Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

7594ce258f...0N.exe

windows7-x64

8

7594ce258f...0N.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    118s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/07/2024, 06:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7594ce258f46e0eb7a44b946fb98a420N.exe

  • Size

    60KB

  • MD5

    7594ce258f46e0eb7a44b946fb98a420

  • SHA1

    025e43c58df90d20c753db54c3ea83d7d82a1296

  • SHA256

    b0e6c97556c456edfb8a643f85e50e129be6dd5eab5ab617a6c8402f6512f873

  • SHA512

    04c5a55984435eba06b112cc799aaef4bd348280c3700d3fd9ba837e9961d5cc9a64a4598bbb63eb0cd49d6f8c7aba62a2686a8e9238e0dd0788d21d5d825c93

  • SSDEEP

    384:vbLwOs8AHsc4sMfwhKQLroN4/CFsrdHWMZ:vvw9816vhKQLroN4/wQpWMZ

Score
8/10
persistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7594ce258f46e0eb7a44b946fb98a420N.exe
    "C:\Users\Admin\AppData\Local\Temp\7594ce258f46e0eb7a44b946fb98a420N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2976
    • C:\Windows\{3C37066D-8768-48e2-93BC-842D1D8AE607}.exe
      C:\Windows\{3C37066D-8768-48e2-93BC-842D1D8AE607}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3032
      • C:\Windows\{76F9FF53-B720-4b82-9AC6-CFDBB64EC95C}.exe
        C:\Windows\{76F9FF53-B720-4b82-9AC6-CFDBB64EC95C}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4928
        • C:\Windows\{7C68889F-1022-4a56-B099-3DEB0EA5E7DF}.exe
          C:\Windows\{7C68889F-1022-4a56-B099-3DEB0EA5E7DF}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3772
          • C:\Windows\{E7D7D8F4-B83B-457d-8BCF-1A5E6036087B}.exe
            C:\Windows\{E7D7D8F4-B83B-457d-8BCF-1A5E6036087B}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2212
            • C:\Windows\{AF3025B4-34DC-4431-B42A-A0857447D81C}.exe
              C:\Windows\{AF3025B4-34DC-4431-B42A-A0857447D81C}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4376
              • C:\Windows\{3E408467-C4FC-4216-9C5A-DCF393DBCDE7}.exe
                C:\Windows\{3E408467-C4FC-4216-9C5A-DCF393DBCDE7}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1468
                • C:\Windows\{A00E1186-EFF1-49d5-8E18-A5A434EFFA80}.exe
                  C:\Windows\{A00E1186-EFF1-49d5-8E18-A5A434EFFA80}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2800
                  • C:\Windows\{768D4288-4FA7-40f4-AAB6-D7D6E2185670}.exe
                    C:\Windows\{768D4288-4FA7-40f4-AAB6-D7D6E2185670}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3896
                    • C:\Windows\{171B7DAF-C7F4-443a-9B31-24E165D8B5AD}.exe
                      C:\Windows\{171B7DAF-C7F4-443a-9B31-24E165D8B5AD}.exe
                      10⤵
                      • Executes dropped EXE
                      PID:5108
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{768D4~1.EXE > nul
                      10⤵
                        PID:3172
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{A00E1~1.EXE > nul
                      9⤵
                        PID:892
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{3E408~1.EXE > nul
                      8⤵
                        PID:3876
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{AF302~1.EXE > nul
                      7⤵
                        PID:2844
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{E7D7D~1.EXE > nul
                      6⤵
                        PID:4532
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{7C688~1.EXE > nul
                      5⤵
                        PID:1592
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{76F9F~1.EXE > nul
                      4⤵
                        PID:1148
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{3C370~1.EXE > nul
                      3⤵
                        PID:1388
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\7594CE~1.EXE > nul
                      2⤵
                        PID:2268

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Windows\{171B7DAF-C7F4-443a-9B31-24E165D8B5AD}.exe
                      Filesize

                      60KB

                      MD5

                      cdde689b6da5e603d4d34d7b134606f0

                      SHA1

                      96d6336c1b203257fcd1cef4e7ef2c1573e02bfd

                      SHA256

                      2c131beeba5e5627fad3c5df2a484f168856b837a5abb8ff50c819d8797e84d3

                      SHA512

                      3f79364f235be04c6634e94691738e354634889732fa27b1d6a74723d5af2eaa066eab81b31947323f48fb6619c71c459f8f34d16c401ac5133d95ccd265ba90

                      Download Submit

                    • C:\Windows\{3C37066D-8768-48e2-93BC-842D1D8AE607}.exe
                      Filesize

                      60KB

                      MD5

                      542df49bf1b78737daa7dbbcbdf155d0

                      SHA1

                      08106736049d9092c5c981da7ddb223d1039d28b

                      SHA256

                      b9ba1ae74b40a821c8eb42449731cecad5d703fdd95c66bb51d9156f217a6f23

                      SHA512

                      652eb2dad7248caa62bb93db79d1573cf3db7190073312cae63a45feb1512afe3c7abc1d6b7092942ba7b941421982eb54c93e1ce43ace114d3cd087428c6bd6

                      Download Submit

                    • C:\Windows\{3E408467-C4FC-4216-9C5A-DCF393DBCDE7}.exe
                      Filesize

                      60KB

                      MD5

                      d93b5508327e2f40bec9416424ec4357

                      SHA1

                      af240ee23a3f92bd2a76165807b33cff9bdd65cc

                      SHA256

                      22138503490fa1e5f35abb6e796f5cdf964b68e1b8896127faddc100385d0633

                      SHA512

                      bf0dd98456ef1386b8d343b6ede7af5743269812106f0a0034928dcaa7b02c282a2acc4d11ebf76dd745ec59735ea4896b8fe058d93b9860e700054cd6cd16cd

                      Download Submit

                    • C:\Windows\{768D4288-4FA7-40f4-AAB6-D7D6E2185670}.exe
                      Filesize

                      60KB

                      MD5

                      e851ee055cbd1b6ba42566f70cb087f2

                      SHA1

                      b6a8f6f5c3dd83b41468681029543e218eec6332

                      SHA256

                      c61530717c521f42ba805e6e1a3e43d8de6d6cc9d953d9927a1d1021968ca154

                      SHA512

                      ef8405214910110f0af03e000434c83638260af9b2a5015a7c686a54b5630ce296f26f1bf662a90c055504bdd34fc4e6f79d7835ceef8120bf165733c9ee08cf

                      Download Submit

                    • C:\Windows\{76F9FF53-B720-4b82-9AC6-CFDBB64EC95C}.exe
                      Filesize

                      60KB

                      MD5

                      314750c58cdb39b0bf38c5a1f3247834

                      SHA1

                      edda654ca689de5f2fede7ce1205c04b3ea13059

                      SHA256

                      a48e1455130629e20d6b701d1b0e4c180109b3253b058e8e964dd0b142cab01d

                      SHA512

                      8551a77c89d85d6520b23e88ed05b21255e40e5ae3e595991791731e321f0e6ff316f09b20239e1e2cc0f7a72812f5ff8c9e1dacd398c3e10d2da7bc8491fb61

                      Download Submit

                    • C:\Windows\{7C68889F-1022-4a56-B099-3DEB0EA5E7DF}.exe
                      Filesize

                      60KB

                      MD5

                      2f6ed82931e7ac6d506db7c2de97f8a6

                      SHA1

                      0551c0d02deed5b545aa219d6280154f784f333b

                      SHA256

                      059b4ea2afcda03205401b9daac7e25059616286256719b557bdbc774a01acac

                      SHA512

                      e5a0d1dd1008a6ecfb552f4926c46c5930756666e0768a3c83a257c549d66e723e0c8b5a656c5a4dda6a8dc9cd92fd1ecba632a229fc5f2e23e2221fc77d4288

                      Download Submit

                    • C:\Windows\{A00E1186-EFF1-49d5-8E18-A5A434EFFA80}.exe
                      Filesize

                      60KB

                      MD5

                      2e415bdfeb2c9689d5c232ffe462a19e

                      SHA1

                      8bfb91b5d71ff205fe8fd6682f6e73e45783e769

                      SHA256

                      5cf1b9edbf375144cad82e175b217a705ac1539218c545ee295f4820faa404d6

                      SHA512

                      7f875dc406d0d54949a813275010de345733cf5649502a6e686178c0685ff0cbc622b8e05420ef4b3bb28d2da5b22303114cba5be865a8ed5d133a1ac1260a98

                      Download Submit

                    • C:\Windows\{AF3025B4-34DC-4431-B42A-A0857447D81C}.exe
                      Filesize

                      60KB

                      MD5

                      7e12049a31c9c7123ca82805a4c051ea

                      SHA1

                      c8361b35e1677117923c8f8922b231b27bbc541f

                      SHA256

                      d97fba19a1d0011752b1b25d45b30636614a9f7c89ffef053de17b25c5afaba5

                      SHA512

                      de3337df8da86ebd64fe6b2413873bcb92bd5c978cc9c5ea184a5426e2f807aaa9adcabc7eecffc25234a56d23cf2381056e6e22ee5cf83ed99c552ab6804534

                      Download Submit

                    • C:\Windows\{E7D7D8F4-B83B-457d-8BCF-1A5E6036087B}.exe
                      Filesize

                      60KB

                      MD5

                      b9aeef34350dcaf195d301a7163cb6d5

                      SHA1

                      29fc9506e8e700d9a1782113c4f0fa18d1d2cdc4

                      SHA256

                      c8f4a9b592ba04e3cca5957b72c1143b87b34bd1f14e1151d08c766c570ae16d

                      SHA512

                      509dc6a1369e08cfd397408c286ee53e2a608aa323c28f22b1c5e47f382bf788e1ab32dcc8d61c9fb215ddf4a151951ad188a9dc975f1829d2fdf07b3b5c323f

                      Download Submit