Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

7696421b95...0b.exe

windows7-x64

8

7696421b95...0b.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    144s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    05/07/2024, 02:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7696421b95628297fb70568fe413a30b.exe

  • Size

    216KB

  • MD5

    7696421b95628297fb70568fe413a30b

  • SHA1

    6589ba00a75425f6d1b6f774efd07971205f933e

  • SHA256

    49da9344d88869b93c3dddfd0800f78daa6906d2ca50aaefee6e4fa282c867fb

  • SHA512

    e7edf11d020370ce34cc83cf8509884ee522ce7961278f639ed26d1b784ee5dc1fd5a3788f7d135f0921cc6da3fe4d4ff82b29f1d6caf66893556cfec4cc64e7

  • SSDEEP

    3072:jEGh0o8l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG+lEeKcAEcGy

Score
8/10
persistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7696421b95628297fb70568fe413a30b.exe
    "C:\Users\Admin\AppData\Local\Temp\7696421b95628297fb70568fe413a30b.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2340
    • C:\Windows\{34301B7B-C0EA-45ab-80DC-1D21E8F32BA6}.exe
      C:\Windows\{34301B7B-C0EA-45ab-80DC-1D21E8F32BA6}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2572
      • C:\Windows\{B8C4AF84-E44E-4f1d-BD0E-F7FE67B7102F}.exe
        C:\Windows\{B8C4AF84-E44E-4f1d-BD0E-F7FE67B7102F}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2540
        • C:\Windows\{E9170C79-21B3-4bf2-958E-955AD6CEE4AB}.exe
          C:\Windows\{E9170C79-21B3-4bf2-958E-955AD6CEE4AB}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2932
          • C:\Windows\{9E75282F-18E7-4509-B12C-D82CBC913DAC}.exe
            C:\Windows\{9E75282F-18E7-4509-B12C-D82CBC913DAC}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1584
            • C:\Windows\{F4735F0A-8BC9-48d9-98D0-1501C2DAAA7D}.exe
              C:\Windows\{F4735F0A-8BC9-48d9-98D0-1501C2DAAA7D}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2700
              • C:\Windows\{E98A5CAD-3BA9-4ac7-BCCB-7576D6758527}.exe
                C:\Windows\{E98A5CAD-3BA9-4ac7-BCCB-7576D6758527}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1448
                • C:\Windows\{20357AED-C9CC-463a-8A67-D85D81E915E9}.exe
                  C:\Windows\{20357AED-C9CC-463a-8A67-D85D81E915E9}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1356
                  • C:\Windows\{08A7D44F-0E42-436c-90CF-53FDA57E6900}.exe
                    C:\Windows\{08A7D44F-0E42-436c-90CF-53FDA57E6900}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2016
                    • C:\Windows\{EA2A99C0-FF1F-4977-8CAF-91CE26D59ADC}.exe
                      C:\Windows\{EA2A99C0-FF1F-4977-8CAF-91CE26D59ADC}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1952
                      • C:\Windows\{0F459E66-8484-4596-8662-8F15EAE88ECB}.exe
                        C:\Windows\{0F459E66-8484-4596-8662-8F15EAE88ECB}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1744
                        • C:\Windows\{3CFA0989-9D43-46fa-837F-4D6076B8F779}.exe
                          C:\Windows\{3CFA0989-9D43-46fa-837F-4D6076B8F779}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:2712
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{0F459~1.EXE > nul
                          12⤵
                            PID:564
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{EA2A9~1.EXE > nul
                          11⤵
                            PID:268
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{08A7D~1.EXE > nul
                          10⤵
                            PID:1620
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{20357~1.EXE > nul
                          9⤵
                            PID:2024
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{E98A5~1.EXE > nul
                          8⤵
                            PID:1316
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F4735~1.EXE > nul
                          7⤵
                            PID:1572
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{9E752~1.EXE > nul
                          6⤵
                            PID:1880
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{E9170~1.EXE > nul
                          5⤵
                            PID:2044
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{B8C4A~1.EXE > nul
                          4⤵
                            PID:2500
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{34301~1.EXE > nul
                          3⤵
                            PID:2676
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\769642~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:3020

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\{08A7D44F-0E42-436c-90CF-53FDA57E6900}.exe
                        Filesize

                        216KB

                        MD5

                        c33791f6b5ca58e85ef9bcd46528f0f1

                        SHA1

                        6f50fdbd98ca9cd67b251589c594bf94a7337016

                        SHA256

                        440e574b2cad356bf1b5c05bd88bd53e157bc328a9fdd32ef44adbc5d6f3ebb1

                        SHA512

                        7e64a87cb42739972faf35e6fa77ceb5cc0f8cada17cb71ef5b4377e12404a1ff6c2947a330bf8e30bc68df3db693fdedfd22edbdef2e8819707ef67dae4e698

                        Download Submit

                      • C:\Windows\{0F459E66-8484-4596-8662-8F15EAE88ECB}.exe
                        Filesize

                        216KB

                        MD5

                        ee8db9731469aa66da8d3a7864034a1a

                        SHA1

                        391d1e66f00a58e243ed2e9c68a30d494dccee47

                        SHA256

                        880141efa6515dd0c9ffa88ca5814a6442ae3da60678572fbe80d30ff5a0c1fb

                        SHA512

                        42b20665ad8e953047d4e48f8da96488a7fd54c8a9c7105142792515f05838b725ab961fac407cc043bbd1957b1eb1a8b69b76636c15a5fd75ca77b3b1287cdf

                        Download Submit

                      • C:\Windows\{20357AED-C9CC-463a-8A67-D85D81E915E9}.exe
                        Filesize

                        216KB

                        MD5

                        ba863bcae263ba0a166acffa50a50f90

                        SHA1

                        cf0f4ca4d74c0f7ab8e475baf566675574b938af

                        SHA256

                        0dd7ea35415504e4bbe9a9b78e6a6cb9f164956193347dcf78105df96c343e83

                        SHA512

                        03b173fea72376d14d218a001678d22bdf8e8f1a3b4d1a65fa5c6270c1a14a0068bd6ba4d74f06feab853f77bf5707160d40074ff9da9d85b00bf403a7ff86fd

                        Download Submit

                      • C:\Windows\{34301B7B-C0EA-45ab-80DC-1D21E8F32BA6}.exe
                        Filesize

                        216KB

                        MD5

                        dbe3fef2645d9160d9461e432ef19537

                        SHA1

                        2c9e4a1949b75f4a2f1253a10d44eccc2c70577c

                        SHA256

                        e715ddc615dc12b798d165b3c359f24833f9f44b822bdccd5acf6ed0f128ea2f

                        SHA512

                        3b51392926e75e21daaf111d7ebefce3c7887ba0ac86f695a49ef1214246a81e87ebe7f22ad8bcfec1edaf073d4e8c0c0faa24bdcc4376d19e9cf829affdaaa8

                        Download Submit

                      • C:\Windows\{3CFA0989-9D43-46fa-837F-4D6076B8F779}.exe
                        Filesize

                        216KB

                        MD5

                        45ab7c467cc8061f31454eab7496848d

                        SHA1

                        7f97048f73bd9f0405126f3cf2478852bc2616a4

                        SHA256

                        0ada2abcc15d6c5673f875d353fde1163fc2f82f58487b9b52e85234fa626ba5

                        SHA512

                        0c79ed6f0664f5e003ad1228649034e7245f680f9a9fb04bd253cf53f4d6158905b5664593e5f806a6bb7c9a9962d3fa1b48c07acd1c231b0a2be55d46540375

                        Download Submit

                      • C:\Windows\{9E75282F-18E7-4509-B12C-D82CBC913DAC}.exe
                        Filesize

                        216KB

                        MD5

                        0ffc0c6098df03df2aee9032158bde9f

                        SHA1

                        5368c129a905f6e57a488febd5d1c13422453927

                        SHA256

                        6662dfb4d672d95a26640316d60b7e55bf90f2ca20ce487f28403cb1b30f72d7

                        SHA512

                        df5c4321663ec51010c47a62ab4dd6f6743c6abeb3ef91c89daafa568fa8c80589688c6a9b12d54c105190e8273156e7735eb6084250e3527ce0b98f95b631be

                        Download Submit

                      • C:\Windows\{B8C4AF84-E44E-4f1d-BD0E-F7FE67B7102F}.exe
                        Filesize

                        216KB

                        MD5

                        cae431fab4db957e06a3535cf242f2d7

                        SHA1

                        968563a2b2d1f5a34c6cf47cc206930072d32618

                        SHA256

                        049da0c7fa4790dbe60ff8583177de261df27c206c7ab44f8eb3e50a47b3031f

                        SHA512

                        9752e58370798aeff1510af37043dfc780a10d8e2b89505c9f5f8edde5826be250b1e4fab77afa0be214c5304d787afed177f20bd5ebd1d8bf869f45fec078ab

                        Download Submit

                      • C:\Windows\{E9170C79-21B3-4bf2-958E-955AD6CEE4AB}.exe
                        Filesize

                        216KB

                        MD5

                        c0a1c412f0e6bc809c8618e52970384e

                        SHA1

                        49ead54a8dbcde43886f229821fb55be73e4b318

                        SHA256

                        4570a1ee26d96a24ecf7ae5ad19655660a18d2153c9e700d49dc51bc92fc55dd

                        SHA512

                        a64087eb7cc00749e824e6ef3c93e65bdb50d5b560c69eb3f1ba7b655c95e4c148fbc68676446c4a5fba6428b2c9735377173fea38a99cd60e07e0a7d292c2fd

                        Download Submit

                      • C:\Windows\{E98A5CAD-3BA9-4ac7-BCCB-7576D6758527}.exe
                        Filesize

                        216KB

                        MD5

                        5378360dd8e3c06ea9c809ed89c07cd8

                        SHA1

                        2e131e87629e0d08e434836b8e51194693260588

                        SHA256

                        c7fdb4cddc46c3b9045a45eea710f295b2f11f55dcf7df649436916b41fc17f8

                        SHA512

                        c5f7cf586a44a101c6f6463475ca30b9cfdfdb623cc776a3b36f2ce434780c92564d5f8b3470a2cbc14106ff2d0a4a5c853b97ea8a238f7794b4a609e5fcbb2a

                        Download Submit

                      • C:\Windows\{EA2A99C0-FF1F-4977-8CAF-91CE26D59ADC}.exe
                        Filesize

                        216KB

                        MD5

                        36eb98725a76078e2ba6a16934aeeb22

                        SHA1

                        4d83549cfa277af208f2a00962e0a0cec7d76a24

                        SHA256

                        21e8cba039cd8103c7e874f651be0266719506b497ad9bfaaf9f3fcc1e26ee61

                        SHA512

                        4bf9890f64353814388e8b3d75bc31245400c595154eddfa9e4351451f33d7730fc624c3a6dba74d4373b9fc5577da3b764465e6a3de9e6edac28c2380443305

                        Download Submit

                      • C:\Windows\{F4735F0A-8BC9-48d9-98D0-1501C2DAAA7D}.exe
                        Filesize

                        216KB

                        MD5

                        73f7a4920fc7c73934e39a8a3ad3d58a

                        SHA1

                        0a5e12316b3c43dec48c9afd01b27f58b090b6c5

                        SHA256

                        de6304015f4b920b783fbc924e32768042c770e2d0342a7615e89aa8bd7f4e96

                        SHA512

                        d7bcaf70e3bcbb84ca86d56631ae15b2e95d5a4071125feeb0fc1942ccbef298988a1be27545d0eca6f01c9a271c1bea8fb990e824199b02d7e26c4093ff0ef0

                        Download Submit