Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

15d4d4a02b...c0.exe

windows7-x64

8

15d4d4a02b...c0.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    144s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    08/07/2024, 01:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    15d4d4a02b095380d7335c704f434ec0.exe

  • Size

    64KB

  • MD5

    15d4d4a02b095380d7335c704f434ec0

  • SHA1

    613d47f8f1127bfafb0bc0fc586f871a6ec4c797

  • SHA256

    71535ad3f9b1b6a350d932b557af1e7499b1ff062061bd37106bcd64a527ae5a

  • SHA512

    7e4f6f6c387a4a052381089ea4e2a2d1a2120b2e63320a442810bb304d2417ec18a8002faca8b91b701e6d74cdab70c16249f8437014586bb1582c7df45e3c41

  • SSDEEP

    384:ObLwOs8AHsc42MPwhKQLrow4/CFsrdHWMZ/:Ovw981QvhKQLrow4/wQpWMZ/

Score
8/10
persistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\15d4d4a02b095380d7335c704f434ec0.exe
    "C:\Users\Admin\AppData\Local\Temp\15d4d4a02b095380d7335c704f434ec0.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Windows\{F999404B-A5F9-43d9-A954-5EFBF1EB6FD4}.exe
      C:\Windows\{F999404B-A5F9-43d9-A954-5EFBF1EB6FD4}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2192
      • C:\Windows\{7955B153-7559-47eb-B750-FAB10C3254AE}.exe
        C:\Windows\{7955B153-7559-47eb-B750-FAB10C3254AE}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2600
        • C:\Windows\{D2EA0ABF-6396-4e8c-BEEE-77576E16D42A}.exe
          C:\Windows\{D2EA0ABF-6396-4e8c-BEEE-77576E16D42A}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2468
          • C:\Windows\{7B72CAF9-4A87-4a21-B2C3-329899264292}.exe
            C:\Windows\{7B72CAF9-4A87-4a21-B2C3-329899264292}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1848
            • C:\Windows\{49A994B1-D6DF-46f3-8F70-EF00E4B94AB0}.exe
              C:\Windows\{49A994B1-D6DF-46f3-8F70-EF00E4B94AB0}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2916
              • C:\Windows\{306F3093-BC99-41d8-BF0B-8029602D7AA5}.exe
                C:\Windows\{306F3093-BC99-41d8-BF0B-8029602D7AA5}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:272
                • C:\Windows\{8E697B93-5908-4192-8FA7-D38D01DC1D0B}.exe
                  C:\Windows\{8E697B93-5908-4192-8FA7-D38D01DC1D0B}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2700
                  • C:\Windows\{483D66CC-7E26-4086-AA6B-44BF564FE717}.exe
                    C:\Windows\{483D66CC-7E26-4086-AA6B-44BF564FE717}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:864
                    • C:\Windows\{EF82FD85-376E-4e3e-9F9D-DE7536F58BAA}.exe
                      C:\Windows\{EF82FD85-376E-4e3e-9F9D-DE7536F58BAA}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2088
                      • C:\Windows\{C937C903-DE04-43bd-AFF2-7C2F6994F374}.exe
                        C:\Windows\{C937C903-DE04-43bd-AFF2-7C2F6994F374}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:656
                        • C:\Windows\{A7F07781-8F4C-4940-97C4-33CEC4C485B4}.exe
                          C:\Windows\{A7F07781-8F4C-4940-97C4-33CEC4C485B4}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1860
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{C937C~1.EXE > nul
                          12⤵
                            PID:1296
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{EF82F~1.EXE > nul
                          11⤵
                            PID:712
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{483D6~1.EXE > nul
                          10⤵
                            PID:2868
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{8E697~1.EXE > nul
                          9⤵
                            PID:2052
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{306F3~1.EXE > nul
                          8⤵
                            PID:1532
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{49A99~1.EXE > nul
                          7⤵
                            PID:1996
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{7B72C~1.EXE > nul
                          6⤵
                            PID:1428
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D2EA0~1.EXE > nul
                          5⤵
                            PID:2536
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{7955B~1.EXE > nul
                          4⤵
                            PID:2488
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F9994~1.EXE > nul
                          3⤵
                            PID:3004
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\15D4D4~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2112

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\{306F3093-BC99-41d8-BF0B-8029602D7AA5}.exe
                        Filesize

                        64KB

                        MD5

                        098cb12540f10243b2f88f0c6a4bab46

                        SHA1

                        09ee34f388a507c7e87bfe049de1c7a760e54b52

                        SHA256

                        e4c676bb565a9d5ebb2316416f25d6ae2b965bbd819a330f9b85e56dd812b9f9

                        SHA512

                        77013dac1ad45ec00c7bebb34b602677f2d6056ce09b4cdbe28fa7e12464bc3447dd006c2a5bb06b6da4fcfccac04768a2d9eb73b415d3a5aae674b71412d532

                        Download Submit

                      • C:\Windows\{483D66CC-7E26-4086-AA6B-44BF564FE717}.exe
                        Filesize

                        64KB

                        MD5

                        e88cc121bd391ee68ec74bfbf0bbeb21

                        SHA1

                        b55407451e905ccf5cd211022eef1828d0ddaec4

                        SHA256

                        a0cd0acc5da46686b71dbbe9e434b8a3c0e82990881184b4efa25cc02cf84225

                        SHA512

                        2fa3f06c7ac82d144a9c6c06eb2aaacffa1f74b6b05c09e5397ae1bd596afd79bdcc4cb25116f087327f3fa30f762e0a07f1b3c500230fd2c135bf9569a294a5

                        Download Submit

                      • C:\Windows\{49A994B1-D6DF-46f3-8F70-EF00E4B94AB0}.exe
                        Filesize

                        64KB

                        MD5

                        dfb6b16fb2c0d532537cf8e3fcac8b49

                        SHA1

                        6cdac5f0de72f43688a3c80a26949098c9b27ed9

                        SHA256

                        114d1bbba8050203d259f1018c3b054ea57c8b0538252ccd1a4ac31971308942

                        SHA512

                        4053f6e1bfcd2c84093caae723d7c67b04d7caf27241d12211b75f0bbf797433f0848540efc962cd15f7720d28b3bbcb826ac00c416aa7f5c4e0443ca3ddea1a

                        Download Submit

                      • C:\Windows\{7955B153-7559-47eb-B750-FAB10C3254AE}.exe
                        Filesize

                        64KB

                        MD5

                        380a5e8c62c107684cab38d580adfc83

                        SHA1

                        d57f45ad07489279e6164ed672121cd23b8d5476

                        SHA256

                        b598f14a6d3d5ff3ca35bf7e428896033836d83434ed58ecc349409a30c0c9fb

                        SHA512

                        a9840fbb93088f829b35dd31ec7347eddbdf877ff62d337705d5c9def8548d2f0db684898317d613c9a914bf646cff7988017e87b986e1807d69d835d727f2b4

                        Download Submit

                      • C:\Windows\{7B72CAF9-4A87-4a21-B2C3-329899264292}.exe
                        Filesize

                        64KB

                        MD5

                        3e0248136a55ae553e48e438d8314750

                        SHA1

                        e12b0806e9659688dd93ce805d74398a17f1a8b5

                        SHA256

                        efb6794f6041028173b3938968980c7d3cb99cc1de1360be7657a83ab92c1d45

                        SHA512

                        1e6e5454a3c56346efd9222e2654ec09e2fce467611df83c63de3abd4fdf99c68618745644f809634112fcc3c0ce9b60ded840b24c5a52525add7aff010d6c47

                        Download Submit

                      • C:\Windows\{8E697B93-5908-4192-8FA7-D38D01DC1D0B}.exe
                        Filesize

                        64KB

                        MD5

                        486f36194e28a1585990a662a435858f

                        SHA1

                        e1276a6c2d9b6899a0c0f54ec2dfe6e34e8e42bd

                        SHA256

                        7b76fce73f058c6d78e92c3467a6346324b0a2fc3ea346328579078b63318a68

                        SHA512

                        cc9c98c3fbfea57f71f345880481cb245135205e7a3936a2b7129cb4a17386fcc23a2ee042c4a07b632bcfb7367773b3b0fab37252f7992c07e9ffe7ed0c4cac

                        Download Submit

                      • C:\Windows\{A7F07781-8F4C-4940-97C4-33CEC4C485B4}.exe
                        Filesize

                        64KB

                        MD5

                        7ae4d9ad00b5f4f5448c9778e315a917

                        SHA1

                        58fcc79eae7c9dd5966adf88473b7372d5edbfe2

                        SHA256

                        ad849de8ced50b02e3089c9f6d61b0be181bd442f5c68d29be29f622d905e54a

                        SHA512

                        b9126115febd5b7a3b9615766d660903f90736c537715f222a5e2aa46b051956d8b639fd6ea9bdd1cc8f5fdffa76eaad6cca01e5253447aa04661afb083c4bed

                        Download Submit

                      • C:\Windows\{C937C903-DE04-43bd-AFF2-7C2F6994F374}.exe
                        Filesize

                        64KB

                        MD5

                        eae45b47c8017c991dc4bef03df31f82

                        SHA1

                        9c27ae80bc99eefd8a4debd0bb685f73e75ffcae

                        SHA256

                        6d8bab953a5689c2adf0cf8fdf18c5fc405172d14c6ec0953d8e340228363b7a

                        SHA512

                        0cb201d8fed1188a8104be8d21a4c8406e09317716658dd305022c9c5b51ba104793db966cabade34eb2a12301f2e78b0609a80bebed647fc54bc55c2d5429ec

                        Download Submit

                      • C:\Windows\{D2EA0ABF-6396-4e8c-BEEE-77576E16D42A}.exe
                        Filesize

                        64KB

                        MD5

                        d34b890285a9d8f3402ac48ae3cd0372

                        SHA1

                        5010f88d3522d339114cd22f40fa6baaf1567cef

                        SHA256

                        4a85207139d2649db815c98d5df9bce505e20a44e609abd2ce375c5f2c499af3

                        SHA512

                        e77e6a953de4f1a1c0037b06825767c45c8128e17ab168d47907d8a67ee707ae89e7fd5496f1767c91d4ae3c9a5cf3750fc26f5e5f075591aace3c915b3054a6

                        Download Submit

                      • C:\Windows\{EF82FD85-376E-4e3e-9F9D-DE7536F58BAA}.exe
                        Filesize

                        64KB

                        MD5

                        60b61f2ad55600f3e8156772390a98aa

                        SHA1

                        1190da860f73bc989277c245a4815f52f497b2c3

                        SHA256

                        c7b7cc02b6267e5a78d9439ac76011f98246aa7194015898a9e6689dc5b10426

                        SHA512

                        864b2d6692097664c5822104a8c814229e277ee4a47de6a4c3223b252e49cf6ed6572fa61af547577656204e00f4585e89bf508a43d59f3dcb5135b1dc5da3b5

                        Download Submit

                      • C:\Windows\{F999404B-A5F9-43d9-A954-5EFBF1EB6FD4}.exe
                        Filesize

                        64KB

                        MD5

                        def9b4eb9673a0522c4467fd0e7fb106

                        SHA1

                        fafde7969ac96bced144b2dc6d6c41950d541d5b

                        SHA256

                        df5fc69cf22fecbbdf7f3a1e2f940b764f91573afd31de62d75250dc7914ab7e

                        SHA512

                        5495e963e1536a9fd95231d586a7ace2f21022aefc5946e66f1263a95d3b5e5cd57efb0a794167228e79411b5f6fbabcb6d80fd386a67d6a04219ccfaab598c1

                        Download Submit

                      • memory/272-67-0x0000000000400000-0x0000000000410000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/272-59-0x0000000000400000-0x0000000000410000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/656-98-0x0000000000270000-0x0000000000280000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/656-100-0x0000000000400000-0x0000000000410000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/1688-0-0x0000000000400000-0x0000000000410000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/1688-7-0x0000000000270000-0x0000000000280000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/1688-10-0x0000000000400000-0x0000000000410000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/1688-8-0x0000000000270000-0x0000000000280000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/1848-39-0x0000000000400000-0x0000000000410000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/1848-47-0x0000000000280000-0x0000000000290000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/1848-49-0x0000000000400000-0x0000000000410000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/1860-99-0x0000000000400000-0x0000000000410000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2088-89-0x0000000000400000-0x0000000000410000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2192-9-0x0000000000400000-0x0000000000410000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2192-18-0x0000000000270000-0x0000000000280000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2192-17-0x0000000000270000-0x0000000000280000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2192-20-0x0000000000400000-0x0000000000410000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2468-38-0x0000000000400000-0x0000000000410000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2600-30-0x0000000000400000-0x0000000000410000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2600-25-0x0000000000370000-0x0000000000380000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2600-21-0x0000000000400000-0x0000000000410000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2700-75-0x0000000000400000-0x0000000000410000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2916-58-0x0000000000400000-0x0000000000410000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2916-48-0x0000000000400000-0x0000000000410000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2916-56-0x0000000000300000-0x0000000000310000-memory.dmp

                        Filesize

                        64KB

                        Download