Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
06/04/2024, 00:53
General
-
Target
a04143704ef345164939c979a62ff56e4aa973abc5c633a3654ff72960dc28c6.exe
-
Size
259KB
-
MD5
a8b9fb05ab44dfae70e85051e7990152
-
SHA1
e09c0b71e518e5be8bb65da21e5da61cc00e5e02
-
SHA256
a04143704ef345164939c979a62ff56e4aa973abc5c633a3654ff72960dc28c6
-
SHA512
66fa16c55bce8b43291580f7bcc7be6eb109ce1d7f60d4f7c61a761abfc85f8c851ab067bf5d83c9739a22139c695e84179c2a02f8b8ef244eaffb0f6f4042d0
-
SSDEEP
1536:GxtnE6acoso8vzxoSBUES5SwziMYiHzhtAia5QrMsQtCnt8qiJPQsZSTorlN33nI:K/vFYi9yQct1iJPQSrl1LtYFroxTSf7
Malware Config
Signatures
-
UPX dump on OEP (original entry point) 34 IoCs
-
Checks computer location settings 2 TTPs 22 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 22 IoCs
-
UPX packed file 34 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 45 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 45 IoCs
-
Suspicious use of SetWindowsHookEx 23 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a04143704ef345164939c979a62ff56e4aa973abc5c633a3654ff72960dc28c6.exe"C:\Users\Admin\AppData\Local\Temp\a04143704ef345164939c979a62ff56e4aa973abc5c633a3654ff72960dc28c6.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cce89.exe"C:\Windows\system32\cce89.exe" killauto~~a04143704ef345164939c979a62ff56e4aa973abc5c633a3654ff72960dc28c6.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\641ax.exe"C:\Windows\system32\641ax.exe" killauto~~cce89.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\be4aa.exe"C:\Windows\system32\be4aa.exe" killauto~~641ax.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\2ee73.exe"C:\Windows\system32\2ee73.exe" killauto~~be4aa.exe5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ce996.exe"C:\Windows\system32\ce996.exe" killauto~~2ee73.exe6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ead9e.exe"C:\Windows\system32\ead9e.exe" killauto~~ce996.exe7⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\6e3ee.exe"C:\Windows\system32\6e3ee.exe" killauto~~ead9e.exe8⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\3d5bb.exe"C:\Windows\system32\3d5bb.exe" killauto~~6e3ee.exe9⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\86b4d.exe"C:\Windows\system32\86b4d.exe" killauto~~3d5bb.exe10⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ea0ad.exe"C:\Windows\system32\ea0ad.exe" killauto~~86b4d.exe11⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\b35ba.exe"C:\Windows\system32\b35ba.exe" killauto~~ea0ad.exe12⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\a7531.exe"C:\Windows\system32\a7531.exe" killauto~~b35ba.exe13⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\x7834.exe"C:\Windows\system32\x7834.exe" killauto~~a7531.exe14⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\b253x.exe"C:\Windows\system32\b253x.exe" killauto~~x7834.exe15⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\01ed1.exe"C:\Windows\system32\01ed1.exe" killauto~~b253x.exe16⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\x1c4e.exe"C:\Windows\system32\x1c4e.exe" killauto~~01ed1.exe17⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\482d0.exe"C:\Windows\system32\482d0.exe" killauto~~x1c4e.exe18⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\25b42.exe"C:\Windows\system32\25b42.exe" killauto~~482d0.exe19⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\eedbb.exe"C:\Windows\system32\eedbb.exe" killauto~~25b42.exe20⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\d4de4.exe"C:\Windows\system32\d4de4.exe" killauto~~eedbb.exe21⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\654c1.exe"C:\Windows\system32\654c1.exe" killauto~~d4de4.exe22⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\xd3d4.exe"C:\Windows\system32\xd3d4.exe" killauto~~654c1.exe23⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
259KB
MD56c217890092d6c4e17206d028c4aa42e
SHA1a0d67c776c12daf848711c51580f02ee5913b0b9
SHA256bd8e52b3f1248a394d2fd442cf06ec7bee589b72b91ace4846724611d0b9ce35
SHA5123cb5948dc65d7d3662a24777a2f81a69b1e783dffefb841bf63a166585e5565a6983e1521bdb3d155b4b2dc2b549342d6ac9ed12b71850bbed802cd05afa3dba
-
Filesize
259KB
MD57491ed9bd5e7eae9936374abf23815c3
SHA14be74a509dd000c2d2158e01862af8d5c08148d9
SHA2567ab2edc884aaebfd7400a5762fc7a0ea1ef0bd260cb7bc1e28519c37b57b00d0
SHA5124eb818c7dd768ed58aba1623cc5acf676b70274b193cf746903b0ef12808dc35ca5f1a34c60cc6f574ca8b1a526878968e1a6bae59332b4b153d9fcb9e52cff3
-
Filesize
259KB
MD597820432f0e8845164b8c8cdbfe2de26
SHA176847bdd707ffe511263fc6addf131a15949d89e
SHA2569ac24a4a8fab950c58446b70163620f613b962c9c174eb71ad568cfc87193021
SHA51202f1854219d622330982bc91c111222d489d7bbba2b1cccccc87c16ffa877b80ddbb478be05712c202d74ecf31b6f8fb1625e3acd2c3bc3a0a079bb57c81d5bf
-
Filesize
259KB
MD561662c80a5bb3a08136bd7fdf5835aa0
SHA10a0566fa8f657a5e9a4a193876f05dc54ef06505
SHA25688707cdb05c4ff7b5e5be57ced0f0ea3c78a1f06ee3269a67854bbf396485650
SHA512e1a520a639051e0dfb0df41dddb741ff300983ac6c23e24856fdf54f3b1bc867fe9691ce4d27c3fe8a6ae9528878a75388b1b70c3a0194a068fc27322bb6a573
-
Filesize
259KB
MD5a763056fc6609e55dcfb20cae687978e
SHA150c42517411bf769d79005bb1447151ef008e7de
SHA256e79f3baa98e64711408e397710338ec680fb8a13f15493eb0fa3d070c13c186a
SHA5128fda0f2cc65ddd8e0091bfe3350e17e8712e99ab82850726380ec8ba0087bd6bdfcf2be2eec7cc0901857651fd7577e3cc4b285a6a94d765eb62e0d39963970e
-
Filesize
259KB
MD5889e8078e81ad7cee745b227d9c159e4
SHA1895ccc9a525e03787b5a8083f8101f86d0db5f7e
SHA256ddb3b34284eebcca3ff5a4fc882a02ed48e88cbe14ab1c8f3abcbb9fcfe98caa
SHA512791c3e203615cc93880b86ddfd62c30d2cf32543e3d21ade906a71fb0f901b33effeafe94d4942c88da95d8326f858e7cce3dca2b74bf98f7239c3542d9e58bf
-
Filesize
259KB
MD5e62173bd983436264b23101a091d967f
SHA1eca8dd1641665982ee91dd8bf7c21fb41f6a182a
SHA25646da78fe7e23e9f212bfb266d6448009f2f130f2d26509883cc448f90c330743
SHA5128ca85e568031448e244ddf75ad8ef9bafc2b248f1c65f22a974176ce5670c8632f4e2c21c6422f45d28fd4b237932deaf58fee20d52a64a6bc9fa9887019922b
-
Filesize
259KB
MD567af4fb82e09dd05edae6bd67e5a5fdc
SHA1b045c0f3c35eed7ef30d8fdd63bb8cc204821403
SHA256d621769131973c2fd72e57ab9b77f2373788234da9082cd3edb16709d42a840c
SHA512c746e31cda97c0190d0d39136f6cba60ba772a6ce7fc68c76246246e36c404c0ebbb20a9c7abb033a7a179bea817e9bb7437e8bcf25c61eeb2aeccb4cf2a3d45
-
Filesize
259KB
MD5a19ed2812f506550678d717f8b9a6db6
SHA10f789ef029c2f5a17c3bf3c1e9619efa40a12fe8
SHA256ef03340306670070d4d817fc995656e6ff882c40376cec70a37408a647c33ebe
SHA51273b6a48ccbfd0440899ee52530f2b0fd30af0be11ed73422b163bfc99db89cf4858799fab653ec9ef74e01a4fff2a6d3897a74638ead37c40dd559e616a03406
-
Filesize
259KB
MD55189b2f105cd43e9cbfcecf042024563
SHA12165c798b9f6d830afcb368276170917bcf90fc6
SHA256ead5ec564bbfe77764a3fb678bd1d16408decbe74ce662875bfa66da62639c5c
SHA51296622d78216722c3cdf1d40eaea536e2fdf17f8d7db6a63bf66587d8ee0d42b5fa72441aeeacd322954d56e2234588eff03e0419cdca85ed889d7d27783392f7
-
Filesize
259KB
MD5a2710b1672e29bf1ad6602241774fdab
SHA172d971322deffa0b2944c82c387d8cb7acf79198
SHA256703ae7b99b9b89953b22589808827431a47087890b29f3de10a92969155da06f
SHA5129dd84fdd9b08ec2c2ea67d63590293c5f46bbe891a7f099cfb8ea13eef7e2153681528794048545dd723fe4ac567d69112e254c248d4eaade5c5d51db025997d
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB