Analysis

  • max time kernel
    144s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/04/2024, 23:16

General

  • Target

    8e135989b7a2632e22eb4af7b6793557efb615001457393bf06ffe26dc5ad5fe.exe

  • Size

    216KB

  • MD5

    1e66159cc53bd746bbebea594023123e

  • SHA1

    8df5d5f9ed90b130c529f29b24e045deffb4cdb9

  • SHA256

    8e135989b7a2632e22eb4af7b6793557efb615001457393bf06ffe26dc5ad5fe

  • SHA512

    f4e505c27fa982da82e0774727f578891f6653856b3bc3363f3e46a59c6adc8f98afce7a1c6905868454deed337fccae51357f7c832e53f9c8fd1e55eb7abf2e

  • SSDEEP

    3072:jEGh0opl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGLlEeKcAEcGy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8e135989b7a2632e22eb4af7b6793557efb615001457393bf06ffe26dc5ad5fe.exe
    "C:\Users\Admin\AppData\Local\Temp\8e135989b7a2632e22eb4af7b6793557efb615001457393bf06ffe26dc5ad5fe.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Windows\{68F22C96-E553-449c-86B8-D666997174A9}.exe
      C:\Windows\{68F22C96-E553-449c-86B8-D666997174A9}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2480
      • C:\Windows\{0FACE99A-378C-4315-9FE4-FBE55743F25C}.exe
        C:\Windows\{0FACE99A-378C-4315-9FE4-FBE55743F25C}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2516
        • C:\Windows\{F6F002B2-4FCB-487e-82F6-F0CB13EE528E}.exe
          C:\Windows\{F6F002B2-4FCB-487e-82F6-F0CB13EE528E}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2420
          • C:\Windows\{B9BDBFF5-A8C5-4a18-9BC8-36D7F2BA3E1A}.exe
            C:\Windows\{B9BDBFF5-A8C5-4a18-9BC8-36D7F2BA3E1A}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:984
            • C:\Windows\{2A462DB3-E887-4bb0-9C9C-BD5BABDA93F3}.exe
              C:\Windows\{2A462DB3-E887-4bb0-9C9C-BD5BABDA93F3}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1064
              • C:\Windows\{C6028977-AD9E-4ec6-847A-FB4A88FE1CF4}.exe
                C:\Windows\{C6028977-AD9E-4ec6-847A-FB4A88FE1CF4}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2728
                • C:\Windows\{303224E0-AA94-47d8-957E-2698585A1C1A}.exe
                  C:\Windows\{303224E0-AA94-47d8-957E-2698585A1C1A}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1948
                  • C:\Windows\{00EA561E-1CDB-411c-92DE-F5E8AFEA1A8F}.exe
                    C:\Windows\{00EA561E-1CDB-411c-92DE-F5E8AFEA1A8F}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2180
                    • C:\Windows\{6EF9215B-CF6D-459d-8751-BBA8876AC8C3}.exe
                      C:\Windows\{6EF9215B-CF6D-459d-8751-BBA8876AC8C3}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1532
                      • C:\Windows\{AEFB00FE-6DFA-47ed-8ADB-2B8750C4D021}.exe
                        C:\Windows\{AEFB00FE-6DFA-47ed-8ADB-2B8750C4D021}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1964
                        • C:\Windows\{066E9405-A88F-475b-B516-A11BC7FF20DE}.exe
                          C:\Windows\{066E9405-A88F-475b-B516-A11BC7FF20DE}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:2636
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{AEFB0~1.EXE > nul
                          12⤵
                          PID:2076
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{6EF92~1.EXE > nul
                        11⤵
                        PID:2064
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{00EA5~1.EXE > nul
                      10⤵
                      PID:1480
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{30322~1.EXE > nul
                    9⤵
                    PID:1700
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{C6028~1.EXE > nul
                  8⤵
                  PID:1476
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{2A462~1.EXE > nul
                7⤵
                PID:1840
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{B9BDB~1.EXE > nul
              6⤵
              PID:2376
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{F6F00~1.EXE > nul
            5⤵
            PID:528
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{0FACE~1.EXE > nul
          4⤵
          PID:1472
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68F22~1.EXE > nul
        3⤵
        PID:2508
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\8E1359~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2496

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{00EA561E-1CDB-411c-92DE-F5E8AFEA1A8F}.exe
    Filesize: 216KB
    MD5: f21dd0c54ffdd702af0ec41b37573c33
    SHA1: 4f0ceef4fdce62eaf327f36797546d5afe9a8fc4
    SHA256: 362c69ca0640db50dc4227c67221c69becf7ef66f0adcff0672b7c06499fb8fc
    SHA512: fd80fcdb70e8afae3d0e5fd35bfe8576b4df7591185c470109bd56885c63f4515d6d7a5b642b474e96c5abec46c37c280a4c657aa6145ca50bfc8ed0a9f3d7b7

  • C:\Windows\{066E9405-A88F-475b-B516-A11BC7FF20DE}.exe
    Filesize: 216KB
    MD5: b21530b4588e71e37aac540ecf945240
    SHA1: 5015cfd40393818a5ec3bfb4aab18a0ce2b665f3
    SHA256: e4cd0cac4659f54250063d3a70639d069689bcbcfd0eefb32fb4c0dcac8c45cd
    SHA512: eb7a90288ea01425ab25951b30c9a6c580fce12946ba42760b8da3016562980e61034712cbff9bc0e2c7e6e7461bb18663623959520d7182a3be792881db9e27

  • C:\Windows\{0FACE99A-378C-4315-9FE4-FBE55743F25C}.exe
    Filesize: 216KB
    MD5: 94f2a84bc53615bf08316f280f5c6c57
    SHA1: ecd1f265fa288f0ccc4a5ba0f6cf88b687005867
    SHA256: 542a23cc31a8659742cbcad7920a2a8917a3315fc72b173921d13b8d42141671
    SHA512: b07faa27e978efa291707f962c5d842e0efffb12a980c4c23a87b66f5bceac7337beb90dba4f0a571a41fb99d3a2da4bf4f1b640b588ba323d147519d3eff8ab

  • C:\Windows\{2A462DB3-E887-4bb0-9C9C-BD5BABDA93F3}.exe
    Filesize: 216KB
    MD5: 9a503735f186c5f1c7a547005e5627b7
    SHA1: 619e166763683bfb463a3358e3c67aacee6fcd85
    SHA256: 4feb3beedd9bd9fc33720e3a12a961e331f2c22fe3da740d1978466694d220ac
    SHA512: afedec6a3466b063d5355543a85f9eaec0cb0ec33b47f3ce2ec71fff98b8e968047e7a55f1eeaa471d7df4216a51f2a8c4741497e7ca65236fd7d376f213966f

  • C:\Windows\{303224E0-AA94-47d8-957E-2698585A1C1A}.exe
    Filesize: 216KB
    MD5: 05e589f625b0564ee3ba8589566abbbe
    SHA1: 3f93475a6ee68e484edc62d2b3f643d2bac9a0b3
    SHA256: ea14ce9eca5bf6f7386a64a42d301feaaae39c1fd22c78e118e6c41fb6dc0a43
    SHA512: 3aec7139e083aabc7093351c320b153a01d407b8418d3ade6911576f047f0970edb4e3a3f2b3764c44e8cbba8b35f80465c2ff194c3863e9f90ad1ec3c82ef88

  • C:\Windows\{68F22C96-E553-449c-86B8-D666997174A9}.exe
    Filesize: 216KB
    MD5: 9f6af2fb1d6bdfad030cf037b58f526c
    SHA1: 719038e916328846a8d183ed5699779df2a38703
    SHA256: 633f799f66dcfed1b298eb0c634e0e9bebcd9364ea13cf887028257022321145
    SHA512: 48901a80bf1b20e0914584fb046f77f11dd1b7f4d9925f91046ebf573ea5f654c83330ae5b05b803d91cebff7c86718ec47c4ccfee4076f8ff70a8f8c7d4b3c4

  • C:\Windows\{6EF9215B-CF6D-459d-8751-BBA8876AC8C3}.exe
    Filesize: 216KB
    MD5: 72a3aa1705cdc4a4af341ec60211718a
    SHA1: a5ce790f066a99e024bf5a9486d08e49ee8b2098
    SHA256: 0d049330559c85e516ed78dcae2671793eb21d3f449eb288d0b058df2ca87d29
    SHA512: 7103b8f67378a324df8955d4e8f57c9a5dd502aae58da76f62a3630ed59cfc16638755b457cee0710a7e88ecace9c2e1c86c66571c330fb7e078a000197d0fd2

  • C:\Windows\{AEFB00FE-6DFA-47ed-8ADB-2B8750C4D021}.exe
    Filesize: 216KB
    MD5: 77037ec05af61aea53de36d4e550a4fd
    SHA1: 453e6a2533a0aa993149e52426b52e0eb4eda2ba
    SHA256: 5276464f860d4cd8126aabd5df38209986650f2664e4fcfdaeca9d01c2ff665c
    SHA512: 352d1cd375a0684cf1a6cc689458b0888ecae691984baa8c4e881b14dedca06e5283d53f1d54dfe80aea00675568665ecfaf62293c9d04ea46bb4b22dd0ec32a

  • C:\Windows\{B9BDBFF5-A8C5-4a18-9BC8-36D7F2BA3E1A}.exe
    Filesize: 216KB
    MD5: 8d6aa06fb642f30330b4e79a226eaa13
    SHA1: 0c34adaf6d5a785fbae62a8414b141bddcde1c38
    SHA256: 905d83f96d25a9a2cb8692bc37e1bcb8ad5e0ca6e4d052c0e8ff00070425e75e
    SHA512: 18fdae530af2bef6728c0e13c16b18bf03707642db468e9af216a0db5294d10371bc301b1f4866959bbc157830937e552bb127dc8f76ad22cbd4577972fd573d

  • C:\Windows\{C6028977-AD9E-4ec6-847A-FB4A88FE1CF4}.exe
    Filesize: 216KB
    MD5: 0731f0f975ddfb10e480fc924b0e7dcb
    SHA1: a8fd2d42489450b2c641784657c2d085a03881c8
    SHA256: 090532feae0e8530aebbce4abf2c31d7221f153523df869d8ca29ae8d8bd8539
    SHA512: 124c273e82e104012265598d623f8d75eb05121aacbb43cd546110a7e9509709b1ecbd0bda4dec0518f15e4a3c8dac310cd6480b88fa118e760953099ccb9534

  • C:\Windows\{F6F002B2-4FCB-487e-82F6-F0CB13EE528E}.exe
    Filesize: 216KB
    MD5: 137ebfe52a54c96d59bf193492e8e49e
    SHA1: 576d57b325c59b1c0927b16af8ee78392a413f23
    SHA256: b283bcd47383a5a97d7ef1b515419e1b752025ad190befccbcc9b0ef4ad83f91
    SHA512: aab549d86c0008baaf626cb6c6f14e82968d6f23ec67f2882883c94445442efbc671b5302b997fd44f30be7560f69eaba898262adc2d266e060f7e740a5e74f7