Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

d9afd0df0f...be.exe

windows7-x64

8

d9afd0df0f...be.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    144s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    01/07/2024, 03:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d9afd0df0f47107a0823a16470f3c2af490a994926ef1d63eff7041324eb77be.exe

  • Size

    89KB

  • MD5

    aebec3905f0fa3bc8afb2f87f9b15343

  • SHA1

    1533300e1dae46ad7881492ee0f6074dc4abf53e

  • SHA256

    d9afd0df0f47107a0823a16470f3c2af490a994926ef1d63eff7041324eb77be

  • SHA512

    de4e384ece0973d0b77f44d5abd48aee04208716e0497529ba38c397c439b38642616f919857242088c7a672728ddf1525deb658bcf5a9db10df11745f01aba2

  • SSDEEP

    768:Qvw9816vhKQLro2L4/wQRNrfrunMxVFA3b7gl5:YEGh0o2Ll2unMxVS3HgX

Score
8/10
persistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d9afd0df0f47107a0823a16470f3c2af490a994926ef1d63eff7041324eb77be.exe
    "C:\Users\Admin\AppData\Local\Temp\d9afd0df0f47107a0823a16470f3c2af490a994926ef1d63eff7041324eb77be.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1276
    • C:\Windows\{B8F70270-6EF8-4dfc-8517-79DAFB96AC66}.exe
      C:\Windows\{B8F70270-6EF8-4dfc-8517-79DAFB96AC66}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1380
      • C:\Windows\{3DCCD137-670F-4150-8917-074012D1B50B}.exe
        C:\Windows\{3DCCD137-670F-4150-8917-074012D1B50B}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2664
        • C:\Windows\{4E305D7C-56CC-48a5-A64D-DEC8E0F192C8}.exe
          C:\Windows\{4E305D7C-56CC-48a5-A64D-DEC8E0F192C8}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2540
          • C:\Windows\{59B3F407-92FA-4a73-A7A5-8C3CF4C9B1B7}.exe
            C:\Windows\{59B3F407-92FA-4a73-A7A5-8C3CF4C9B1B7}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2684
            • C:\Windows\{9D80EB96-A3EB-4275-AA3C-B45DC79D0051}.exe
              C:\Windows\{9D80EB96-A3EB-4275-AA3C-B45DC79D0051}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2836
              • C:\Windows\{6A9AB62A-0E8F-470c-9F4B-86B2293EF835}.exe
                C:\Windows\{6A9AB62A-0E8F-470c-9F4B-86B2293EF835}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2212
                • C:\Windows\{F86C155B-4023-415c-8958-9A14DBAB21A0}.exe
                  C:\Windows\{F86C155B-4023-415c-8958-9A14DBAB21A0}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2024
                  • C:\Windows\{EE3F7027-7318-434a-A6E6-EFB2481AAC89}.exe
                    C:\Windows\{EE3F7027-7318-434a-A6E6-EFB2481AAC89}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1760
                    • C:\Windows\{D99A6E4D-A602-4d0e-8792-2FC66837D77A}.exe
                      C:\Windows\{D99A6E4D-A602-4d0e-8792-2FC66837D77A}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2116
                      • C:\Windows\{CCC766BB-E33C-4577-AC8A-477A854E6671}.exe
                        C:\Windows\{CCC766BB-E33C-4577-AC8A-477A854E6671}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2916
                        • C:\Windows\{6A009F78-435B-465a-B107-5419A7A158D9}.exe
                          C:\Windows\{6A009F78-435B-465a-B107-5419A7A158D9}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1296
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{CCC76~1.EXE > nul
                          12⤵
                            PID:580
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D99A6~1.EXE > nul
                          11⤵
                            PID:916
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{EE3F7~1.EXE > nul
                          10⤵
                            PID:2608
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F86C1~1.EXE > nul
                          9⤵
                            PID:1148
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{6A9AB~1.EXE > nul
                          8⤵
                            PID:2164
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{9D80E~1.EXE > nul
                          7⤵
                            PID:1996
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{59B3F~1.EXE > nul
                          6⤵
                            PID:2600
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{4E305~1.EXE > nul
                          5⤵
                            PID:1900
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{3DCCD~1.EXE > nul
                          4⤵
                            PID:2432
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{B8F70~1.EXE > nul
                          3⤵
                            PID:2060
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D9AFD0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:1620

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\{3DCCD137-670F-4150-8917-074012D1B50B}.exe
                        Filesize

                        89KB

                        MD5

                        aac8adcf4bbf99c869007b3d233fd160

                        SHA1

                        4bc09706a376f7e8bf9f7d42f233ca153698f97c

                        SHA256

                        0153c48dcfc7bd0cae5b37a3bc021f29f59656d863a350a73dc3a98a061718e4

                        SHA512

                        74d429e1075e87f219b844bab6856b1a383bbbaf26d59d727eea39b182f4c6c0703909e44814603abad7c47bfcf61b8ddacd976f3cb99c2a734f961066ed832c

                        Download Submit

                      • C:\Windows\{4E305D7C-56CC-48a5-A64D-DEC8E0F192C8}.exe
                        Filesize

                        89KB

                        MD5

                        1cf4e2c41260a369c213f410597374e2

                        SHA1

                        d0d9fb12b6e61280fb86dd3a27abd8422f60982f

                        SHA256

                        24db87829fd7fa241a660e140d057a262531974cf6c8c3061d471cf10d1844b3

                        SHA512

                        45d8faf9a45751eb2f730d078f5040145d1697ac916c201e0c364fa6737fe7e5d1159ebe11655da56413488a65f3f37b9c7e01429c2d596f2c6ba83d011b3d5b

                        Download Submit

                      • C:\Windows\{59B3F407-92FA-4a73-A7A5-8C3CF4C9B1B7}.exe
                        Filesize

                        89KB

                        MD5

                        7497c4f84e05ca7b7e7c20ee089a830b

                        SHA1

                        a4574c97e6dde57b4b08c87b07ba63f34a88d320

                        SHA256

                        4ec7698d8bd04b9c487633846f93db91e98e128b0db585338adc33fb1aa77208

                        SHA512

                        08c5046e7463ce93f0f6f7ae69f220c87648ec1029e003df942aa1fc51ba3f6c1fc88c2bb5ca5e67335f89fdeac04feaefd905f57631b454244b9bfb43820794

                        Download Submit

                      • C:\Windows\{6A009F78-435B-465a-B107-5419A7A158D9}.exe
                        Filesize

                        89KB

                        MD5

                        4c50f4bbf5de7a9286819ade69866474

                        SHA1

                        48eb1398883dd69de76349880f97651c3e9dcffa

                        SHA256

                        443fc166803444dce31122c7e6c6ebcafb3e66c55e4569a4ae701875259f2e9b

                        SHA512

                        dbaa7b9f5a500c76ce444115d984dbe9a7d3cd1be7a2708a89ee7c51efa445b0a6bf6631d68f3aae32ac66dc7aa20c5171cb4a2f238d9fc17f6efdc538195489

                        Download Submit

                      • C:\Windows\{6A9AB62A-0E8F-470c-9F4B-86B2293EF835}.exe
                        Filesize

                        89KB

                        MD5

                        b0376d673cc2f0caddb922272f5aadce

                        SHA1

                        8734b5ffdffc950bcc589e0f4eca650b30d3de4a

                        SHA256

                        b1b4b1d969e253827a9be45d7d93b04acb4b7fd613eb09e98cd2f1a17028295b

                        SHA512

                        acb43103bdf848a0d7b799c018b157aa6584bdc107a514f25cea73a489ab5f55dd83a26a703afafa8e2351aca0b4b88225e1a64ef50c78b566b018b2d3cdaefc

                        Download Submit

                      • C:\Windows\{9D80EB96-A3EB-4275-AA3C-B45DC79D0051}.exe
                        Filesize

                        89KB

                        MD5

                        6d4153b73e69a5c196fa2b05bc00112c

                        SHA1

                        420f2b4eb90330b41fe2b2549d56ddb4c8849e90

                        SHA256

                        b2290b6e36015a1242adc9965b9a2e23176c8b5e35f9cbfdab49abe80020cac5

                        SHA512

                        66b7a12c3f0eca5c1fa2a77c50aa7e695b212947ab27cfbda111f98ff66ad57d8990b4aaca67ea9483c2e3af52bd3f3e23d18616230f2c4341038b182896c634

                        Download Submit

                      • C:\Windows\{B8F70270-6EF8-4dfc-8517-79DAFB96AC66}.exe
                        Filesize

                        89KB

                        MD5

                        8bac482e58f8f376e9e04cc661a4369e

                        SHA1

                        fac3a29fb63c0f9303093b48b5dbf88689ab17e0

                        SHA256

                        d5c2abdab626d88358301dadff00cb285289c7f5cf0f4e0a9f71f5e0c4f1e63a

                        SHA512

                        16b0f40d1ca2f9101db44cbc35ace8cfdbdec42550c828dfb299a94b816f3a551d399caf271732e4748f4bd9a4e8ce029d6f15b66a427eb1fc74d1cdcea84eb6

                        Download Submit

                      • C:\Windows\{CCC766BB-E33C-4577-AC8A-477A854E6671}.exe
                        Filesize

                        89KB

                        MD5

                        dfc8192e5e5794a0aa50c827f0328967

                        SHA1

                        9707679d63930d3e5e7684a7d720667de2fc311b

                        SHA256

                        13d42503827ab11c01ea1a8e84a671a9c7310929826b7c24de12dcc3f3557121

                        SHA512

                        e5aa0807684af50bdfe3dcd76c162d30de46292989d0a43ec362db6f13de48b5903b7e4690d901429e274881c241e3bfb1702cf8c4eef12e3dcea8ebbb11930e

                        Download Submit

                      • C:\Windows\{D99A6E4D-A602-4d0e-8792-2FC66837D77A}.exe
                        Filesize

                        89KB

                        MD5

                        2c4ea9868d028d72fe267a818b5cc0a7

                        SHA1

                        2a317c26028c447376ed778d9b98a2d8ada4df19

                        SHA256

                        8b5f20f1187af750b6ed4a2157a117242c15c6fc153ce1040359cc1d363ec25f

                        SHA512

                        f2c939433c583e57cf1de24a7683e2a5dbe01f55ebdde5cd9bebdf98d5044c4d65f494d22d33b1f69d24728f1811289a766865a545c9a3d5934adce8577f5811

                        Download Submit

                      • C:\Windows\{EE3F7027-7318-434a-A6E6-EFB2481AAC89}.exe
                        Filesize

                        89KB

                        MD5

                        9277e66519ce2da03f0379e90f5f1636

                        SHA1

                        ff7c5c26accf2106fa10aa88e6bd4923ddf68b4f

                        SHA256

                        61d60b7b3ac8633a7380353f620d35623934a00de2182ffa2b4227ac3ba492b5

                        SHA512

                        713dd0d329c839672a242de69744e518685db442a4a836f5474732e0bcfc2ef82aca66c32a9803cccf3ecbe6c4e8818470ff9b867e2c62926cfdf59c72b10537

                        Download Submit

                      • C:\Windows\{F86C155B-4023-415c-8958-9A14DBAB21A0}.exe
                        Filesize

                        89KB

                        MD5

                        41fe903e436827353a520e00606f4552

                        SHA1

                        022d74524c23b24cb2313835797d06e23455fc4b

                        SHA256

                        d7bd5179a76ca19d1424f2c3f64df3e1c45431560b2d235eecbd81129e988450

                        SHA512

                        3d8b34f7859e9073e97d06feccf20912743203d965abde4b813ca5965202b838e2d331a1c2b98335c5a29df8c473264af105fd9a5b76d557790271e7a216727c

                        Download Submit