Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

58e7fc589a...6b.exe

windows7-x64

8

58e7fc589a...6b.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    144s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    04/07/2024, 21:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    58e7fc589a3c05771ab63c2dfa4754b931e0ef4d18a679f973943efddb59426b.exe

  • Size

    90KB

  • MD5

    4511d44ebb6011fcd1159a1a297b4f39

  • SHA1

    85375dc2a261eaa559f21a7a8be48f29d166328c

  • SHA256

    58e7fc589a3c05771ab63c2dfa4754b931e0ef4d18a679f973943efddb59426b

  • SHA512

    a71ae08abd9db210126059abf558fe6c7a143496d510be1abf9db92a12d6ea8aa7d3166dba14db9ef3ea5c87181275901ecc7611dba2ac4f03ff619fee69c6c1

  • SSDEEP

    768:Qvw9816vhKQLroR4/wQRNrfrunMxVFA3b7glw6:YEGh0oRl2unMxVS3Hgl

Score
8/10
persistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\58e7fc589a3c05771ab63c2dfa4754b931e0ef4d18a679f973943efddb59426b.exe
    "C:\Users\Admin\AppData\Local\Temp\58e7fc589a3c05771ab63c2dfa4754b931e0ef4d18a679f973943efddb59426b.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\Windows\{AF844EE7-70C8-42be-8546-018D5904AA7C}.exe
      C:\Windows\{AF844EE7-70C8-42be-8546-018D5904AA7C}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2588
      • C:\Windows\{2533F393-E2E3-43b2-9079-C3A6416935F4}.exe
        C:\Windows\{2533F393-E2E3-43b2-9079-C3A6416935F4}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2364
        • C:\Windows\{0BA920A8-BB67-4e44-8187-E7C1336A8403}.exe
          C:\Windows\{0BA920A8-BB67-4e44-8187-E7C1336A8403}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2360
          • C:\Windows\{95E6A248-7D9F-4587-80EA-E4B4309D3345}.exe
            C:\Windows\{95E6A248-7D9F-4587-80EA-E4B4309D3345}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3004
            • C:\Windows\{8667B6DA-CC3C-4cdb-893E-BFEB0B1501B4}.exe
              C:\Windows\{8667B6DA-CC3C-4cdb-893E-BFEB0B1501B4}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1928
              • C:\Windows\{AE17A831-9232-466f-A45F-B151A3E1F7C2}.exe
                C:\Windows\{AE17A831-9232-466f-A45F-B151A3E1F7C2}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1600
                • C:\Windows\{D0B0D8D2-70F9-4e30-8A46-92EB54BD5127}.exe
                  C:\Windows\{D0B0D8D2-70F9-4e30-8A46-92EB54BD5127}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1644
                  • C:\Windows\{12F0914C-084F-4ef4-BB1D-3090EB1F5082}.exe
                    C:\Windows\{12F0914C-084F-4ef4-BB1D-3090EB1F5082}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1648
                    • C:\Windows\{975DD46B-63BB-4235-9920-11A61344DAA4}.exe
                      C:\Windows\{975DD46B-63BB-4235-9920-11A61344DAA4}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2968
                      • C:\Windows\{D6724EEB-A70E-499f-94E8-4EDD16FA94E3}.exe
                        C:\Windows\{D6724EEB-A70E-499f-94E8-4EDD16FA94E3}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2884
                        • C:\Windows\{E08DC862-A6D1-4229-B0D4-0C80B5B01EF4}.exe
                          C:\Windows\{E08DC862-A6D1-4229-B0D4-0C80B5B01EF4}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:796
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D6724~1.EXE > nul
                          12⤵
                            PID:692
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{975DD~1.EXE > nul
                          11⤵
                            PID:2808
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{12F09~1.EXE > nul
                          10⤵
                            PID:2848
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D0B0D~1.EXE > nul
                          9⤵
                            PID:2408
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{AE17A~1.EXE > nul
                          8⤵
                            PID:2404
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{8667B~1.EXE > nul
                          7⤵
                            PID:1968
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{95E6A~1.EXE > nul
                          6⤵
                            PID:1236
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{0BA92~1.EXE > nul
                          5⤵
                            PID:2972
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{2533F~1.EXE > nul
                          4⤵
                            PID:2692
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{AF844~1.EXE > nul
                          3⤵
                            PID:3024
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\58E7FC~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2060

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\{0BA920A8-BB67-4e44-8187-E7C1336A8403}.exe
                        Filesize

                        90KB

                        MD5

                        0d55d818fbb51d3886455bd4fd46f062

                        SHA1

                        6c2483ad1d0d7fe144dc0755c25d641e3f2bd741

                        SHA256

                        92c0fc2bfb684cddb59eb8f70eb82daf314f8b9dc4e039a77c386ef6bf1bf1a9

                        SHA512

                        8de543fcfd0b5d17b3bc5c407f4e79fe43c667eb3d7449b6577fd82e4075f0d31586f809efff23435b2bdcd5f0db4546786249d78142fc67541287dec245c469

                        Download Submit

                      • C:\Windows\{12F0914C-084F-4ef4-BB1D-3090EB1F5082}.exe
                        Filesize

                        90KB

                        MD5

                        a85bba324c48cc0ce8ba646bbf6c77aa

                        SHA1

                        6e09c7622dd017d13f11f5a5616a184d634cdefb

                        SHA256

                        97be366f2c71c386ae74711e21bf95ac712d8b1065da20891dc59e3e5c137d6c

                        SHA512

                        64566c8e20075f887689cc49495ea2590856766cbe0d2a65d3feb961ca36c95302cd8a8676a779eaa8f9dda09c63e00cae12b0c5d59c6fd4fb913cfc6df590d6

                        Download Submit

                      • C:\Windows\{2533F393-E2E3-43b2-9079-C3A6416935F4}.exe
                        Filesize

                        90KB

                        MD5

                        383a1b5df46bb00ffa5fa34c5a397715

                        SHA1

                        21b888af3bb85c6982f5e4a8c4902892438800a8

                        SHA256

                        c4283842a64c2caa9fd40d3bd0ff3bbd3e8c5a36128f55be797933090fbd3ba4

                        SHA512

                        c747b6c0670660e15b8cc6afda0e0e9c59c03f097d456234de4fe79990ad75aa4229a32a335f2802deb113a4e261d52f4813e705af9256ab217bc0d870f2c91e

                        Download Submit

                      • C:\Windows\{8667B6DA-CC3C-4cdb-893E-BFEB0B1501B4}.exe
                        Filesize

                        90KB

                        MD5

                        03e2fda90f8d8ac0a40dd4a42959c1ab

                        SHA1

                        48e5c8919e0204ab7c4d13603b0e719709989824

                        SHA256

                        a18919a0bdbf24f5592071774e0b9b04bdf5a4e6c86a898221e665119935b78b

                        SHA512

                        4809322b57abf59e69e9fc942955e0c66ca3fc540da3aa1f17034a2d13b1047393e33efef4ebcec6373c7aecabc5ada26195768218a27591671364b0971fe7d9

                        Download Submit

                      • C:\Windows\{95E6A248-7D9F-4587-80EA-E4B4309D3345}.exe
                        Filesize

                        90KB

                        MD5

                        d529414e9f41a4760597ba121941277b

                        SHA1

                        fcf7808b46cef4fdcceaba4ec8ce042705a7868a

                        SHA256

                        cea4bd6afcef209c9494fc4850ed5b053a89c429e3883b18e0a62fd9a4afe2d0

                        SHA512

                        21b0c8b4b260a242d5866549e38ff942cfc458ca711525abba03a22d8a2e6af385dd4fb6851459fc80763d2dfb1c4238562fa77e35d071f4b6067e010b1decb9

                        Download Submit

                      • C:\Windows\{975DD46B-63BB-4235-9920-11A61344DAA4}.exe
                        Filesize

                        90KB

                        MD5

                        a6a8ab220d52e63fb9b74a5be897854a

                        SHA1

                        b5235272e277fccb295a1f37246d8251ce03c4a8

                        SHA256

                        ac92541e552c96732e71a06b128736314e73c237032726b5a0b14ca30aae25f3

                        SHA512

                        99e4dcc40bcc2a752ff9bc8a605d556e6b6bb823d087bdef7c8047f52d539db4ca8ef5d8bf027f039f2a8058192f92d029a24e761bfe2ef6d44c822634996ffe

                        Download Submit

                      • C:\Windows\{AE17A831-9232-466f-A45F-B151A3E1F7C2}.exe
                        Filesize

                        90KB

                        MD5

                        02bd3d55cae3986d5fefbed5217a1f39

                        SHA1

                        0d70fad2f64f1073591c431f3ce50ac1dd351692

                        SHA256

                        6de38037c500fbc162547f6aaf5841c8d218ac7460a7de58d7d21f30a19d3d28

                        SHA512

                        70fbd13269c34402bc3ac2317be1389bc080a63182d376b36929436b9979e994d90c7f86979e9e2e8778f99410fbcd77368c9aa10c6e1e69eaf1d6d085da1660

                        Download Submit

                      • C:\Windows\{AF844EE7-70C8-42be-8546-018D5904AA7C}.exe
                        Filesize

                        90KB

                        MD5

                        85a6b1ac8fd047718f615457591b7203

                        SHA1

                        69477a7033bd120c521c92ea19e8add84f193642

                        SHA256

                        8f20d7eeee886642c3ebda2461e0673d80b1d31a49795907b1344d2e2072a345

                        SHA512

                        529b0d4be5871e186570612afacdd6f95559a293de32371fb3e9a6a329f80a1df900de5a94975b5bd5fdf9154ba0a8e14a487c9f583a9ad4f2e6e39c15d38c94

                        Download Submit

                      • C:\Windows\{D0B0D8D2-70F9-4e30-8A46-92EB54BD5127}.exe
                        Filesize

                        90KB

                        MD5

                        fc6999edfe3796d723a4dfb9db319419

                        SHA1

                        dd17eb8bd05a82f14d839fbac5543aea9284284d

                        SHA256

                        afbf0b54baf0c3793a5afc174033a01dce96b009718b3e00d5de709fb9fe4ff8

                        SHA512

                        50faaaf1b0193118af5a565cf817fd6254465bc905456c530e1edf412ac70ef0888f1f216b455a55a372c5a373e0673d2e7978e2317e2ace1161950db2545700

                        Download Submit

                      • C:\Windows\{D6724EEB-A70E-499f-94E8-4EDD16FA94E3}.exe
                        Filesize

                        90KB

                        MD5

                        ae79b74885d069e917c65934964180bf

                        SHA1

                        27cad69ed5e85ef258c74c9b49685969942d39f7

                        SHA256

                        f994bd7a0f94dca15bdc3197166cc5ca5b063ca72fc88e199dbc78abd262d9b7

                        SHA512

                        367614c61fe6c10650e3dc6db92bd4e3d5bc0bdfb2017c4b98e85d8947df9a022a10117740761457d43af047a7ee8b27a8aa46d9c907e18ca83eab7149007c0c

                        Download Submit

                      • C:\Windows\{E08DC862-A6D1-4229-B0D4-0C80B5B01EF4}.exe
                        Filesize

                        90KB

                        MD5

                        6f6ad8ca305ed6bbce6dcd496e259f0c

                        SHA1

                        cf3faf979f3ba0cc042d9dfa610282d3d6e44990

                        SHA256

                        ea8a9cfb0025a06b2c66485b33dabc016fb8a65c7507a141863f24b15f0a1f39

                        SHA512

                        54f46f71de9078e6436bee6a3348ab093b6450b0e5567c3ae9a0a2fd15e004be5c541f1c5111e52cdfce2340c40761eb7b5dec2e5e57b362adf43b759532e2fa

                        Download Submit