Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

56e1da5ba5...0N.exe

windows7-x64

8

56e1da5ba5...0N.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    16/07/2024, 02:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    56e1da5ba551a748358720eed8192200N.exe

  • Size

    91KB

  • MD5

    56e1da5ba551a748358720eed8192200

  • SHA1

    fde2f8c1380fdafe7b3bcbb91bd08c327a300a80

  • SHA256

    7cf8b75284e42eb18a0d5b00d5df3c274c3ccbd1db5e7078acec56bf1d38e4ca

  • SHA512

    0cd13b6c756777b74aeb49f2148a81ebcbd7c0e59f6db7d5044a70e8d781396e1a3bd20ccad35cb024f105ccbea64242c138852d5be28a92a0173b32f6421729

  • SSDEEP

    768:5vw9816uhKirob4/wQNNrfrunMxVFA3b7t:lEGkmoblCunMxVS3Ht

Score
8/10
persistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\56e1da5ba551a748358720eed8192200N.exe
    "C:\Users\Admin\AppData\Local\Temp\56e1da5ba551a748358720eed8192200N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:648
    • C:\Windows\{018B27A4-9803-4b18-89AB-CCE4D0A8E621}.exe
      C:\Windows\{018B27A4-9803-4b18-89AB-CCE4D0A8E621}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1704
      • C:\Windows\{45E3EF4B-333C-4eea-B4B1-D59B222FCAF3}.exe
        C:\Windows\{45E3EF4B-333C-4eea-B4B1-D59B222FCAF3}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2896
        • C:\Windows\{1636251A-E6DD-4056-A134-6381A6FDAECA}.exe
          C:\Windows\{1636251A-E6DD-4056-A134-6381A6FDAECA}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2072
          • C:\Windows\{E21C27D4-4402-46e6-9910-B361EE5955C8}.exe
            C:\Windows\{E21C27D4-4402-46e6-9910-B361EE5955C8}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2636
            • C:\Windows\{4E3EA360-1FE0-48b3-86D0-65C48B225DCD}.exe
              C:\Windows\{4E3EA360-1FE0-48b3-86D0-65C48B225DCD}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1164
              • C:\Windows\{518D2CBC-30DC-4074-822B-AC9CEEFE64A0}.exe
                C:\Windows\{518D2CBC-30DC-4074-822B-AC9CEEFE64A0}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1168
                • C:\Windows\{C5FE29A2-AF3B-49b8-AB9A-E1254327809C}.exe
                  C:\Windows\{C5FE29A2-AF3B-49b8-AB9A-E1254327809C}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:588
                  • C:\Windows\{8F805C7B-4957-44d5-BB9D-8DFD51B8EF8C}.exe
                    C:\Windows\{8F805C7B-4957-44d5-BB9D-8DFD51B8EF8C}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2020
                    • C:\Windows\{88C8F73D-2798-4642-8FC6-95640B4FED95}.exe
                      C:\Windows\{88C8F73D-2798-4642-8FC6-95640B4FED95}.exe
                      10⤵
                      • Executes dropped EXE
                      PID:2312
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{8F805~1.EXE > nul
                      10⤵
                        PID:2084
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{C5FE2~1.EXE > nul
                      9⤵
                        PID:1604
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{518D2~1.EXE > nul
                      8⤵
                        PID:1128
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{4E3EA~1.EXE > nul
                      7⤵
                        PID:2040
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{E21C2~1.EXE > nul
                      6⤵
                        PID:784
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{16362~1.EXE > nul
                      5⤵
                        PID:2696
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{45E3E~1.EXE > nul
                      4⤵
                        PID:3008
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{018B2~1.EXE > nul
                      3⤵
                        PID:2768
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\56E1DA~1.EXE > nul
                      2⤵
                      • Deletes itself
                      PID:2804

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Windows\{018B27A4-9803-4b18-89AB-CCE4D0A8E621}.exe
                    Filesize

                    91KB

                    MD5

                    5b55d409569eae5144aa6a971b60818e

                    SHA1

                    218b8c42b1caa2ff458348a4b31d2d4c56e67741

                    SHA256

                    6255f09ad5ca0d76df0e44daca114eaeeee94d37f389590e676797bf3e8d92f4

                    SHA512

                    cda7e487ea326e26d6b70a9e8c8242d783a4417fa9d1f7bb7a102ca58a2defcfa829968bb51163ce660b086258f1d140dced840d8e9bd31ec36b9caebf4c8e4f

                    Download Submit

                  • C:\Windows\{1636251A-E6DD-4056-A134-6381A6FDAECA}.exe
                    Filesize

                    91KB

                    MD5

                    c8bd83248ff449b0cddbbeb050377465

                    SHA1

                    8a60ec1617d060500572ab282fcafdb4c7828594

                    SHA256

                    335735cf1545b120d2287368c3e123cec03782d83bd3bce132f3db9e5d76cd71

                    SHA512

                    d8707417f3d0346523a4333f2b315280c048fc7ea05a8dcfc6c1dabede41fb77a995bda74f7677e39ff7f34cb5859d09da1e187719690f19e5fd7e9413061e6c

                    Download Submit

                  • C:\Windows\{45E3EF4B-333C-4eea-B4B1-D59B222FCAF3}.exe
                    Filesize

                    91KB

                    MD5

                    24eb4c963699744e3fd28ca90d76afe2

                    SHA1

                    408d5d4fc69e9cf4c8fa5714f6490a3b10f4b0d4

                    SHA256

                    c37537ff9fcd46d1bf2fc0bf7d1f4a60a6c3796d78d746da3f6cac6f787c030e

                    SHA512

                    db04cbb8eacdff975b9532e81656555813878bbb54d5e3f51b87f104deea42de561913174f8c1c8b37521cf421292fac5ceb3611edee9f64fadd69d07a96c2d4

                    Download Submit

                  • C:\Windows\{4E3EA360-1FE0-48b3-86D0-65C48B225DCD}.exe
                    Filesize

                    91KB

                    MD5

                    e315588519afe3fd591d135c5051aced

                    SHA1

                    18bbb1aaf905c4a4d955467bf495f37473d37ed5

                    SHA256

                    a55c8e99dc58a61939c587886b06a09b2026b171cf6dc7446bc3a633326c22c9

                    SHA512

                    9b94609c8bf9914ee5160fbe43d1ae4611877c707fa1e4b3d09e3fc74582fd32a4bd2999b9a4b03a339ecdea1a70fb90e9069d04cb809be573fe15d24394510e

                    Download Submit

                  • C:\Windows\{518D2CBC-30DC-4074-822B-AC9CEEFE64A0}.exe
                    Filesize

                    91KB

                    MD5

                    af10340ca2e77afad161e33ef2c53dd5

                    SHA1

                    07d9df9a34128bbe61d8898f6a55b7a6065d7d23

                    SHA256

                    91d9d634b39e6e6db123672eaa0fad82f1643f0f9c24cfcd1da7917cbf6dafbb

                    SHA512

                    248bc2f14279b1adcb2eac9471cd2e7558c52fc83bb5bbfb8f2dd1daadb63650242b451429405c2659cf83b0902d80d85972c637002325ce7b50636a5bbea6d1

                    Download Submit

                  • C:\Windows\{88C8F73D-2798-4642-8FC6-95640B4FED95}.exe
                    Filesize

                    91KB

                    MD5

                    58e60e09c5de65406913a96a7e1c1900

                    SHA1

                    8c0f492d88ac96e4e1ad234fa179b9418bc41c5d

                    SHA256

                    bc22b7a249ccc8637f289d5c662afefe8a3f8e6a8699b3b37efee5d2ca712bb2

                    SHA512

                    c63c4eaee72707de35d34f7a55980821e43fe778ea29636bba15448673be7151a95c449ce2767d01a76c7faa88cb1e63948c9e0d1ec543139b7f4e8d7ed43efe

                    Download Submit

                  • C:\Windows\{8F805C7B-4957-44d5-BB9D-8DFD51B8EF8C}.exe
                    Filesize

                    91KB

                    MD5

                    d4b1aca2ea3aec3ce4fac21df7259b40

                    SHA1

                    b39ab166fb6b2379ce86dee1a0c2960eec72d2f3

                    SHA256

                    83a0b2c2b9db2d3ee46a4839d109a7feea5d1f430ce62e00b172045ce07b7258

                    SHA512

                    08ca8f155b16aa9bbdac9154cc90f75c30dd865bcce3412a0dd9d192d2dff6ff8f96d6872b3575ccd82b7e4b1746b9e7ef54dd032076dae66a013a0541622c24

                    Download Submit

                  • C:\Windows\{C5FE29A2-AF3B-49b8-AB9A-E1254327809C}.exe
                    Filesize

                    91KB

                    MD5

                    b870bbbc4d47b763d69cc8e17fcdc536

                    SHA1

                    118579402561c29971d034ff3fb1aac1295a8ae3

                    SHA256

                    5aa4d680afaa51bad844b94a7ff418d1316720135dc9eb59b4bae8094473cefd

                    SHA512

                    c87d48356faa434c812a9880c07d38c79a792bf7bd1743072cdaf470b9feaba1131db958f49eb7f31715eaa9025365cbcb41842e6c57c3e5163aa24878ef7bf4

                    Download Submit

                  • C:\Windows\{E21C27D4-4402-46e6-9910-B361EE5955C8}.exe
                    Filesize

                    91KB

                    MD5

                    79c4f644e69cc0eaf5ec3247fa7d37a0

                    SHA1

                    318274731ab552d9d6b5850e49a4a4e4d39af3cf

                    SHA256

                    19ecdaa700135f60b0faad986d8f39ca74ef357804fbe9b1654cc853a9be1df8

                    SHA512

                    a1a7378c7e7c3840280ec407fb9b1e17bf600258e88024423088fc21da2dcfa68a04100ef7ba213432acb62ce12320013b4fc29ca25fcf8f454ed32689ca85ee

                    Download Submit

                  • memory/588-69-0x0000000000400000-0x0000000000411000-memory.dmp

                    Filesize

                    68KB

                    Download

                  • memory/648-0-0x0000000000400000-0x0000000000411000-memory.dmp

                    Filesize

                    68KB

                    Download

                  • memory/648-8-0x0000000000400000-0x0000000000411000-memory.dmp

                    Filesize

                    68KB

                    Download

                  • memory/648-3-0x00000000002F0000-0x0000000000301000-memory.dmp

                    Filesize

                    68KB

                    Download

                  • memory/1164-53-0x0000000000400000-0x0000000000411000-memory.dmp

                    Filesize

                    68KB

                    Download

                  • memory/1168-61-0x0000000000400000-0x0000000000411000-memory.dmp

                    Filesize

                    68KB

                    Download

                  • memory/1704-17-0x0000000000400000-0x0000000000411000-memory.dmp

                    Filesize

                    68KB

                    Download

                  • memory/1704-9-0x0000000000400000-0x0000000000411000-memory.dmp

                    Filesize

                    68KB

                    Download

                  • memory/2020-71-0x0000000000400000-0x0000000000411000-memory.dmp

                    Filesize

                    68KB

                    Download

                  • memory/2020-79-0x0000000000400000-0x0000000000411000-memory.dmp

                    Filesize

                    68KB

                    Download

                  • memory/2072-34-0x0000000000400000-0x0000000000411000-memory.dmp

                    Filesize

                    68KB

                    Download

                  • memory/2072-27-0x0000000000400000-0x0000000000411000-memory.dmp

                    Filesize

                    68KB

                    Download

                  • memory/2312-80-0x0000000000400000-0x0000000000411000-memory.dmp

                    Filesize

                    68KB

                    Download

                  • memory/2636-43-0x0000000000380000-0x0000000000391000-memory.dmp

                    Filesize

                    68KB

                    Download

                  • memory/2636-45-0x0000000000400000-0x0000000000411000-memory.dmp

                    Filesize

                    68KB

                    Download

                  • memory/2636-44-0x0000000000380000-0x0000000000391000-memory.dmp

                    Filesize

                    68KB

                    Download

                  • memory/2636-36-0x0000000000400000-0x0000000000411000-memory.dmp

                    Filesize

                    68KB

                    Download

                  • memory/2896-26-0x0000000000400000-0x0000000000411000-memory.dmp

                    Filesize

                    68KB

                    Download

                  • memory/2896-18-0x0000000000400000-0x0000000000411000-memory.dmp

                    Filesize

                    68KB

                    Download