Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

0fa682f33d...0N.exe

windows7-x64

8

0fa682f33d...0N.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/07/2024, 17:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0fa682f33d57229b8797c1a09e8336a0N.exe

  • Size

    90KB

  • MD5

    0fa682f33d57229b8797c1a09e8336a0

  • SHA1

    1c447304f1f68205cbd65e7c0aaf88ed90301e00

  • SHA256

    9f64da239f64caf981905dcb9cbca1f64c396c38e102f273397cb44f8c050a70

  • SHA512

    8f6516332c6bba85375f6276e26389431d0ce486793b1a1d06e9e0ed4a14bb1cb01b28452a1ab7cd3ba39ff99b54b77e441c0af7896d79850e3338bb9101be4e

  • SSDEEP

    768:Qvw9816vhKQLron4/wQRNrfrunMxVFA3b7glws:YEGh0onl2unMxVS3Hgz

Score
8/10
persistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0fa682f33d57229b8797c1a09e8336a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fa682f33d57229b8797c1a09e8336a0N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2844
    • C:\Windows\{941D7F72-90C6-49b7-BEE8-818115DA2080}.exe
      C:\Windows\{941D7F72-90C6-49b7-BEE8-818115DA2080}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4680
      • C:\Windows\{C112086A-5E43-43c2-9564-74DCA53E7D51}.exe
        C:\Windows\{C112086A-5E43-43c2-9564-74DCA53E7D51}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:672
        • C:\Windows\{3D4AEFCC-0241-46a2-8083-0175E001BF39}.exe
          C:\Windows\{3D4AEFCC-0241-46a2-8083-0175E001BF39}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2512
          • C:\Windows\{D3BA41BA-7D1C-4127-A538-99DF1FAE154D}.exe
            C:\Windows\{D3BA41BA-7D1C-4127-A538-99DF1FAE154D}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3368
            • C:\Windows\{6F27E425-7E73-4ad5-854B-1FD188F5558F}.exe
              C:\Windows\{6F27E425-7E73-4ad5-854B-1FD188F5558F}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3648
              • C:\Windows\{0CE90E21-4373-4522-8107-63EAC250CAB1}.exe
                C:\Windows\{0CE90E21-4373-4522-8107-63EAC250CAB1}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4632
                • C:\Windows\{CDC3FB9A-C836-4e82-AE22-AB61EEA18FA7}.exe
                  C:\Windows\{CDC3FB9A-C836-4e82-AE22-AB61EEA18FA7}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:992
                  • C:\Windows\{D4254A9F-2FA7-4871-B19D-9CDA48B2DA6E}.exe
                    C:\Windows\{D4254A9F-2FA7-4871-B19D-9CDA48B2DA6E}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:348
                    • C:\Windows\{F4F3459B-11AA-4d54-844A-C26973990F4B}.exe
                      C:\Windows\{F4F3459B-11AA-4d54-844A-C26973990F4B}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1732
                      • C:\Windows\{17543455-66DF-47cc-A5ED-1FCA23D72704}.exe
                        C:\Windows\{17543455-66DF-47cc-A5ED-1FCA23D72704}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1784
                        • C:\Windows\{C17C2AD3-76B9-4ce2-B29E-6DEEEDF3F34A}.exe
                          C:\Windows\{C17C2AD3-76B9-4ce2-B29E-6DEEEDF3F34A}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4520
                          • C:\Windows\{C11A3C0E-0229-4ddd-AEC7-7F94898155C1}.exe
                            C:\Windows\{C11A3C0E-0229-4ddd-AEC7-7F94898155C1}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:636
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{C17C2~1.EXE > nul
                            13⤵
                              PID:1404
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{17543~1.EXE > nul
                            12⤵
                              PID:4040
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{F4F34~1.EXE > nul
                            11⤵
                              PID:1196
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{D4254~1.EXE > nul
                            10⤵
                              PID:3020
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{CDC3F~1.EXE > nul
                            9⤵
                              PID:1332
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{0CE90~1.EXE > nul
                            8⤵
                              PID:768
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{6F27E~1.EXE > nul
                            7⤵
                              PID:2932
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{D3BA4~1.EXE > nul
                            6⤵
                              PID:1400
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{3D4AE~1.EXE > nul
                            5⤵
                              PID:920
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{C1120~1.EXE > nul
                            4⤵
                              PID:4164
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{941D7~1.EXE > nul
                            3⤵
                              PID:4688
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0FA682~1.EXE > nul
                            2⤵
                              PID:2024

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Windows\{0CE90E21-4373-4522-8107-63EAC250CAB1}.exe
                            Filesize

                            90KB

                            MD5

                            83887250f1281d284660f6cc29d649aa

                            SHA1

                            ba8a94cc5ea09056b59ae738b05b1e4f433a00e4

                            SHA256

                            608d3cb1e356b1035b559f7b3a4e8341fe0df2f76ec51a87f035577cc7625b43

                            SHA512

                            1d0ad407e56808d78ba0dc97f49cf64e20572358287bddf804595f2c892f66040a1bb7d0aa3023c8368ff8f8926bc5db53a6e30863bc143e3e8562034c7a0e21

                            Download Submit

                          • C:\Windows\{17543455-66DF-47cc-A5ED-1FCA23D72704}.exe
                            Filesize

                            90KB

                            MD5

                            97fbf7cba31cfb964a60a2e5b6ff2b8b

                            SHA1

                            65ae199d6788391ccea81b1889afb1098cc0c82c

                            SHA256

                            007a8bf9737e977bb90e19fb41ec8fde24382408852ad2491851064eb8e35510

                            SHA512

                            5edba5d93315201bda29a7fa4ff40258a159fd19edb409d61d9503d4a80c709d526eefbaad2e42ba6f3667dcd457cb225dac846c6ad6b92de6f032154c007b25

                            Download Submit

                          • C:\Windows\{3D4AEFCC-0241-46a2-8083-0175E001BF39}.exe
                            Filesize

                            90KB

                            MD5

                            2c7b95bc878976c8f03d71f3e02805c1

                            SHA1

                            3baa5b21addc95f7578fabea4d52d5843cac0dc6

                            SHA256

                            b93f206e0e2e99f0218802d1e4087f1062f2b919ad03a6c228836606ea67345f

                            SHA512

                            86e7cefd573610f047bff2c4d2c29b4dd99662b5834e41917f92e73eca62e3467e5538a35580c3e293d24887a5334d5f84f8bd010acc787bc41c0f6184fc86e9

                            Download Submit

                          • C:\Windows\{6F27E425-7E73-4ad5-854B-1FD188F5558F}.exe
                            Filesize

                            90KB

                            MD5

                            b7fa3423d18c652dd575e61ab1c58e4f

                            SHA1

                            d231e9ea6ca58fc31f0cd0ddd58685c15369ae23

                            SHA256

                            c74e7613502da1e080aa00d22e56e40b71a8e78c4ff1d0b76aa4cfe3f9fe38f1

                            SHA512

                            fd896e05910bc661fd24fd09d6f388d051199da20b2516ba33e55d15aad7d46459c68fe681379e136397938c78f0a32b5df97cf51834b8cc2cfd71bfb64e9411

                            Download Submit

                          • C:\Windows\{941D7F72-90C6-49b7-BEE8-818115DA2080}.exe
                            Filesize

                            90KB

                            MD5

                            a4c4bccfd96bb5f16bee0ab4ccca8fe7

                            SHA1

                            fde64c85399029634076248a9019c8a4d2bc0069

                            SHA256

                            a4d03bad5e7dc736035c2da8c87d3a835f5330eb89fdc85e9b886a42ce7e1302

                            SHA512

                            94eabc74111738577cc603f6a6c250c0d420e99c2852f4c974995cec0a58a9193532cff493a4e19fa18fc94b8277b1de542ea95c6d0b807ef79c94d3c7bfafc9

                            Download Submit

                          • C:\Windows\{C112086A-5E43-43c2-9564-74DCA53E7D51}.exe
                            Filesize

                            90KB

                            MD5

                            22cb625ec1e30489d600c747df467498

                            SHA1

                            d2fbec90ed6bb066d9bff18fc6fb85941dea9d50

                            SHA256

                            2cb30b21a48820e53c4a407a740d0c7ee789c345d4e66ffa5546b992667b9617

                            SHA512

                            ea6848e007ecfd4ac36a954963ec4c01fcb9489bf497d912e5faadc60a024f75d9b03facbaa3482a80a1eea878fc2c9cfb881e160d4f34381cd7a5dac07d5d61

                            Download Submit

                          • C:\Windows\{C11A3C0E-0229-4ddd-AEC7-7F94898155C1}.exe
                            Filesize

                            90KB

                            MD5

                            26ecfca802dfae4a9ea736169e9fa074

                            SHA1

                            820333ab06997d8c3edcafcf2e453bd122c777ed

                            SHA256

                            4a24d659d3287ce6126ae94fef71f5766f8b2813ad1ff6994c16da4936e74a90

                            SHA512

                            d2c2beb47f9d37ccafac4bf56da68835d1f412587c2f86fe6808b519782597a0d3defb853275c049d6965f6549645bcd9c5f06512997d411cca8d02007b04b7b

                            Download Submit

                          • C:\Windows\{C17C2AD3-76B9-4ce2-B29E-6DEEEDF3F34A}.exe
                            Filesize

                            90KB

                            MD5

                            8004c6291ec8a1ca1f474d8825cdab7f

                            SHA1

                            c361bbd7fbec4a0ac117ea6d36fccb967eab3cfe

                            SHA256

                            e5e6835d6793b0d4919eb00476c2da5711ec1a0fd8786f56c264f165ae88ab3b

                            SHA512

                            5513a8670579389cbdc86bf4c0a48412feaa85a9a1fb3244c7eeea7487bd06f4c43340468fe8e0e638f7147f18f6983968519dec6f8094040c11cd8fafc73b64

                            Download Submit

                          • C:\Windows\{CDC3FB9A-C836-4e82-AE22-AB61EEA18FA7}.exe
                            Filesize

                            90KB

                            MD5

                            946ce8f3362afcb63b959a2206021b2e

                            SHA1

                            0fcce789747c6042f794cd0ef417948f994f440e

                            SHA256

                            cd68b62e128847618d2fffd8c1c959cfbb04f2df2004c43e2e475712abb1c320

                            SHA512

                            82deb5ac05bdfa5419f590be62e6ee9f16b8381236bd2231b87a502aaa292697109ae0261495b5bcbbca51e90fd12200b0b59d3918618f0842f919217721eb2b

                            Download Submit

                          • C:\Windows\{D3BA41BA-7D1C-4127-A538-99DF1FAE154D}.exe
                            Filesize

                            90KB

                            MD5

                            2051f1f153f6af3562d73b0ed2c2e0b1

                            SHA1

                            269297f0050107db8c8ff1472de278ce422ce68c

                            SHA256

                            5331ac5528d09d68376dba732dff365b3f58b26c3add6c7b333fbf94e0d0cd3a

                            SHA512

                            ed0e0b74b5c2fccc6f28047d6dae40d1a29565b951c6426badd9997082a248347ce60dffd3f1806dd52d35f14a6e8f0c6a36de24832f7e7b42d66dc0156061df

                            Download Submit

                          • C:\Windows\{D4254A9F-2FA7-4871-B19D-9CDA48B2DA6E}.exe
                            Filesize

                            90KB

                            MD5

                            631e251fcfef99395be18bb87a5283fb

                            SHA1

                            5f04a52a7b34419442f43840b44165e8354f71ca

                            SHA256

                            0ea10639dc6d5745941cbb1d05781dc7272045eae8364d3338e922ec880d5486

                            SHA512

                            b8e522ac980e2e6f616bc6fd7ffbeb1c3c58f5a1c6e5193ae5dec1113cde1dd9f7ce09ecf92bee02d06bd2f9fadbf3344674d08f07e5714370a327debc799cba

                            Download Submit

                          • C:\Windows\{F4F3459B-11AA-4d54-844A-C26973990F4B}.exe
                            Filesize

                            90KB

                            MD5

                            27e54b3e05f6c2d23a99b15104ac7734

                            SHA1

                            02f99e69d1a0b7709a261ce0db200e9ddea82352

                            SHA256

                            3d2d3d024b0167a3c8e2d950803664ede6244c83e25c2011b5d01eced4542e46

                            SHA512

                            38d83057cf89a150dc9374df3a1ba0e99e2dd71818c241e4a83adb70519e1dc6c10a058d0534bde0086af3e0a652b9415d4762857b5e036e79dcaac76890fbcd

                            Download Submit