30

      SHA1

      b59cbcb7f2c8f7f05c0fa80fd351595af1996f0e

      SHA256

      9310f08a28e46a620f4a99b4e12bf599760f5229b2ef0eb6c8e0be72b4197b88

      SHA512

      fb572888fe5c33c9d5f2ee5d138172a57b57e8b3e8b8eca76dea964e99f72692fe4fea9da946d4e5a4871f3c004571a9ea11ef77e3ef100d45f4a806ce2eb5c5

    • memory/1080-8-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/1080-18-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/1080-2699-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/1080-8916-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2352-0-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

    • memory/2352-10-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB