Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
19/07/2024, 12:51
General
-
Target
29.exe
-
Size
319KB
-
MD5
e8e59836a0fe2dfebcbde148711b5d56
-
SHA1
cd8fbf0dcdd429c06c80b124caf574334504e99a
-
SHA256
2960a2d4d2fd6b7b85b8e3ea4c86ec0c13b93bfd3754a7e772a2c74f564b0009
-
SHA512
0d0673c64f9e9e1c75e10ce6d02c4b5530831d1659ada88acf951e2bcbd56c38f0c59674b3eb7837fd882b23499eb350f2925fd67d3fdf51992d9a4312a02309
-
SSDEEP
6144:CZABbWqsE/Ao+mv8Qv0LVmwq4FU0fNoy6BJXCcOS8W78U2kGHF4143nip:kANwRo+mv8QD4+0V167XDOSDN2JF41me
Malware Config
Extracted
Protocol: smtp- Host:
smtp.mail.ru - Port:
587 - Username:
[email protected] - Password:
9b0P96R6nBreNQrU3Cte
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Checks computer location settings 2 TTPs 33 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 33 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Hide Artifacts: Hidden Window 1 TTPs 1 IoCs
Windows that would typically be displayed when an application carries out an operation can be hidden.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 33 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\29.exe"C:\Users\Admin\AppData\Local\Temp\29.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden powershell -c C:\TheDream\RootDesign.exe2⤵
- Hide Artifacts: Hidden Window
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -windowstyle hidden powershell -c C:\TheDream\RootDesign.exe3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c C:\TheDream\RootDesign.exe4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\TheDream\RootDesign.exe"C:\TheDream\RootDesign.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\TheDream\RootDesign.exe"C:\TheDream\RootDesign.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\TheDream\RootDesign.exe"C:\TheDream\RootDesign.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\TheDream\RootDesign.exe"C:\TheDream\RootDesign.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\TheDream\RootDesign.exe"C:\TheDream\RootDesign.exe"9⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\TheDream\RootDesign.exe"C:\TheDream\RootDesign.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\TheDream\RootDesign.exe"C:\TheDream\RootDesign.exe"11⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\TheDream\RootDesign.exe"C:\TheDream\RootDesign.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\TheDream\RootDesign.exe"C:\TheDream\RootDesign.exe"13⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\TheDream\RootDesign.exe"C:\TheDream\RootDesign.exe"14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\TheDream\RootDesign.exe"C:\TheDream\RootDesign.exe"15⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\TheDream\RootDesign.exe"C:\TheDream\RootDesign.exe"16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\TheDream\RootDesign.exe"C:\TheDream\RootDesign.exe"17⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\TheDream\RootDesign.exe"C:\TheDream\RootDesign.exe"18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\TheDream\RootDesign.exe"C:\TheDream\RootDesign.exe"19⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\TheDream\RootDesign.exe"C:\TheDream\RootDesign.exe"20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\TheDream\RootDesign.exe"C:\TheDream\RootDesign.exe"21⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\TheDream\RootDesign.exe"C:\TheDream\RootDesign.exe"22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\TheDream\RootDesign.exe"C:\TheDream\RootDesign.exe"23⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\TheDream\RootDesign.exe"C:\TheDream\RootDesign.exe"24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\TheDream\RootDesign.exe"C:\TheDream\RootDesign.exe"25⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\TheDream\RootDesign.exe"C:\TheDream\RootDesign.exe"26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\TheDream\RootDesign.exe"C:\TheDream\RootDesign.exe"27⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\TheDream\RootDesign.exe"C:\TheDream\RootDesign.exe"28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\TheDream\RootDesign.exe"C:\TheDream\RootDesign.exe"29⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\TheDream\RootDesign.exe"C:\TheDream\RootDesign.exe"30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\TheDream\RootDesign.exe"C:\TheDream\RootDesign.exe"31⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\TheDream\RootDesign.exe"C:\TheDream\RootDesign.exe"32⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\TheDream\RootDesign.exe"C:\TheDream\RootDesign.exe"33⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\TheDream\RootDesign.exe"C:\TheDream\RootDesign.exe"34⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\TheDream\RootDesign.exe"C:\TheDream\RootDesign.exe"35⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\TheDream\RootDesign.exe"C:\TheDream\RootDesign.exe"36⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\TheDream\RootDesign.exe"C:\TheDream\RootDesign.exe"37⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
122KB
MD54dd7de6b45e46f8219cc73e9a934c0e7
SHA11c9629aeb0e6dbe48f9965d87c64a7b8750bbf93
SHA2561be40e8ac11d6da8045bd03be3e57f0b36b6ab7dc390ff7208a0a4e7688b6b94
SHA5125565da2ed0e5a9670dc4f909177ac324c3e4e02c449968a115653eabbdbcd4023e60629ce381268fe7f9d005dc2021fb896fba1ec659e30766fd485e7c54e3dc
-
Filesize
147B
MD5d8cd589b53f6d74942d98d4c82512aad
SHA1ff031dee15b3c980c360d52879928fbf8763c218
SHA256821f223eedc119c7aef598145adacac40f23ca881c1e46c89b7d2991206fc879
SHA5123d1f9d8f44320582191a79544c7e92984a719baa843c4d434dd352274b36e2c4ce2fd0635d35e3a7c8e3816a3e0f4d594dee1aea4dc39f559baee9de07d9d1a1
-
Filesize
162B
MD5dafb6093983599cc82131eba6af9bbbd
SHA14d5473a2e30f861de5c4660df14493165dbdb752
SHA2562fc206c8f04c43dcd4bc812ab6c12d07a0ef7447b92118ae835ebc6c70322664
SHA512ee21dd5493c03906bd32599fca7fa855aab13b1c081800b4712aef0e5f6df5efbf5a83d845f06b441b947f80baa37896a0ca34bf40931361ae08aefc2ae1818c
-
Filesize
177B
MD53351ee38cfa00c4cc3000d5598ff682f
SHA10a41c241373539c0f605c7bfbd8fabb91b531f50
SHA256153b89ecbd299f2784654af31dfbc453ed9cbb056d0b1cea555ade58e959cab6
SHA5124c53d08d4a590d85443c4bdf06d4f8a93d0190dc7f39f04776a86c47e2eee923ee68b9648924756a6df117583142148cbf1b7b3a5892b47aef0fcf5a65e40a58
-
Filesize
192B
MD58daeb4ba900bb5e03eab746a865ad656
SHA1a8526976747823e663406671c732cc673a8998b8
SHA256a52722599320b9f43fca351277e1037d24be2717476f94dea828740fc85d0c7d
SHA512d1de28852bbd5540e5380db837f8826225c53cfca526192fbf04b614366089c857d9b91c121da0f9eb54fd1f142e268c4a4c3348b0a1cc499cb0422addc49541
-
Filesize
207B
MD52c2cf75a6eebe3a18e39f3cc3b3526ad
SHA16f84185d58143f06bfa1fa2731a3f72ea61a65be
SHA256c17dc344d54037839cd3aa3f42eb6bbf0c4e8f56a70c096dc0e16c779a5136cb
SHA5125cad3db7c248c69c26059d5e3b78892114f9506f197414d4a0052aecc47526eeac9530c94fdfc47c0617e8b3a1316a15155bbf20a533e9aedbe8ef0dd7905dff
-
Filesize
222B
MD5713b9c938fdca30556ac7adaef6a798b
SHA1a7de02d3fbf13530680dfc8207f7418ddf1b9261
SHA256dbd75bbf6c55e920dfe85e4143eb37e3a712cf0e1284d0708654754e98da1203
SHA5126af08b5a22b846732ca8bdec06e353e7ee5a25274eac401391aca72647f848259197b35b2cfad5525a0f0d38f898cc2702bbb98821ca3381f48cc163b6d66cee
-
Filesize
237B
MD5f745284d52bf303eb21dd335ba68861f
SHA105932030f4f9fec8a081bdb4bdcb8bf052812714
SHA25697502347a779a78f5321a640533ac1d6e47b6ba9ba4fbf4fae82e05cdca02dcf
SHA5121c747b96164dabc213b056355e6e9b86b1ed15e7bc3754545e6078f9a0d8b5574f0e126eff0f2e79dec37a71f0bcc51dfd58e170324d6846d8da33ef7c434077
-
Filesize
252B
MD57051d3d0b3ea82763db5cfb114cb8e73
SHA1d7b91e3c8ff7a4ba138863f2be523a3ce5ac39d9
SHA2560e52e53705a90716120178c3f5233cad45f8ce976372c703b54af0437df24729
SHA512bf10efd94bea2204376f14145261ec6681768d8e56ed8e7ed3893c75334a33ef758c9a3d6b6726f29ead04836e6f9c43808ddc911ed4826d076f01f82332cef3
-
Filesize
267B
MD59794c29029f19be205f04b79740c16da
SHA11c75286cd39bba60e410d46ab79e41f5634a5e9e
SHA25670e85fc21d705babb7d66fea5a866341548554e0708f66a0f1629ad53b4deed7
SHA512b5aec94ec02a89fcb4dc58256f1f64da21fa99cd5eb4f0afe07ad5a5492d618362bfdf97b87b3a4d4c90d16a56f551488cb2340ae0aebe8ff8abe5a607dd29a2
-
Filesize
282B
MD53bd7927e142b931f02fdc92b33d65b03
SHA1ca4e4ac12dd327a40670c67e4a4fa9ad10fc898d
SHA256ee37628000ed1c410d32bf0770d110badd4a759c1ab93e0e98543f0e4a1bbdc8
SHA5129edea2a1e350a978bf3fa0759a9854f408fd84d1bcbe8d696bf18d6b48a971d29a72149c8663600c3f400351862a680723c09f3363c5ae8c0311e1f209f64aa5
-
Filesize
297B
MD5dcc987eb71cb6c19a50c76a4ee823503
SHA1f1c2288fb20e41d49f8a7a56675c6aa4941f78ff
SHA256fbf76e9d2db3fbf2f3689008228f07b3a3f96261150c5de910301460686863d8
SHA51296e882c04cbbb25550d441d7fe51905a1e60b55952d67d767939b005f76d4c69a7153b04f32598d71c213aa38c7dff95419001ea3a4ccc94e3e3aeb67cc483b3
-
Filesize
312B
MD562a70841255614df72f2197a664cf302
SHA1ccd03b0f8b3476040c42a53c23a07dfa3acdcbcf
SHA2566e92e462b0a5c16c2c8096dfa846cba97d578f7037754c42550e25f676f2c991
SHA5125b5b6f0a4f0eb2a421ea5f3d04d1eb27d9061be6c04a36bd31e63a2b9f15e51114735df35c0cedadbfb4cf786401773eafd64b5b83ea488d8c0526265eb63020
-
Filesize
19B
MD57453af0163269cc7d73f0ab6249f0c44
SHA1efddb08025b7f1265a26c2f975ef9eae79a30914
SHA256f602f95f04559a02e9db7ad17a8bbfbfcb88508ea3088287206cf49559aa78e7
SHA5128a295f780cc5d4b7a6e5193043b37bae1d905ed0353d248366b27215d3b2cf71d298aa0a83124ab1312fbdfae21c61a4a8e582183f90b8d762bd6defd00befd0
-
Filesize
42B
MD58e2f3ea44a3109cd7c997e341fbb0848
SHA14e806989b5115e78fc285343c32799a0d956dd58
SHA2561c05146ad5bfa97d97d9b9954a414e1574f4e880fe158935742c56fbba0dad97
SHA51258fcae865fc791960488dadb19c03f9740dd2bb591bddb784f81aa19b5165bad19a90f48d76a9c664bddb099cb2c7190db73d22b5a438fca90363cda847103a7
-
Filesize
57B
MD53e61e97c146d665ae013525ef2efc2bc
SHA120573ac5f24d92395bb180ec0163a462358e32a8
SHA256c4c26827fc0cd29c87cc2285256468c5e2b0fa10aa221bfd4f8ed5e0e4fed445
SHA512353a7fd519bc7806644086b41c1ce18db4479139a07b69f67d59e9441e2fc96959a97b7f7a046948c2dcb43aabcde06186e8c9671e672f5dcd63a44793e5bb9a
-
Filesize
72B
MD5b1516e5042906a480ceff78b8fbaaad0
SHA1d04d9615958c75c158ffabb683b10fb54a2927e2
SHA25669878e3879aa1e03e2b7f87fba6363f2c483b2ba59063f5b2ec9703b1e3de520
SHA51272318e5732b3d08dde165ecba91c7de2f88f4514a91d9a06cfa3e2cfe40acf1789ce2920722c1d84b407438e61ceacfcc57d78f2951bffe1531a6e0e9fc3ebc4
-
Filesize
87B
MD5d78719fbc5e9f62664c9f9293bc428de
SHA152cd5018fca896f468b2eb12fa11e5506e7f01af
SHA256fc36e711346081bad59231ce666766186f0a9eb2900a4dd298d2d031997eda9e
SHA5122e2a2b9408e0075130a8a711c671563408778f100584ec25b6c7088376f7ea646a04d7179d5aa5f2f042e63628ef4a17288591cdba268ba11a185329a9bbc73b
-
Filesize
102B
MD50807686feaa4927dd069eacd9033bd6f
SHA1881a2f899685a08ef9ae966de52ffb4a466252ae
SHA256e3d77fe6df37322304fbd84f0f2151c8a61dc552b81f9c1ab5795f7f8259ae3b
SHA512ae5fc7e51697635bf9c91f79d3a731cd86f1b488a0106e385a8145c8fa43b7b02e54cc5c6fcc24e2f4fd53a3c576ccf9b997ddddfa602f2cdd832a43410425cc
-
Filesize
117B
MD5db862b536fe918ae2db5ceef2dadcec2
SHA1246f2a25a6b843881b51238ea2f04953ec9f55c1
SHA2567daae2af54fce003adc5eebe944776ce62a782ee467f91a7a3c70228b20dd4de
SHA51288c4d5d525d5ecec596c879ccda97c29b48657d3476dcb4c4c2c04e5dc402551b6aa8a53c4b10e8abfbccdc62ff852266bb1b8c1f1d7320c9f060d05f94f8215
-
Filesize
132B
MD57ced0b3f9f1274597368d8fecb485583
SHA1b9ba92fe52804e9d639e89007fed2aedfa92c0d7
SHA256fa45407c8270888036aefbc2dfcc0dab66833e64617adc495e3279545d0d489b
SHA512c5464fb5eafa3117894ea520d12802b6a939771ec2f3954ca20ce1504a6af530cc9b5c2d5e90e6f3303631ea43d33fe52373c607399e224bd31669c21ecd4aa3
-
Filesize
1KB
MD596cca7a6ce0df83a5eaacad47f26e6c0
SHA1a203126275c74e9974ba23a1269e8f5104b134b3
SHA256e29461f622da1d1f9e37466f5dc1f96bb10621454cffc5fd4dc73ae2f973d344
SHA51211dc5cfdf4ed957fc8ebc4894ff8e2cbbd64864032159625bd6b92daa16053cad12cb61c17416a55b76c3722174cf751bd108665402ea426225670589520cacb
-
Filesize
1KB
MD528854213fdaa59751b2b4cfe772289cc
SHA1fa7058052780f4b856dc2d56b88163ed55deb6ab
SHA2567c65fe71d47e0de69a15b95d1ee4b433c07a1d6f00f37dd32aee3666bb84a915
SHA5121e2c928242bdef287b1e8afe8c37427cfd3b7a83c37d4e00e45bcbaa38c9b0bf96f869a062c9bc6bb58ecd36e687a69b21d5b07803e6615a9b632922c1c5ace4
-
Filesize
11KB
MD50d5ef7a198778abe7f99b7694ef39525
SHA1b7110fe6dcc9ded5db2b9051be4b7639956da962
SHA256a576871a3e9f1f14b0f2cf9515b0c07d109c2311baa3f8bffa2460ee3a83b926
SHA512d33bca0b825eada371c864027e4dae1404c2bcfaf231cc5d07dc1a275d8ecd74d7a66a8860febd65e88ea119ba5071d5d7967089a88e57f0f311ec6f9971dc05
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD57bd81fbdf14eec36d9010d939c543eed
SHA19ecf838859c6deede5704bd863414f2ce2c9d997
SHA2560bf9b889297388aeca93fc5da8e2c1e59e921c4e78fd24f3086fbb8fcf52e75d
SHA512e31fdbf19bf23a5f0eaaa7969afadfb84a8492e7c69de439bf2706d0ed93d014c8486b690bbb98c95fdb0eeeab4c5e3a83622400a3ef3d2c0d4ef903c1986d52
-
Filesize
216KB
-
Filesize
24KB
-
Filesize
40KB
-
Filesize
136KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
152KB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
216KB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB