Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

0970699890...13.exe

windows7-x64

8

0970699890...13.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/07/2024, 18:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    09706998901c2ebd071ca05cbc5ec81921ba9d20ead1cadbc8654735509c8113.exe

  • Size

    116KB

  • MD5

    99c0caf5c211b625eefcfd223264e044

  • SHA1

    afb066c5f47c7c7989a2bf78a68f37204de57ea7

  • SHA256

    09706998901c2ebd071ca05cbc5ec81921ba9d20ead1cadbc8654735509c8113

  • SHA512

    f34693273e7fa80aca3c01d542ea75997415cebbf82e86b3ae2d1739d26991d4617989ec37fb0be79335a285c675a76e6ee0aeb097ed720646a44344fc871814

  • SSDEEP

    768:Qvw9816vhKQLroe4/wQRNrfrunMxVFA3b7glwRjMlfwGxEI5nWAwxt6sDntNiLJN:YEGh0oel2unMxVS3HgdoKjhLJhL

Score
8/10
persistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\09706998901c2ebd071ca05cbc5ec81921ba9d20ead1cadbc8654735509c8113.exe
    "C:\Users\Admin\AppData\Local\Temp\09706998901c2ebd071ca05cbc5ec81921ba9d20ead1cadbc8654735509c8113.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4520
    • C:\Windows\{0A28CF46-0D90-4e85-937A-27070008ABBE}.exe
      C:\Windows\{0A28CF46-0D90-4e85-937A-27070008ABBE}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1208
      • C:\Windows\{5E54009E-7515-467a-8985-CE89BECC970B}.exe
        C:\Windows\{5E54009E-7515-467a-8985-CE89BECC970B}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:324
        • C:\Windows\{2B57FE5F-3A65-4c64-8094-32DFEE717B07}.exe
          C:\Windows\{2B57FE5F-3A65-4c64-8094-32DFEE717B07}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:556
          • C:\Windows\{C81C9DA1-6444-4983-8E1A-877099943655}.exe
            C:\Windows\{C81C9DA1-6444-4983-8E1A-877099943655}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1688
            • C:\Windows\{5ED60392-3295-49e5-B7AB-C79511291A44}.exe
              C:\Windows\{5ED60392-3295-49e5-B7AB-C79511291A44}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4148
              • C:\Windows\{BF18BDA0-2DB6-4a0c-B620-86457CF2FD0F}.exe
                C:\Windows\{BF18BDA0-2DB6-4a0c-B620-86457CF2FD0F}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1272
                • C:\Windows\{CF6D8527-BD95-4895-B2E6-3DDAA913779F}.exe
                  C:\Windows\{CF6D8527-BD95-4895-B2E6-3DDAA913779F}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1608
                  • C:\Windows\{D939D4A5-13A4-45ed-B7F8-D85F8146476E}.exe
                    C:\Windows\{D939D4A5-13A4-45ed-B7F8-D85F8146476E}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3988
                    • C:\Windows\{F620D9B0-6F0E-44aa-80D9-273277E4E833}.exe
                      C:\Windows\{F620D9B0-6F0E-44aa-80D9-273277E4E833}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4008
                      • C:\Windows\{CC532636-C49C-4d57-88B7-ECA39A55CDDF}.exe
                        C:\Windows\{CC532636-C49C-4d57-88B7-ECA39A55CDDF}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:5084
                        • C:\Windows\{E15BAE0A-08AA-4880-ABC2-9DBB1A4BDB2C}.exe
                          C:\Windows\{E15BAE0A-08AA-4880-ABC2-9DBB1A4BDB2C}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:472
                          • C:\Windows\{6838F9AC-6BFE-4b68-8353-9E52C0B8A859}.exe
                            C:\Windows\{6838F9AC-6BFE-4b68-8353-9E52C0B8A859}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:4932
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{E15BA~1.EXE > nul
                            13⤵
                              PID:3456
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{CC532~1.EXE > nul
                            12⤵
                              PID:864
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{F620D~1.EXE > nul
                            11⤵
                              PID:840
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{D939D~1.EXE > nul
                            10⤵
                              PID:1588
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{CF6D8~1.EXE > nul
                            9⤵
                              PID:2076
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{BF18B~1.EXE > nul
                            8⤵
                              PID:1912
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{5ED60~1.EXE > nul
                            7⤵
                              PID:2460
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{C81C9~1.EXE > nul
                            6⤵
                              PID:4628
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{2B57F~1.EXE > nul
                            5⤵
                              PID:4100
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{5E540~1.EXE > nul
                            4⤵
                              PID:4688
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{0A28C~1.EXE > nul
                            3⤵
                              PID:3240
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\097069~1.EXE > nul
                            2⤵
                              PID:3996

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Windows\{0A28CF46-0D90-4e85-937A-27070008ABBE}.exe
                            Filesize

                            116KB

                            MD5

                            a891f9c2c57d71b05d7c43ac8ecc5bda

                            SHA1

                            57f353c671cd92cd871412ee5160c8ffd900f32c

                            SHA256

                            e9cf128833b53cf3bfdc9df1bea70cafff1163b94b72a632e4d61cd67fcee416

                            SHA512

                            3f6958ca4a5f225514c8a9a9c3459ce7e0561bb3d7919d01bf5bde1c45db911f1f060c8c685c29df17ae0636ccdc13176fdcd80778e1626c7c9ca9922b2039c3

                            Download Submit

                          • C:\Windows\{2B57FE5F-3A65-4c64-8094-32DFEE717B07}.exe
                            Filesize

                            116KB

                            MD5

                            6d1feaa87f55a981a26bb87dc3f597e7

                            SHA1

                            3c6aae953d5b3924fc30cdf280bb1439378824b5

                            SHA256

                            4445e194b9841e5efea3408a937d878a47667204e6fefec209960e43329b77f5

                            SHA512

                            690d258fa15dd3b936c73be1f9b1a3a0a9d5019ae01895fee8ddbdac4784119d6c678055a1db3a4b2b768644a32efa975266097e38df87d8413565703ebb3be8

                            Download Submit

                          • C:\Windows\{5E54009E-7515-467a-8985-CE89BECC970B}.exe
                            Filesize

                            116KB

                            MD5

                            4720e358f9d8cb4128176a5041f19952

                            SHA1

                            2a543e60e762329775ec3fb4b790f5fbcbe385bc

                            SHA256

                            a47f324365bf4d3549c52d78db85098872b89fb8671f56d9bae21cdc12003926

                            SHA512

                            790f8250f2fa48c5e57741ee5aaf537592983c746a581d2213891f8e1bfe92c2d10be170fd149a34a7bb024986b7263c9469bfe204b27bc7123fca5602e39bad

                            Download Submit

                          • C:\Windows\{5ED60392-3295-49e5-B7AB-C79511291A44}.exe
                            Filesize

                            116KB

                            MD5

                            90f3970807a8d9e3d37ceaa03f7f2500

                            SHA1

                            f49f40f5d891026a680fcf513d979b9b2b6918da

                            SHA256

                            3ec052ee0864f767522aa4d8587df23418ce54aacf5e14bbf9a0c99af0e3873d

                            SHA512

                            aecbbae5d55ce2cce265dbbe43a123e7ee4128dbee400b361a6e8cd73e34fbd67bf956e282f8d6f8843b66c574d35bf2446684b67b0e943b97de3b3a5d280685

                            Download Submit

                          • C:\Windows\{6838F9AC-6BFE-4b68-8353-9E52C0B8A859}.exe
                            Filesize

                            116KB

                            MD5

                            e840bf17f2e3e47a1e82f9fe40322d74

                            SHA1

                            42805c7d257600430bdc9e862c0ec79f94b6d45b

                            SHA256

                            3434768492482c299c44c5d858ae4ec5dfcede3fd99437b831ebc1943c050f1b

                            SHA512

                            c7e5fee6df3edd27c8f1d50707a17e7bc00d48e7c2b35e9f11de27aa324e1cfbd684ba62427feba1a76ccaa88bdcb2c8f04b71d1d74f471fb1501ed841baa28d

                            Download Submit

                          • C:\Windows\{BF18BDA0-2DB6-4a0c-B620-86457CF2FD0F}.exe
                            Filesize

                            116KB

                            MD5

                            904f5dea9c347c3c58a397fda2e5cd29

                            SHA1

                            2895f2f21fab169832d8b05ec9cacc4584a8ac68

                            SHA256

                            5f42c2548de4c5292a869cf92580e1932c6baef3de25352a5e786b962212d7c4

                            SHA512

                            d52f3b35cf8d298af9e8b9f5307bd6709768aa775511019fc30ba8c091fe76c1ce5e8915791e2d4e585b93d6a20f37b6b8ad48ed1232c814e789b5ada0ac22cb

                            Download Submit

                          • C:\Windows\{C81C9DA1-6444-4983-8E1A-877099943655}.exe
                            Filesize

                            116KB

                            MD5

                            e5f4a743d65a54c48993b53d3599530c

                            SHA1

                            3c301b594e3bb8726e9aa592cd41da6186520d43

                            SHA256

                            4ab6c007d7be4106c6180c56051b733b5f58d58ac41a5e6aa4bcdd44c475cc41

                            SHA512

                            04f32c38a337752ffe42c93405469a1992a3c667aa949bd63d3d9ac498689794e772a825c0506c0072977db24a97e4345ef67a982e49e2d225a142c11a53f746

                            Download Submit

                          • C:\Windows\{CC532636-C49C-4d57-88B7-ECA39A55CDDF}.exe
                            Filesize

                            116KB

                            MD5

                            0b450803785659c317c6bc05751e8a13

                            SHA1

                            b117392373b55d1234ebfe79190228cef80afb2c

                            SHA256

                            6378241db22ed04502a2552b3b6f88d500b71f5402c471ef9fd6fad874932edb

                            SHA512

                            0433bb6f298274b4fbd94f6d321b5c3dee485d5bca010ee0d2cb633cb95c586937c8bd95c3ec9ce94281bdd365e45e90e53232e147d49c5f2355784158d16738

                            Download Submit

                          • C:\Windows\{CF6D8527-BD95-4895-B2E6-3DDAA913779F}.exe
                            Filesize

                            116KB

                            MD5

                            523fe7ad4d88a40e82f28c73bcaa319d

                            SHA1

                            ce41ec379e018e629b6a442f62491fa82cbab464

                            SHA256

                            c01e6a1a658b7e97090024c2be3f0d2e87d01561d57c245c41f14be46372acf2

                            SHA512

                            8ff0b4e7fb0d6c9912759a5a4d5e7c9093283c73f3da7e98c5b8545c0a1371087766a7d1058d88a4d7dc5dc546718680cae8a7092e7c5719fb981019cff1185c

                            Download Submit

                          • C:\Windows\{D939D4A5-13A4-45ed-B7F8-D85F8146476E}.exe
                            Filesize

                            116KB

                            MD5

                            abb1383a422f76b1bd609d6b2093f46d

                            SHA1

                            d181174664f77cb1ff77fa6e1213a61e2b1ddc36

                            SHA256

                            9f578f3a6275fb919bca4e8ba99558ab2e9e66da641fc2ad151bcfdde8500c33

                            SHA512

                            ffc032e92584f1ec3314adf586ddb07439a9b1eeb854fe670ee0eeb530d5eeed28fe26fa91bad619c45a0dff27a4002013509166a2631e9187226b8672e55b3a

                            Download Submit

                          • C:\Windows\{E15BAE0A-08AA-4880-ABC2-9DBB1A4BDB2C}.exe
                            Filesize

                            116KB

                            MD5

                            28f11f2eff750eb3e2827f60e20e39e8

                            SHA1

                            fddd3e6ca8de745b49a8b9e29b5d0a2e7fbc258d

                            SHA256

                            87c5528d4436441b7748c09091388fd9b530b984a9a2629dda5cc6bfe4453d0d

                            SHA512

                            3a7d0e1d63d8b899d33096a4005826f5de670e75306bbad27146f2804ddb6ebc6d20b2372f5a411b0749c7842b3e7e74d4cd5358ca3aa98e03c605ba3e12809e

                            Download Submit

                          • C:\Windows\{F620D9B0-6F0E-44aa-80D9-273277E4E833}.exe
                            Filesize

                            116KB

                            MD5

                            3ec36b48d5f914c66df75cf0e9615205

                            SHA1

                            51c3b5734cb6ff661477e5fa386b27071a67af10

                            SHA256

                            01c8b1ceb21a924c9f759b57121a0990d910706737dd8b6c0206bb36443f9293

                            SHA512

                            dfc3dd8931ea8dc2912c6c135f5feba7bf499b58978252f9079a6a0967a53758462d8404bb96aad3027734bc72fd4bfdccfe6036d4e62531602f1fa04fd7f746

                            Download Submit