Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

6a31c00a5f...63.exe

windows7-x64

8

6a31c00a5f...63.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/07/2024, 22:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6a31c00a5ff67fc65ca27694ad3cbf4b31cc4a6dfd8257a47c4e6c362eef6363.exe

  • Size

    216KB

  • MD5

    9b835157c613465eceee4ff9778c2bcf

  • SHA1

    2112bc35a0ed21df4ba8ed935e5a3a6b31140e5d

  • SHA256

    6a31c00a5ff67fc65ca27694ad3cbf4b31cc4a6dfd8257a47c4e6c362eef6363

  • SHA512

    8c7d67afcf69ff16c290c8ac153cb68ce1b3f063a2baf7ffa514035b212adb50ca7e846582c19186bb8effc6d037eeb6a6bea2c8c7e241cc244976870ff3c9ee

  • SSDEEP

    3072:jEGh0o3l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGFlEeKcAEcGy

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6a31c00a5ff67fc65ca27694ad3cbf4b31cc4a6dfd8257a47c4e6c362eef6363.exe
    "C:\Users\Admin\AppData\Local\Temp\6a31c00a5ff67fc65ca27694ad3cbf4b31cc4a6dfd8257a47c4e6c362eef6363.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2840
    • C:\Windows\{FA7F48B2-5412-453d-ABFF-598ECF0CDBF2}.exe
      C:\Windows\{FA7F48B2-5412-453d-ABFF-598ECF0CDBF2}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:456
      • C:\Windows\{53501202-54A1-4542-9C5A-441467F4C436}.exe
        C:\Windows\{53501202-54A1-4542-9C5A-441467F4C436}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3852
        • C:\Windows\{206C3CD6-8DDE-4e52-A151-EC8FB1217228}.exe
          C:\Windows\{206C3CD6-8DDE-4e52-A151-EC8FB1217228}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3036
          • C:\Windows\{CD124140-C25C-434c-93B3-A50315FF03A5}.exe
            C:\Windows\{CD124140-C25C-434c-93B3-A50315FF03A5}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3520
            • C:\Windows\{E7B733A2-8B18-401f-9BB6-0D240B7DDD79}.exe
              C:\Windows\{E7B733A2-8B18-401f-9BB6-0D240B7DDD79}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1960
              • C:\Windows\{AFE35C41-F64C-42b6-BB8C-FDEA291E5373}.exe
                C:\Windows\{AFE35C41-F64C-42b6-BB8C-FDEA291E5373}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4948
                • C:\Windows\{5B43E7FD-1E01-4b8c-9E1C-B337D34EA42C}.exe
                  C:\Windows\{5B43E7FD-1E01-4b8c-9E1C-B337D34EA42C}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1612
                  • C:\Windows\{C7B7EA19-10D7-4b11-A635-1FF3472D32EE}.exe
                    C:\Windows\{C7B7EA19-10D7-4b11-A635-1FF3472D32EE}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1180
                    • C:\Windows\{FCAEBD02-43AB-42fd-9055-CA4EE98294AD}.exe
                      C:\Windows\{FCAEBD02-43AB-42fd-9055-CA4EE98294AD}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1012
                      • C:\Windows\{3CD496C6-563C-481f-9FD7-EF09A5CCACBA}.exe
                        C:\Windows\{3CD496C6-563C-481f-9FD7-EF09A5CCACBA}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4976
                        • C:\Windows\{434AE304-BB0C-441b-A15B-5C7F7E3A73FE}.exe
                          C:\Windows\{434AE304-BB0C-441b-A15B-5C7F7E3A73FE}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4904
                          • C:\Windows\{ACD21663-665A-47c9-B4A0-0AAAD87B031C}.exe
                            C:\Windows\{ACD21663-665A-47c9-B4A0-0AAAD87B031C}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:2696
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{434AE~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:2388
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{3CD49~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:380
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{FCAEB~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:824
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{C7B7E~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4652
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{5B43E~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1980
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{AFE35~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4984
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{E7B73~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3436
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{CD124~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4360
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{206C3~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3932
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{53501~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:5052
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA7F4~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2740
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6A31C0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4424

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\{206C3CD6-8DDE-4e52-A151-EC8FB1217228}.exe
    Filesize

    216KB

    MD5

    82b50d461054b2ef1e2aab41c509c3d6

    SHA1

    f3497466a2f949e82712d2d10a791403dfaa0b9c

    SHA256

    2e99893c3c832c1a0d26726d00684b5951562e9f3adda62410adf660653a361b

    SHA512

    5d34caf74e103f5c5b0be71e77c7b1b33e48073a9192ee55334e6f636edc4d981d1b908a6e0e31289d58168cee10722efcfd46dde0b51b792c904e32922e0b83

    Download Submit

  • C:\Windows\{3CD496C6-563C-481f-9FD7-EF09A5CCACBA}.exe
    Filesize

    216KB

    MD5

    68151fdc92dd4e585da733b2a7f205d4

    SHA1

    f5c238d7ed06d4294f0111bb97f93c1b1c9fcff5

    SHA256

    5166c6ac509d6adfd1c0dfd22d217d99e0d937a88059b54187e34ae7d9b5a3b5

    SHA512

    b3aaba52fde58f351ca0c02aff0672166bd5f4223cf2a53419b258bf022b4fe1ddf9820b362517e97d9fa50f137ab9d77dc9f07e6484c71f50576b33b0686ace

    Download Submit

  • C:\Windows\{434AE304-BB0C-441b-A15B-5C7F7E3A73FE}.exe
    Filesize

    216KB

    MD5

    4d133c11da093640bb92e1a9e0270f34

    SHA1

    a3463a91fe9ffacacb2945b0b865a6cac873ab43

    SHA256

    c24948d46946a1aa15410d8c07a38a5e8c6038332739d350a7372a4e63f7cac6

    SHA512

    2134d355de53d1fba27d2b25a111094a7215779a0866ebdbf00a789b7e4fda6374ff18aac5c75dc57a4c63791f785b993cd3e1265f113d26a46e864ba0f12129

    Download Submit

  • C:\Windows\{53501202-54A1-4542-9C5A-441467F4C436}.exe
    Filesize

    216KB

    MD5

    50d81c64f9a049c2045163d9f9d0a61d

    SHA1

    d384afe596d89a9c9dfff4d96f6ea6c6cdc7f70a

    SHA256

    31a647bd2f2a3436cd8d646afb5e1d26f0596c8d3fef48f9942da72b5aafc8da

    SHA512

    3cd6b4c0e45bc55365949d92ac20243232d1cee6df13bce2adb52a181f581b2602d58d0aca11770228982359bbaa5badd411eff75e0e7cb15aa0dccd2663efe6

    Download Submit

  • C:\Windows\{5B43E7FD-1E01-4b8c-9E1C-B337D34EA42C}.exe
    Filesize

    216KB

    MD5

    a7a9d5724e6d53a0f2530d4ca4efaa50

    SHA1

    fc09a2761b17795f9a1c26561870309dc51a2b5c

    SHA256

    534a2147fa0a1348249eeaa8abe3951b31f3ba3619aca173acf784d7ec52c2f9

    SHA512

    801c686f023a0001860e27f9307e9faf11ec51e5b41029d15c4886b6c215798f60830f34027e73ee95f97e73bd971cadcd00a252877d42c0343ca4dbe273cd91

    Download Submit

  • C:\Windows\{ACD21663-665A-47c9-B4A0-0AAAD87B031C}.exe
    Filesize

    216KB

    MD5

    f4887053bfd19bf578898de1c2c7b9c0

    SHA1

    1d5a7809a2e27e5bc345e0d9e5d91546aba428a9

    SHA256

    caea92a61cac78ebd0bd93c5b3ddfc4de8d1a9cb4535fddabc3e3164b73e6689

    SHA512

    be2d952077017bc2861c3d9c47b6de777eb90c0f75dcb96cb878bd8e74cabefcb7eb765139b7a3deceb8887c94f9d4c37a369ce3e7f926092d3f536c30f311eb

    Download Submit

  • C:\Windows\{AFE35C41-F64C-42b6-BB8C-FDEA291E5373}.exe
    Filesize

    216KB

    MD5

    59f05badb38ea32c22e6aca341f0fb62

    SHA1

    eb861faf68258f1cd4f6b423726d86cb7710b8f5

    SHA256

    90a2e02d1dd1faee394c4d0f7825082305a3314f9344851b8f5924bbc1851812

    SHA512

    61546d84c1d778fab0ff9bc3b88a060133e7f3119274b385f557bf4e3b467ffcc993baa1783c05d548e4d764d0bd109d812cd91418b0b6f0ed3ef6b0c6786f2f

    Download Submit

  • C:\Windows\{C7B7EA19-10D7-4b11-A635-1FF3472D32EE}.exe
    Filesize

    216KB

    MD5

    4dbb03f489999920ff1f1bbd974f7332

    SHA1

    0ff5c080c8a7cb4bb30cf34f109527560f876a4b

    SHA256

    44a7f79c7e85f0a63d5e05775a5cc8f63a030e4528135838381d79b484049d2e

    SHA512

    7984c28169445a38683e3469afb8aa432f6ada32c9ca623ff78681bfb25146b345865786aa9231ccd46cd304f922fd5be1e92ed77b36c3d5238fae826b150c2a

    Download Submit

  • C:\Windows\{CD124140-C25C-434c-93B3-A50315FF03A5}.exe
    Filesize

    216KB

    MD5

    619fb35ab626e5b1f7d3e1a72bba23fc

    SHA1

    e8ed503608a36bbf232830c89e31ce207d8df437

    SHA256

    9bf57026f1452ae690a6051ed6f782384b4fedaec878d0d9421a81c153ac6ed0

    SHA512

    181ad0e7686232e717157fbaaed74bc4659b72d694e0f606a8aa763577d0516f5d2243e32b4d374bc913d1944d53e63269398cd3cff70520eb310d0c7a7d5c66

    Download Submit

  • C:\Windows\{E7B733A2-8B18-401f-9BB6-0D240B7DDD79}.exe
    Filesize

    216KB

    MD5

    11330117a63067f71fb81cf8c5b70908

    SHA1

    b4e673d0782e8508dded3b7025e9e9e4089c4ca1

    SHA256

    f6fbbf0a7084588ecef2cbb9eb02c177d057dcfa74164fb2767af369fb4db61c

    SHA512

    7eb72a7b619fea5f77cb8f7455fa602dad9c584b7024e73270b9ccce5028e3c895de8c85de4fd22abdd542b5f87e685f1885dfcc17591e3f2c4912b399be4cea

    Download Submit

  • C:\Windows\{FA7F48B2-5412-453d-ABFF-598ECF0CDBF2}.exe
    Filesize

    216KB

    MD5

    8b34c54fa91617dc2f97a9cf43bd1c07

    SHA1

    0288013e174cb17f82a6a92ec16cd83489042e40

    SHA256

    a543150bacaac6b39433f502668d4422d375f02d07fba7a4f930b0ef493c2c08

    SHA512

    3226b50dacdedbdfdbdc20a5a5fe916a6dc37f5065c5578708762d70912cc3b0ad30f724c80710290ef168b8d26d472358b6ef75ed1c362edec5374d1e56310a

    Download Submit

  • C:\Windows\{FCAEBD02-43AB-42fd-9055-CA4EE98294AD}.exe
    Filesize

    216KB

    MD5

    c950c03a86b3f98dbb19de578e36a969

    SHA1

    86d25d3a2cea33b9e0aec525c7b759194cb9cdf5

    SHA256

    0a5e8a615fea8404416e596d812e0bd775de0be7bdc3065c2bf265cb49f15259

    SHA512

    f0fb9143c672ac4e8bfbe27df73e0464d0fa248545d36898d373f9e30342e858e7361ddd9633549a721140802004e01019bb94eab91f19a71c13d88e1a5831f4

    Download Submit