Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
-
submitted
05/07/2024, 21:57
General
-
Target
5951c5a830d9bceed02ef5bd8a31158d878310c839e2b9208bbc659121b2169b.exe
-
Size
79KB
-
MD5
0c8d320a1db1aaf29599053baff755aa
-
SHA1
d6aadff847e0f3b7c23c8d1cf75154c4427a30c5
-
SHA256
5951c5a830d9bceed02ef5bd8a31158d878310c839e2b9208bbc659121b2169b
-
SHA512
8ea4751c8a7a6395806d5c3f9509cfb520d0af1899646b8e149e3f225912f134b189fbb694cfbb478f5278c926d9185e7c8335fb35bbf52c61de1c6945910baf
-
SSDEEP
768:4vw9816vhKQLroK4/wQzXOQ69zbjlAAX5e9zz:wEGh0oKlGizbR9Xwzz
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Executes dropped EXE 12 IoCs
-
Drops file in Windows directory 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5951c5a830d9bceed02ef5bd8a31158d878310c839e2b9208bbc659121b2169b.exe"C:\Users\Admin\AppData\Local\Temp\5951c5a830d9bceed02ef5bd8a31158d878310c839e2b9208bbc659121b2169b.exe"1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{50BB4542-DF13-4db8-B163-25AA1508EDDE}.exeC:\Windows\{50BB4542-DF13-4db8-B163-25AA1508EDDE}.exe2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{E3E8CEF4-26E6-4066-B656-6E9A645191FF}.exeC:\Windows\{E3E8CEF4-26E6-4066-B656-6E9A645191FF}.exe3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{D93B3DBC-010F-4121-9C18-DE99CC3B7D96}.exeC:\Windows\{D93B3DBC-010F-4121-9C18-DE99CC3B7D96}.exe4⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{5792C002-2234-480b-9CB9-6777361016E0}.exeC:\Windows\{5792C002-2234-480b-9CB9-6777361016E0}.exe5⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{FE753539-9B8C-4564-A98D-C17BEA9A68A0}.exeC:\Windows\{FE753539-9B8C-4564-A98D-C17BEA9A68A0}.exe6⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{D7113E89-3FAA-4d8e-B3A5-D4C956BBFACA}.exeC:\Windows\{D7113E89-3FAA-4d8e-B3A5-D4C956BBFACA}.exe7⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{E12E39F1-4A6B-4dcb-B153-1DD6C3024779}.exeC:\Windows\{E12E39F1-4A6B-4dcb-B153-1DD6C3024779}.exe8⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{D652F90D-0E16-45f7-98A9-AEF786B20496}.exeC:\Windows\{D652F90D-0E16-45f7-98A9-AEF786B20496}.exe9⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{40680F4C-E230-42c5-B606-588EB31BF2F6}.exeC:\Windows\{40680F4C-E230-42c5-B606-588EB31BF2F6}.exe10⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{D0BD1C9F-258C-43bf-AEBE-DA2AE2E707FA}.exeC:\Windows\{D0BD1C9F-258C-43bf-AEBE-DA2AE2E707FA}.exe11⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{1EE04062-02FA-4510-9370-C892F9B24490}.exeC:\Windows\{1EE04062-02FA-4510-9370-C892F9B24490}.exe12⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{50439C6A-0BD4-4b5c-8232-730565584709}.exeC:\Windows\{50439C6A-0BD4-4b5c-8232-730565584709}.exe13⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{1EE04~1.EXE > nul13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D0BD1~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{40680~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D652F~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{E12E3~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D7113~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{FE753~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{5792C~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D93B3~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{E3E8C~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{50BB4~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\5951C5~1.EXE > nul2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
79KB
MD536fe1c392996c7d9a83d0542cf8dca31
SHA182ada1f8959927e2b6caf535cc614ce0701b0140
SHA25698c3ed4054feb01f74dbce31101fb623d2841e95509d2a99d66ed497527b734c
SHA5120a74c734c4c650ed0a535736e52bc2e7ff37f8e247c263121998e838e6acdb066624990a5758fd7d245add2c04b1ab58328f2a6a53989b57a4388890a950ef23
-
Filesize
79KB
MD5678e8958f10175bcf02a7f1813c5c6aa
SHA1d0698cbd79db530027a0de39f77db77b237a45ce
SHA256dfdf8074194742b6070c2181dee3410d065928b032fe05172f0775a92da023e8
SHA51238ff5a75f1efebc03c609f98a0f2d56bfcffc85745d8a8927303177287f50a0871b6eb6f6813caf35929f2442a3281c48ef1d65f7f4ed789bea8cf5af09118d8
-
Filesize
79KB
MD5df6d14c9d79257d993ac8e7308d47006
SHA19eca52025a7071df4e4765b2bb01b45dbf1e4311
SHA256d24822c3c49feeba9aec7d4a661950413f37e84f56057adb9d00614af794af22
SHA5127bbcecd33b361057e7862cdf5c5421e782b1fc082f968d292c7beb3152b71c72a44ab028353b15d6437dce756b018c42d1780cbced4a44be10c854c8d8eac98c
-
Filesize
79KB
MD520fdb2d89b7c26ee9f2cfde116c69fb0
SHA1b182d9a33665d0e47d9d492a42da1ea18919a350
SHA256bf42136d6ae629c71ab61fe7dc65c190d6f11643114e8c9b148504a6ae7df4d3
SHA5120c665625a3549d01808e4dc75f436d2afa13c02092d97d10433df728d5ca679acfc02183ca33286e3c9c4192ac175008aaff62ba090445eebc234a9b5b463466
-
Filesize
79KB
MD5754a9dfd6b72887cbf542d70e09b6b8b
SHA103530d5110ee0909f6d10d0410c1cc21f7c9d665
SHA256c3d01c6dfeb636ee337ad0bb1680c31fa36c0a926584eef654bdaba2a06564ef
SHA5124d99e2867a4202f54c9e83a6f225e53344f22476153c8294c22178067c30e98ae9892044298afd4ec657777e26782eac1372ac6524b0c96f8158f7240c3f1f40
-
Filesize
79KB
MD5685e4790dadc1a1330c2defce5e38584
SHA101ab30d6f8f15a71194fae95483362c5cb144131
SHA2562f5ce0ec4275f0ba50d9db7075e5bf560e87d20f2a151308d99955df6b451de7
SHA5127c6b77b1ea32cc95ca1380bed230df0cac5e650596d5e58c3a7f70eefa250b2d3bf23b57f8849ffa19cb85bcf6d7653be4198da0e03706a688891a4d84a9fe62
-
Filesize
79KB
MD5b8b0a9c3eaf8bf31de1eee4d2c2a159e
SHA115184a6dc8b2fee7f7c4d36c00468e2df90603bd
SHA256b8aa00303d5daf8c2d60ce791e4602904593d2c9736f3ebecf56e95cc9485e94
SHA51243f4520040ee628d83a70aeda4f20902a470eb9d69429204bd22d9f4ca43dba724c8abc7879e307af2e24d9c4c76d90e306bb14cda64a0d06fd34a815eaeb878
-
Filesize
79KB
MD5c1867addb31f68aff075ad62d8e9e212
SHA1077d8fda52d00c3cf430c1fc062cde52f88d0e58
SHA256325946e46168af22b6e227fb929d032f16feaa2a284740c780a13d0a27cc98d1
SHA512c3361c9798499440ccf0195edc9a85515be945688056958eb9536e2f11d45324ec140ec03d04c7702d1e07cab7c4690392fa7a110d85a4b020336863cb237f8e
-
Filesize
79KB
MD53b84fabd72bed7bb504565fb3b188f6c
SHA160d91629e557000f5a1f2110234bd8ec17ef3801
SHA256a15feb1eb067674d3d6986c9b6179e4702d4165da92cfff385b583078e603e53
SHA5120a9ef4b5da9a85c80d5d59f3cf347e026179e948cd00b356ef5188f651db2874e7d697fcc51518e0adc19394c8a4664c377f43722eb89cc63bc5e6571eeb1f0c
-
Filesize
79KB
MD5de307542afd04e9c9cb3cb7fc52fee92
SHA154fcbf356256d30d0dd10738d008afc0925edc07
SHA2567ba90838d41381d1d44190bdce5864d6d1d677de63e445c632fee7f97d4c46de
SHA5125890b28ad8b21f8aae09cb89251b3d4fecc57fdc647b59480688d7602387846c618cd1ddec94d72402b21767cda6cfffe482483c79f5ca4f67d4fc38ab63336f
-
Filesize
79KB
MD5ce1fa2ae437c28ee6442e1a4022ad914
SHA10d7cc981e113aee6cfc9e2b1f8600848b275243d
SHA256bb42205c9f6fb844667ab4772106c1d5c06eef1d729dfea2d95c8d4baa903c7d
SHA5129a1ea82989614205fe65b877ebbff5a40a384f351bdfaba23d26e3fa43a3f87e1c7aa4951b757d5cc59a0115154bf81d6d0076d094b113a113c9e9dea4cb73ae
-
Filesize
79KB
MD58ae956503eac2b7081226bba6852a00a
SHA152a1492ef5eb84ac6a648f5a51569504a65bf132
SHA2563022c20c41faa085d29b5d772efecb4dc6c5dd1d366cb917b1ffd5a27046820b
SHA5125bc8eba8cf50ed6888b6dc87c2d177f9ef50d105f06723efc82ad521fa4d6ed7c10fd2892ed267ab095aeed95a5f635ff073e4707917a661841a5666ea22f3cb