Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
48s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
01/07/2024, 03:24
General
-
Target
d9afd0df0f47107a0823a16470f3c2af490a994926ef1d63eff7041324eb77be.exe
-
Size
89KB
-
MD5
aebec3905f0fa3bc8afb2f87f9b15343
-
SHA1
1533300e1dae46ad7881492ee0f6074dc4abf53e
-
SHA256
d9afd0df0f47107a0823a16470f3c2af490a994926ef1d63eff7041324eb77be
-
SHA512
de4e384ece0973d0b77f44d5abd48aee04208716e0497529ba38c397c439b38642616f919857242088c7a672728ddf1525deb658bcf5a9db10df11745f01aba2
-
SSDEEP
768:Qvw9816vhKQLro2L4/wQRNrfrunMxVFA3b7gl5:YEGh0o2Ll2unMxVS3HgX
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d9afd0df0f47107a0823a16470f3c2af490a994926ef1d63eff7041324eb77be.exe"C:\Users\Admin\AppData\Local\Temp\d9afd0df0f47107a0823a16470f3c2af490a994926ef1d63eff7041324eb77be.exe"1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{DBB94B55-A450-491d-852C-56A245F2D9A7}.exeC:\Windows\{DBB94B55-A450-491d-852C-56A245F2D9A7}.exe2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{530C48AB-4644-4a29-AA2C-65A592678471}.exeC:\Windows\{530C48AB-4644-4a29-AA2C-65A592678471}.exe3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{5E0F2CAB-8FED-40f8-A278-286DE4570D9A}.exeC:\Windows\{5E0F2CAB-8FED-40f8-A278-286DE4570D9A}.exe4⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{8757FA03-2135-4b04-B060-D7D8EFAC803B}.exeC:\Windows\{8757FA03-2135-4b04-B060-D7D8EFAC803B}.exe5⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{B51AFDA2-F4D6-4be0-BA5E-98E6D7D7C951}.exeC:\Windows\{B51AFDA2-F4D6-4be0-BA5E-98E6D7D7C951}.exe6⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{0E54D0F9-F4F0-4430-8EE8-90D42D9E9174}.exeC:\Windows\{0E54D0F9-F4F0-4430-8EE8-90D42D9E9174}.exe7⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{B5A6C0BA-038D-4e7b-8642-EF7C2AD141B5}.exeC:\Windows\{B5A6C0BA-038D-4e7b-8642-EF7C2AD141B5}.exe8⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{3519E27D-BB08-4753-903A-60132D4E5352}.exeC:\Windows\{3519E27D-BB08-4753-903A-60132D4E5352}.exe9⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{D954C19E-CD83-4558-9E57-ABD27F6BE115}.exeC:\Windows\{D954C19E-CD83-4558-9E57-ABD27F6BE115}.exe10⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{5EBB0B4B-7457-4272-8AA4-6D7DCBBB97B1}.exeC:\Windows\{5EBB0B4B-7457-4272-8AA4-6D7DCBBB97B1}.exe11⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{625E534A-E085-4789-9E00-D24031ED8E05}.exeC:\Windows\{625E534A-E085-4789-9E00-D24031ED8E05}.exe12⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\{4E4BE132-60AC-4ff0-9266-C404D5DF3F90}.exeC:\Windows\{4E4BE132-60AC-4ff0-9266-C404D5DF3F90}.exe13⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{625E5~1.EXE > nul13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{5EBB0~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D954C~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{3519E~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{B5A6C~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{0E54D~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{B51AF~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{8757F~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{5E0F2~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{530C4~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{DBB94~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D9AFD0~1.EXE > nul2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
89KB
MD52c990dbffd9d885698df138347907f66
SHA138e4e4926b0690c61380edb5b910719fde87fa79
SHA25664fb0b76e3864a7a7012d6ac2aa8dcfc00a7bb788698eca19974b24df8453bb0
SHA512f2754b5866e3f9bce3d9d6cb9a99ef5d8cf1dd8362d5b818f490019e189633208b81988d0eaf7ddeae0f986a52702406a6a89e3752d4b51d04cd9c007192278e
-
Filesize
89KB
MD575ad5ee29322560c2cc5b839920c180c
SHA1afc870a0dc672e4f057b55db402a46fbc5ea8e38
SHA25634d88a76f0ed3be10f73226409c80f1e3eac3941f839b7ecf2cc87e62aa8d236
SHA512c568d3d6189372b237ba314659e551399d096bb49e44f707d8adeb49e135c34576023bd2fade74870ffab30684946fe0f15f59397de09b4ea42f34150d9fa654
-
Filesize
89KB
MD5317e1d97ffb07a102f2cd2cf6c50382e
SHA1a95d343a3d76c024231233a22705021123c87cd0
SHA25669bd20ee0381d6ae84591f9455e9af9db768e288b855c438fa79d8bac4a4ce88
SHA512d5ff58765d58d1f048b142203036e53abe2fe51264b9169da9df2177fcca4e6a526b5db7b967db25a86cee1eb8afeadac9887dba54d7742eb9f19734051f77aa
-
Filesize
89KB
MD5de40801a1aad88b425e79e2f5aedcb48
SHA1f8b030a69ede949e77ab1ecddcdc714d79fed247
SHA2568a7109d89065e1b1993dc54aafb15fc0b720c69a63c860605660557e68ae8bfc
SHA51278ba86f9134db2b963040eaf67c429ab733a44db83cf3df34dfb87b6e9d6c2b7c5ed4fbcc3cfb6468f5fc0f82f6c7528d63eb9df715527f7497c0febab1b9f4c
-
Filesize
89KB
MD56e15605be5a2c52349b21149503c9a74
SHA12dc0f8cff2719c4df1851ee4b2e83db6a51aabae
SHA25604ba8408e44e66b2d5a1392ebaa8ae126943cba23ba24f4a038d2fd85c6ac652
SHA512a3564ba0875b5aa9777b9c43b75deffd0a134c3d42ed94f0683f276cb6c3cf61fd0ce7f5e4e795529e05e2d994f6b2b394188ca40875695934d28261eeb419c8
-
Filesize
89KB
MD5a285aa2e3ae9a35d106c238151379f96
SHA184c3b83aa420786d74edb2bee0ba8782364b0f73
SHA2569553b7cdeacba181fba2c3de0993da3f3afec52cd8b9f0a7dc271f05cb799b50
SHA512283511cbeba87bf9431cfa7bc463aedc405d039b3aeb081d7152e562b0367cbc6d7de24bed7c5a2e4a7e4448b0b125692caa61c3524fd7698c562ee1cd205e5d
-
Filesize
89KB
MD50bff623cabfce9cd716593f93fcdfc5f
SHA1ff0011d9fb394e9ed9caf7a1fa619c75263f7354
SHA25602cce2d38ccbcf6232a469e1f8930952292a1cff7c6f1dd1d3be0318c8bb16e5
SHA512a9873f90313687119db16c796651e221d5c0cab5521a4e9af16e9409c38e5d84692088f28e2c971c2465de9587417ac7b2787a6ee2d31ad3cf31444ab6e0e1b9
-
Filesize
89KB
MD528d01e1f1b52b55af8e5e893d013a7f7
SHA1c2a55e1b0a0bc140c601a6694a94bab655580e2d
SHA2568733d554b256411c81d4d2f060ca2c81870d4e9aed253e5f43bfc57711ee658e
SHA5120fbfefc4413330cd08fb7dbaa4b2d0849ceb4f4ca9ac693b690514132023ac8a616459490301d2207e10fc2082a4efaa1015c0729d23e672e1326fc830be1379
-
Filesize
89KB
MD5a54ab742c2d08a01d217be08c83c40e8
SHA144c18c93f19b0652ece0ec4a67dbb85e1a5175b6
SHA2562eae3089baaf18174c711af48fdf0bfe69ed62b996840a31ae6e79fdc919bcb0
SHA51286497348c0bdf368d84b88358f4453fb47823345be3a6b06411bb047d566518e4749490b5d992cac8d4503d0ef61cb15866ab05148729f4532daf0ae1b7e66d0
-
Filesize
89KB
MD52ab2660268e14abe4eba06270e162464
SHA129aec500be2954de29212c23486d9bdf573ee681
SHA2565a7d2c6360128a4a93d5c4b11b1fd0d8a2906ded42a81f3d18b49b4fd5a98b1f
SHA51229f0cd5048a070b25993b8d956d6abcb6fc9540081766cbe79ec419de5f46d1fbebfbc0313087f0b05f7982d00a6039bf2301b0dbd9de4b6334acb6637f6e904
-
Filesize
89KB
MD5ad2f995211879ef0e5daf1bd2397a090
SHA1a71805c16bb007ad21840286b4ad75e2e9eae844
SHA256587256de9e36ea6c71118b9bf7fdf4e81c0fab4cd22ba59ccda01711a44bdadf
SHA5120e53d465d059972aabba7a35d7b0b7b698c537912658bbfb2931f6d471148d7f330e1eb26e12fe70a69e8952128697dd40a477d85d5694abac2cd5fd5a99f0ca
-
Filesize
89KB
MD5a4ccf3d49c1b1a8791c7c8f7a18b0cf8
SHA1215fbf388153f105d11f2b5d1880deb294f2321b
SHA256cb427aca9aa7b7b2a9d27c979fd07dcafc1d5d0e1b7734045271d188217d4949
SHA51297dd4d36d833b3d85147cb9ad13a046754db2ba01898e3d5c18f32b75bd8f189988d941f1809519f25b660f290f8ac43d8ce4a6a75417f8981f42b8e7c16920d