Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

867d9af89c...ae.exe

windows7-x64

8

867d9af89c...ae.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/05/2024, 00:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    867d9af89ca9558e7661b89fdc8d6b3f24545dba6012d27f7b8b387bdd4615ae.exe

  • Size

    60KB

  • MD5

    0b2f7e2bd23a01fce020b2eedb65d4a0

  • SHA1

    2cf019777c4e0aa6214c96292130dfc405539c9f

  • SHA256

    867d9af89ca9558e7661b89fdc8d6b3f24545dba6012d27f7b8b387bdd4615ae

  • SHA512

    dde1a5c339d8a398ac49277c8672506fc229361346ab6bce6484933da60b2f74f7348be040421769a9a737891647b6dbf1e8cd899ae847b96a2dc093d95a0d56

  • SSDEEP

    384:vbLwOs8AHsc4sMfwhKQLroBBKT4/CFsrd:vvw9816vhKQLroBu4/wQ

Score
8/10
persistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
    persistence
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\867d9af89ca9558e7661b89fdc8d6b3f24545dba6012d27f7b8b387bdd4615ae.exe
    "C:\Users\Admin\AppData\Local\Temp\867d9af89ca9558e7661b89fdc8d6b3f24545dba6012d27f7b8b387bdd4615ae.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:760
    • C:\Windows\{25D41920-9F3C-4cff-A602-ED256D9BEF3D}.exe
      C:\Windows\{25D41920-9F3C-4cff-A602-ED256D9BEF3D}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1964
      • C:\Windows\{B3D11928-30EF-490a-A643-738EC4E48D50}.exe
        C:\Windows\{B3D11928-30EF-490a-A643-738EC4E48D50}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4540
        • C:\Windows\{215C423D-2AF2-49ca-9AC9-CEEEAF21AC38}.exe
          C:\Windows\{215C423D-2AF2-49ca-9AC9-CEEEAF21AC38}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3288
          • C:\Windows\{937E7DC0-A6BF-46fd-A242-1F394AF7692A}.exe
            C:\Windows\{937E7DC0-A6BF-46fd-A242-1F394AF7692A}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3028
            • C:\Windows\{E5855E7F-847A-4584-9317-619465B0D85E}.exe
              C:\Windows\{E5855E7F-847A-4584-9317-619465B0D85E}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3156
              • C:\Windows\{76904736-A28D-4fe4-BC7B-C22D613BA103}.exe
                C:\Windows\{76904736-A28D-4fe4-BC7B-C22D613BA103}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3668
                • C:\Windows\{0AFB429B-6601-4d7c-8E55-F7C54ED11F46}.exe
                  C:\Windows\{0AFB429B-6601-4d7c-8E55-F7C54ED11F46}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1204
                  • C:\Windows\{CAA2F77F-AD53-4748-874D-CBC821FB7E42}.exe
                    C:\Windows\{CAA2F77F-AD53-4748-874D-CBC821FB7E42}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2420
                    • C:\Windows\{8B2286E6-DB19-400d-99B5-EF1811058D95}.exe
                      C:\Windows\{8B2286E6-DB19-400d-99B5-EF1811058D95}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2796
                      • C:\Windows\{4268C26E-3C00-4235-AC86-764258FDD61A}.exe
                        C:\Windows\{4268C26E-3C00-4235-AC86-764258FDD61A}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3580
                        • C:\Windows\{ACA9D494-88EA-4272-B4CA-4C91B8B5CBB0}.exe
                          C:\Windows\{ACA9D494-88EA-4272-B4CA-4C91B8B5CBB0}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2444
                          • C:\Windows\{3E8BF828-0DD2-4ac6-886A-FA4BFCFEAA90}.exe
                            C:\Windows\{3E8BF828-0DD2-4ac6-886A-FA4BFCFEAA90}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:548
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{ACA9D~1.EXE > nul
                            13⤵
                              PID:1540
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{4268C~1.EXE > nul
                            12⤵
                              PID:860
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{8B228~1.EXE > nul
                            11⤵
                              PID:3724
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{CAA2F~1.EXE > nul
                            10⤵
                              PID:2436
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{0AFB4~1.EXE > nul
                            9⤵
                              PID:2496
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{76904~1.EXE > nul
                            8⤵
                              PID:2696
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{E5855~1.EXE > nul
                            7⤵
                              PID:1088
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{937E7~1.EXE > nul
                            6⤵
                              PID:4004
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{215C4~1.EXE > nul
                            5⤵
                              PID:1244
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{B3D11~1.EXE > nul
                            4⤵
                              PID:3148
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{25D41~1.EXE > nul
                            3⤵
                              PID:728
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\867D9A~1.EXE > nul
                            2⤵
                              PID:4948

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Windows\{0AFB429B-6601-4d7c-8E55-F7C54ED11F46}.exe
                            Filesize

                            60KB

                            MD5

                            3e1b8d9a774539dcaf127082be94756d

                            SHA1

                            5b4e8621a17c956acae3d23b5f65deaf961fd14b

                            SHA256

                            bb9c192fc02b974f9bfe02e60b85693f87d494569c3554567f853a912efdbf61

                            SHA512

                            dbabb5a855b7dce88e9054412c90bb837c8c6825f8a8a4a0fa14456b82874d1b1877b1ef689002dc51243c5209d01c27811c3aa94b40572e7262d1665ee840ef

                            Download Submit

                          • C:\Windows\{215C423D-2AF2-49ca-9AC9-CEEEAF21AC38}.exe
                            Filesize

                            60KB

                            MD5

                            b8303ebb4132042e10781169da4a0799

                            SHA1

                            32bbf6fb67fd3f59aeb183f0aedd1b74d5e66cc0

                            SHA256

                            6708960e3fed6881505f1826a1982dec1a7ec541493373674e327e96bfd6471e

                            SHA512

                            2ada436ad88ef1fd56eb5475309fa86239cb5064c29874d722ac651b347dd242f434b64589e03a36024e29814ac7f272fd4a5d9abcc55a8504f58d7eb712633f

                            Download Submit

                          • C:\Windows\{25D41920-9F3C-4cff-A602-ED256D9BEF3D}.exe
                            Filesize

                            60KB

                            MD5

                            77604586db74538225d542666afeb410

                            SHA1

                            e608c727e2596df72cbeb43edffd9434813ba1c1

                            SHA256

                            d0f7f0497309a8281e68c33cd1783262fb44b63493f16f5b959cb54138322cb7

                            SHA512

                            4febcbaaddf503479038823c1dee61ba98150080e48c4d825d55ab46466653b7243b0dc6dca581cfc65da3ce32f9b47689c9d666ddd0729cb8fa58911290423a

                            Download Submit

                          • C:\Windows\{3E8BF828-0DD2-4ac6-886A-FA4BFCFEAA90}.exe
                            Filesize

                            60KB

                            MD5

                            e2eb55434d1df732b47a66fc362e0cdc

                            SHA1

                            a31fcdffb0e98eaf525d6337acc7f7facb91b608

                            SHA256

                            3bc9ceaa12ae44b5e11bb6a3a91ca16758970d30efe8a2af4de8c891cd8389d4

                            SHA512

                            5703d7c37fc23d8d0c7bf63d5a9074c23402c19ca6fb84915edbf61e4f2a9a02cb19d021e72ea1301ef019b7ce181fac54b9d637ce3dc2761885cd4e2d9251d0

                            Download Submit

                          • C:\Windows\{4268C26E-3C00-4235-AC86-764258FDD61A}.exe
                            Filesize

                            60KB

                            MD5

                            fa7fb7a2a81e9c725a4238da2f3aef95

                            SHA1

                            7e82769137682e430e2befa2f0570bc198c0905b

                            SHA256

                            cd9e644d844fb095cf1cc5f6c6bea7844b9d29e43047a225e891926267c366f1

                            SHA512

                            aeb25e3cd02b8aa90029f28eb427213f1b5327bebb2f52f1a350afb30d0f5204da04647619f772f379374aa1514b1124a79ab3226c3bfb326535580693fbaff2

                            Download Submit

                          • C:\Windows\{76904736-A28D-4fe4-BC7B-C22D613BA103}.exe
                            Filesize

                            60KB

                            MD5

                            568eaa918ff4d0278cd06af9ac8dd3ed

                            SHA1

                            af9e8a59325b39a9e9b753a406a06c197c9b98a2

                            SHA256

                            087cf6568144dda3dc8f4fb7555d4ebb87f357daeb3ce8f5cf60da38f204f871

                            SHA512

                            1c43ddf3c5492e98058453f7e1edf82c237a4b4a905c297e8a88f31e8ea54b45afb8e3efc4385c7fa73d8feb6f5b87be1b385b05b2d1d408e94714e2616ccf27

                            Download Submit

                          • C:\Windows\{8B2286E6-DB19-400d-99B5-EF1811058D95}.exe
                            Filesize

                            60KB

                            MD5

                            9955dd3aaced5aa4dd28860a73e2d651

                            SHA1

                            de7b5619452904862a8eeac33e7858159107927d

                            SHA256

                            c7e867ab83bca4986d49aabd2ea185175869650a1b7a6916ea27130e11f309a0

                            SHA512

                            0dad129c8d0f096cd31687d8eeef76ee629b487ed8feaf96b0a3304e90d85bb3e0345ee1e945ff2f0bbc0f791d25f8d7369b16ace1bb275fbd081d1cdefcd967

                            Download Submit

                          • C:\Windows\{937E7DC0-A6BF-46fd-A242-1F394AF7692A}.exe
                            Filesize

                            60KB

                            MD5

                            819ad19f9e502e7b4c4c1e53f74b5a5e

                            SHA1

                            72125f91f11db4fc3901a96d0470d0d6fc607fba

                            SHA256

                            e07aba81c7309fef89099331f84e511be4f0085625bc92aeaf323df77b4bed9f

                            SHA512

                            3ca8e2309d1f7098ccf0e654aee3ecf1ec142d7aee4d3ba013daf6c45c9b6a6e56ae82ce4c31baa174bc9296d290b2b979f9cc8f133688e279934792d161b42d

                            Download Submit

                          • C:\Windows\{ACA9D494-88EA-4272-B4CA-4C91B8B5CBB0}.exe
                            Filesize

                            60KB

                            MD5

                            33d686715d6ea4f9ca22891f75326bb0

                            SHA1

                            54ea0762fcad41335cd5c5adb8c9adb79fe88fe3

                            SHA256

                            7e9679af7dbaac8048b5d2b2620b29ea95c7bd64f92cad3e9e164c875cf49da1

                            SHA512

                            11c2a248c6ae5513ff5c3b56f2a40555c2b2ebd41b8620b3652c6a6568a3f011394b25fa14310267562b272389ac971b5c8b55a0032316222d33404f2696958b

                            Download Submit

                          • C:\Windows\{B3D11928-30EF-490a-A643-738EC4E48D50}.exe
                            Filesize

                            60KB

                            MD5

                            df6cf6f81025e5590a9109ffc5ba13bb

                            SHA1

                            69f933367dabf7c156558134f84aad7aaf99ecf7

                            SHA256

                            3658dae2a1894ba7c098c9a6534c2c8f1c1545f268673e0c0610284a5b46a9e2

                            SHA512

                            809b8afe038a6456e070ee31093d1064b2dc2ca6879583156c5598a50eff3439552ad68a1945850ea9428c7aae9a21deb5b185002f71b7d06cef23e83eb9c71b

                            Download Submit

                          • C:\Windows\{CAA2F77F-AD53-4748-874D-CBC821FB7E42}.exe
                            Filesize

                            60KB

                            MD5

                            c22cb6820f92740b96b366f4af795210

                            SHA1

                            496dc35abba35c81f459686b92f42a1bd111c167

                            SHA256

                            fae41b2f2d6715dde8b7cb73663d5c18828ed561ddbb1b02f82a756d476cfad6

                            SHA512

                            4235aad127c1152ee138220672d3d9d0bc391e435f213b60c1a81607cd8fedfe23105f1f350983b245615aeb2b5a01c762c8c246fde36d2754028e73fc78ca43

                            Download Submit

                          • C:\Windows\{E5855E7F-847A-4584-9317-619465B0D85E}.exe
                            Filesize

                            60KB

                            MD5

                            e3f981b2f1a832ea0c385e2800e5202e

                            SHA1

                            ae1752462ef4a171e293c59b196da0a8504ea71f

                            SHA256

                            119b207b9a61e3fdf03e03317b36d86c2563075560fa54cb870a1c4138a6e5e5

                            SHA512

                            379302f0151af800371b8a45b39b3f6ce4a00385682ac3aade3a8b96cce3c3be49032f1fc91bb9092629fa4a64dbbf5b19b3b076db41d94ccc61feea0d0ed8d5

                            Download Submit