Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    144s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    23/07/2024, 19:12

General

  • Target

    16da9cc5368423e7ad3f5e65b02453a668f2fc6fb5c7df2cd70346162eb4f805.exe

  • Size

    90KB

  • MD5

    bc08dbd347cb80d2a8a64f7a0882664e

  • SHA1

    4168c56fa574e48e81fa3e1f5b964e2f9ea7c6c7

  • SHA256

    16da9cc5368423e7ad3f5e65b02453a668f2fc6fb5c7df2cd70346162eb4f805

  • SHA512

    9acdb07d6b1292ec362e91136665fef83747d2fdb3aa89979c036ed84b0a1c1ec8bd16ff414112a7e83f47910606cc7b14bf16e8480a606874e15d16b2fda06d

  • SSDEEP

    768:Qvw9816vhKQLron4/wQRNrfrunMxVFA3b7glw:YEGh0onl2unMxVS3Hg

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 22 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (11 IoCs)
  • Drops file in Windows directory (11 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 23 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (11 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
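
The Active Setup signature above is only a count of registry writes; the report does not show the key names or StubPath values the sample set. The Python below is an added example, not part of the report or the sandbox, that parses the text `reg export` produces for HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components (native and Wow6432Node views, since a 32-bit sample writes the latter) and flags StubPath entries that fit what this run would leave behind: a GUID-named executable written straight into C:\Windows. The .reg text is constructed; reusing the GUID from the first dropped-file path as a component name is an assumption, because the report does not show which key was written.

```python
r"""Hunt for suspicious Active Setup entries in a regedit (.reg) export.

Added example. It parses the text that `reg export` produces for
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components and flags
StubPath values that fit the pattern in this report: a GUID-named
executable dropped straight into C:\Windows. The sample export is
constructed; the report does not show the key the sample wrote.
"""
import re
from pathlib import PureWindowsPath

GUID_RE = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)
# Directory fragments an unprivileged user can write to (lower-case, backslash-delimited).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\public\\")

# Constructed sample export: one benign-looking entry under System32, one
# modelled on this run (GUID and StubPath assumed from the dropped-file path,
# placed in the Wow6432Node view because the sample is 32-bit), one in %TEMP%.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}]
"StubPath"="%SystemRoot%\\System32\\ie4uinit.exe -UserConfig"
"Version"="1,0,0,0"
"IsInstalled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B69A08B1-182B-44dd-87B4-5B29B3EA0CA4}]
"StubPath"="C:\\Windows\\{B69A08B1-182B-44dd-87B4-5B29B3EA0CA4}.exe"
"IsInstalled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{99999999-8888-7777-6666-555555555555}]
"StubPath"="C:\\Users\\Admin\\AppData\\Local\\Temp\\update.exe"
"IsInstalled"=dword:00000001
'''


def _unescape(s):
    # .reg string values double backslashes and escape embedded quotes.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for a .reg file.

    Handles "name"="string" and "name"=dword:xxxxxxxx, which is all the
    Active Setup check needs; other value types keep their raw right-hand side.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, rhs = line[1:].partition('"=')
            if rhs.startswith('"') and rhs.endswith('"'):
                keys[current][name] = _unescape(rhs[1:-1])
            elif rhs.startswith("dword:"):
                keys[current][name] = int(rhs[6:], 16)
            else:
                keys[current][name] = rhs
    return keys


def stub_executable(stub, system_root="C:\\Windows"):
    """Pull the executable path out of a StubPath (it may carry arguments).

    %SystemRoot%/%windir% are expanded to the assumed install directory.
    """
    s = re.sub(r"%(systemroot|windir)%", lambda _: system_root, stub.strip(), flags=re.I)
    if s.startswith('"'):
        return s[1:s.find('"', 1)]
    m = re.match(r"(.+?\.exe)(?=\s|$)", s, re.I)
    return m.group(1) if m else s.split()[0]


def assess_stub(stub, system_root="C:\\Windows"):
    """Reasons an Active Setup StubPath looks suspicious (empty list = nothing seen)."""
    exe = PureWindowsPath(stub_executable(stub, system_root))
    reasons = []
    if str(exe.parent).lower() == system_root.lower():
        reasons.append("executable sits directly in %SystemRoot%, not System32")
    if GUID_RE.match(exe.stem):
        reasons.append("GUID-named executable")
    if any(frag in str(exe).lower() for frag in USER_WRITABLE):
        reasons.append("executable in a user-writable location")
    return reasons


def hunt_active_setup(reg_text, system_root="C:\\Windows"):
    """Scan every Installed Components key in the export and report the odd ones."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if "\\active setup\\installed components\\" not in key.lower():
            continue
        stub = values.get("StubPath")
        if not isinstance(stub, str) or not stub:
            continue  # nothing runs at logon for this component
        reasons = assess_stub(stub, system_root)
        if reasons:
            findings.append({
                "component": key.rsplit("\\", 1)[1],
                "view": "wow6432node" if "\\wow6432node\\" in key.lower() else "native",
                "stub_path": stub,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in hunt_active_setup(SAMPLE_REG):
        print(f["view"], f["component"], f["stub_path"], "->", "; ".join(f["reasons"]))
```

On a live host the input comes from `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" native.reg` and the same for the Wow6432Node path; the checks are heuristics (legitimate stubs live under System32 or Program Files), so treat a hit as a lead to verify against the file's hash and signature rather than as a verdict.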

Processes

  • C:\Users\Admin\AppData\Local\Temp\16da9cc5368423e7ad3f5e65b02453a668f2fc6fb5c7df2cd70346162eb4f805.exe
    "C:\Users\Admin\AppData\Local\Temp\16da9cc5368423e7ad3f5e65b02453a668f2fc6fb5c7df2cd70346162eb4f805.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Windows\{B69A08B1-182B-44dd-87B4-5B29B3EA0CA4}.exe
      C:\Windows\{B69A08B1-182B-44dd-87B4-5B29B3EA0CA4}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2276
      • C:\Windows\{2034556E-4DE8-4f48-A127-E8B02B75C2BE}.exe
        C:\Windows\{2034556E-4DE8-4f48-A127-E8B02B75C2BE}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2776
        • C:\Windows\{EC32B84B-0E99-4f1b-899C-EA90938A668D}.exe
          C:\Windows\{EC32B84B-0E99-4f1b-899C-EA90938A668D}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3032
          • C:\Windows\{43808AF3-6199-4bcc-9D8C-BA0D5FCB6746}.exe
            C:\Windows\{43808AF3-6199-4bcc-9D8C-BA0D5FCB6746}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2844
            • C:\Windows\{F1DFF4F1-5E14-4d6b-AF1B-C6830A9EA41E}.exe
              C:\Windows\{F1DFF4F1-5E14-4d6b-AF1B-C6830A9EA41E}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2240
              • C:\Windows\{3913E112-A0EF-4c8b-808C-5158C46FE16D}.exe
                C:\Windows\{3913E112-A0EF-4c8b-808C-5158C46FE16D}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1272
                • C:\Windows\{B012F137-254D-413d-9953-D1D1DBAE2C1E}.exe
                  C:\Windows\{B012F137-254D-413d-9953-D1D1DBAE2C1E}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2920
                  • C:\Windows\{B0B82265-DA2B-4869-A916-72B70158AD6A}.exe
                    C:\Windows\{B0B82265-DA2B-4869-A916-72B70158AD6A}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1444
                    • C:\Windows\{A0971FF7-B4E5-46d3-87B8-8389CA5E2DF5}.exe
                      C:\Windows\{A0971FF7-B4E5-46d3-87B8-8389CA5E2DF5}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2992
                      • C:\Windows\{460C6104-891D-4ff8-A602-B84DD5515538}.exe
                        C:\Windows\{460C6104-891D-4ff8-A602-B84DD5515538}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2480
                        • C:\Windows\{E09913A1-4DDD-413b-8CFD-9D8C45332C94}.exe
                          C:\Windows\{E09913A1-4DDD-413b-8CFD-9D8C45332C94}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:444
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{460C6~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:3060
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0971~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1168
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{B0B82~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2220
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{B012F~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2956
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{3913E~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2020
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{F1DFF~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2640
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{43808~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1828
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{EC32B~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2576
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{20345~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2616
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B69A0~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2804
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\16DA9C~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2092
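
The process tree repeats the same two steps at every generation: the running copy writes a new GUID-named .exe into C:\Windows and executes it, then spawns cmd.exe to delete its own image by 8.3 short name (`{B69A0~1.EXE` for `{B69A08B1-182B-44dd-87B4-5B29B3EA0CA4}.exe`), eleven times over. The cmd.exe image resolving to SysWOW64 while the command line names system32 is file-system redirection, which tells you the sample is a 32-bit binary. As an added example, not from the report or the sandbox, the Python below runs that detection logic over process-creation records transcribed from the first three generations of the tree, plus one constructed control event, matching the short name in each `del` against the parent process's image path.

```python
r"""Flag the drop, execute, self-delete pattern seen in this report's process tree.

Added example, not from the report or the sandbox. The events below are
transcribed from the first three generations of the tree as
(pid, parent pid, image, command line); the last control event is
constructed so the rule has a cmd.exe deletion it must not flag.
"""
import re
from pathlib import PureWindowsPath

GUID_RE = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\16da9cc5368423e7ad3f5e65b02453a668f2fc6fb5c7df2cd70346162eb4f805.exe"
GEN1 = r"C:\Windows\{B69A08B1-182B-44dd-87B4-5B29B3EA0CA4}.exe"
GEN2 = r"C:\Windows\{2034556E-4DE8-4f48-A127-E8B02B75C2BE}.exe"
GEN3 = r"C:\Windows\{EC32B84B-0E99-4f1b-899C-EA90938A668D}.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"  # SysWOW64 image: 32-bit process under file-system redirection

EVENTS = [
    (2172, 0, SAMPLE, f'"{SAMPLE}"'),
    (2276, 2172, GEN1, GEN1),
    (2092, 2172, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\16DA9C~1.EXE > nul"),
    (2776, 2276, GEN2, GEN2),
    (2804, 2276, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{B69A0~1.EXE > nul"),
    (3032, 2776, GEN3, GEN3),
    (2616, 2776, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{20345~1.EXE > nul"),
    # constructed control: deletes a file that is not the parent's image
    (4100, 2172, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\report.txt > nul"),
]


def short_name_matches(short, long_name):
    """Could `short` (e.g. {B69A0~1.EXE) be the 8.3 alias of `long_name`?

    NTFS normally forms the alias from the first six characters of the long
    stem, '~N', and the first three of the extension. That is necessary, not
    sufficient (two names sharing a six-character prefix collide and one gets
    ~2), which is why the caller also requires the directories to match.
    """
    m = re.fullmatch(r"(.{1,6})~\d+(?:\.(.{0,3}))?", short, re.I)
    if not m:
        return short.lower() == long_name.lower()  # already a valid 8.3 name
    stem, ext = m.group(1), m.group(2) or ""
    long_stem, _, long_ext = long_name.rpartition(".")
    if not long_stem:
        long_stem, long_ext = long_name, ""
    return (long_stem.upper().startswith(stem.upper())
            and long_ext[:3].upper() == ext.upper())


def del_target(cmdline):
    """Path named by `cmd /c del [/switches] <path>`, or None if this is not a del."""
    m = re.search(r'\bdel\b\s+(?:/\S+\s+)*"?([^"\s]+)', cmdline, re.I)
    return m.group(1) if m else None


def deletes_image(target, image):
    """True when the del target is the given image, allowing an 8.3 alias for the name."""
    t, i = PureWindowsPath(target), PureWindowsPath(image)
    return (str(t.parent).lower() == str(i.parent).lower()
            and short_name_matches(t.name, i.name))


def chain_depth(by_pid, guid_pids):
    """Longest parent->child run of GUID-named processes (11 in the full tree)."""
    guid = set(guid_pids)

    def depth(pid):
        ppid = by_pid[pid][1]
        return 1 + (depth(ppid) if ppid in guid else 0)

    return max((depth(p) for p in guid), default=0)


def detect(events, system_root="C:\\Windows"):
    """GUID-named executables in %SystemRoot%, cmd.exe children deleting the parent image, chain depth."""
    by_pid = {e[0]: e for e in events}
    guid_drops, self_deletes = [], []
    for pid, ppid, image, cmdline in events:
        img = PureWindowsPath(image)
        if GUID_RE.match(img.stem) and str(img.parent).lower() == system_root.lower():
            guid_drops.append(pid)
        parent = by_pid.get(ppid)
        if parent and img.name.lower() == "cmd.exe":
            target = del_target(cmdline)
            if target and deletes_image(target, parent[2]):
                self_deletes.append({"cmd_pid": pid, "parent_pid": ppid, "deleted": parent[2]})
    return {"guid_drops": guid_drops, "self_deletes": self_deletes,
            "chain_depth": chain_depth(by_pid, guid_drops)}


if __name__ == "__main__":
    result = detect(EVENTS)
    for f in result["self_deletes"]:
        print(f"cmd.exe pid {f['cmd_pid']} deletes image of parent pid {f['parent_pid']}: {f['deleted']}")
    print("GUID-named drops:", result["guid_drops"], "chain depth:", result["chain_depth"])
```

The same three checks map onto Sysmon Event ID 1 or Windows 4688 fields (ParentProcessId, Image, CommandLine) without change; the short-name matcher is what makes the self-delete rule hold up, since a literal comparison of `{B69A0~1.EXE` against the long image name would never fire.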

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{2034556E-4DE8-4f48-A127-E8B02B75C2BE}.exe

    Filesize

    90KB

    MD5

    bef88499bd70b8966347423cc35b51da

    SHA1

    7e3a6746dda5713ef3ba462172caf3102c02f1cd

    SHA256

    ab95f6618106b614c7d259e8ce40f0e69e79e638b13e99c95f0413dd186ff686

    SHA512

    6ccecb076451d98e0cecf52df0bd184987fe3cd50106be311670a93f3848b3760d71b6ee0ae9ec0afdfb857cb52ae065c4df30f3107ca4eb292fc97e3cf11bc2

  • C:\Windows\{3913E112-A0EF-4c8b-808C-5158C46FE16D}.exe

    Filesize

    90KB

    MD5

    46afa4a7ac94f0f7acbe3e9ad50c9770

    SHA1

    703176ce895c5cec994d4e60d152ff43cec1e739

    SHA256

    4e5c4c8edca5456300fff0817df03757314ff4bc13eeff2d4c450f715ded205c

    SHA512

    c6cd2a24e081f58e535c6806963ee5f305c5ed6222dd1874d932e41efa9b6ca68ebd7d5b0e3a48eea296651c73e5493ab47e3d42743d5f73ee17eb7fb6bd8cf1

  • C:\Windows\{43808AF3-6199-4bcc-9D8C-BA0D5FCB6746}.exe

    Filesize

    90KB

    MD5

    d60a8d33b24d338d462ef9118839b92f

    SHA1

    d0a63ded0ef416c623e8b91d4b31316a48a1fbc7

    SHA256

    32c13e7b8ca254c28a22edf1b613198708cb1cca295a4b81778f3ea412342745

    SHA512

    7896b99ded6e9db319b6b890019e5bc97e7a8a8631b27e56c60dd054c34df9ac9a4c7e65f2c8313fc287399d43beea83cabfad9025c040e45386cba4e7b8df6c

  • C:\Windows\{460C6104-891D-4ff8-A602-B84DD5515538}.exe

    Filesize

    90KB

    MD5

    50f7ae990995a3856e496d51735a4e1f

    SHA1

    ba429badf86ebee24cbf1336805d5b5c3e16e0b8

    SHA256

    dad6b6033a640748dfc2fa8cee63f8988659672b812063ede70e051cfe537e6b

    SHA512

    22f5fb9ffc30473dabb2dd53046a57d0f309546486b30e2e6c688729c7551252b5e3dbc0cf1162ae543dfc1d565d879155a475337c09989545b6a6f167fb9ab4

  • C:\Windows\{A0971FF7-B4E5-46d3-87B8-8389CA5E2DF5}.exe

    Filesize

    90KB

    MD5

    aef961d79643cfa2d2662e81571937a3

    SHA1

    7d4e2eddbae1dcdc8aa3f66c3a7b6bcd0a504f96

    SHA256

    2fa07fe0c539b4bd9e281b0da36cce6fd4d5574ecadf283e95d8aac3acba295b

    SHA512

    b258863ed3802e6d52ab0af74fbd94d92cbfa9c7616488c53fabb7754d607aa5f71270f6154f448797aedbe50f09df280873e81216218e0fef334f8e9484b350

  • C:\Windows\{B012F137-254D-413d-9953-D1D1DBAE2C1E}.exe

    Filesize

    90KB

    MD5

    1f5c871148bdcda44bde89591f996261

    SHA1

    bcd09a7273e38b32d3b8fbcd5036537cccd717cd

    SHA256

    584b8dc3149b3d2c834f79fab1ab48238ff316067a07ba977b536ca64894d0fd

    SHA512

    e3f79ca57ac3aeeb2e737b2a4d34bd8126aff017a555f43e7b68bae8e7d656b09e8562c0dc1d0a69524f469b3b51f97a36a486f879fc41bc6118256d33a5f7f2

  • C:\Windows\{B0B82265-DA2B-4869-A916-72B70158AD6A}.exe

    Filesize

    90KB

    MD5

    7ba4857fdeaf30954fbf395f7e5e100a

    SHA1

    3d3128a93522dc3800f0a939630c2aa7905d8b4d

    SHA256

    c7a70ee63db5182595c94f71d4d81d3fa9071751394df5c6c251e49a066d4c9e

    SHA512

    a1d73804c321f0e2043ff808f27dcb2fdec1d4552f9055708a6b143624c07bc369bb0024eebf14ab19ac98aed1278572602451a7402dc9dd6bfe951baa518107

  • C:\Windows\{B69A08B1-182B-44dd-87B4-5B29B3EA0CA4}.exe

    Filesize

    90KB

    MD5

    9d89fa832443d9c6825b829c780c8f41

    SHA1

    5518b4b41211e129b41a37f2a5baae496b44dee6

    SHA256

    078ef8ad8f33ec71220f0e8a9d9c3f7aadc89f1e4648d68ae8985419e7c71f8e

    SHA512

    93b88e84d1d60ae1f1adb97bc456c02dc3b67999005dbc0cc4f5a9c34714cff7499f6557e1cc2e6ef56dc9a32738ee15c091ab396793f8173770d42bd835eede

  • C:\Windows\{E09913A1-4DDD-413b-8CFD-9D8C45332C94}.exe

    Filesize

    90KB

    MD5

    dde22680f408fe3158d0f880bc821dda

    SHA1

    e1931e3ce8a9e7dde944030615b499e80c1adb05

    SHA256

    399ba8fffe1396654546260430e56c08f7f80d0a78a20941834daa16aea35542

    SHA512

    6e9c85c3f5ff1f15c7a847922c39146b26353b2d5d7e7e2ec2e1399a06ff2aa7dc6335c7946086e1df03d05129e70adc01b9f20904ff60d9292e2bd3e4354ea7

  • C:\Windows\{EC32B84B-0E99-4f1b-899C-EA90938A668D}.exe

    Filesize

    90KB

    MD5

    2f2705825b1d71de1daacd16e925168c

    SHA1

    859cdb94bb667e97b7dbcace254edbefe5e4224b

    SHA256

    8990ec1c45341a1265b03e7db8c6e4172ad6446a092186d7d4586035536bd0f9

    SHA512

    5fd47e4e1084ecef533ce6e3501ea2f4d01b5bf2d195260fd7d953e8f5103e6514ac7130404a91c722bac13f92365a8ecda4e7eed60fbe469afa0f4ccd1784bf

  • C:\Windows\{F1DFF4F1-5E14-4d6b-AF1B-C6830A9EA41E}.exe

    Filesize

    90KB

    MD5

    a1a14aeb5390bcaa489883ca6147c468

    SHA1

    a083ec61740b4a7d8f6aa6ba905e69403e388f77

    SHA256

    0dc5410165d86309da8dc470aaefad4bb4fb586afd31698339afb28a251b8cad

    SHA512

    6c3d1a8be5f7ae8db58eb56ae88954457a2035485700a1512e2e6ae6fc0b5e0bf0db6c0bcc7e59ad363b5630cadc902a866211e6160394c487106f82bf3145ee