Analysis

  • max time kernel
    118s
  • max time network
    116s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/07/2024, 08:01

General

  • Target

    64de30bfe3019e6bff78885e7c62f090N.exe

  • Size

    90KB

  • MD5

    64de30bfe3019e6bff78885e7c62f090

  • SHA1

    bd873aa9f02932cca2cfdae6ccfc7d4a5bc4db86

  • SHA256

    d8b9fb74a5042f32bde6105eb99f260be83ecf710f0e166180bbc1f76e1afd6f

  • SHA512

    e65c5bbebdb19cd7ccab1944bea53723cae6c111c3cc28268274353d2e38576c556671c3b723d9d0b4f6bfea7a38c19bd677b4da69f2e1d9a0c436a180f1e70d

  • SSDEEP

    768:Qvw9816vhKQLrod4/wQRNrfrunMxVFA3b7glws:YEGh0odl2unMxVS3Hgz

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\64de30bfe3019e6bff78885e7c62f090N.exe
    "C:\Users\Admin\AppData\Local\Temp\64de30bfe3019e6bff78885e7c62f090N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4464
    • C:\Windows\{93D9C800-6BB3-4c97-A988-183AAD1E45CC}.exe
      C:\Windows\{93D9C800-6BB3-4c97-A988-183AAD1E45CC}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1548
      • C:\Windows\{EDA342C7-2DE1-4b59-9446-3661EF560336}.exe
        C:\Windows\{EDA342C7-2DE1-4b59-9446-3661EF560336}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:372
        • C:\Windows\{7AE094B1-3C66-4b33-AD7E-6C099942B21F}.exe
          C:\Windows\{7AE094B1-3C66-4b33-AD7E-6C099942B21F}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4436
          • C:\Windows\{D02951FE-6785-44ba-A2E8-2D83D8FC5252}.exe
            C:\Windows\{D02951FE-6785-44ba-A2E8-2D83D8FC5252}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:636
            • C:\Windows\{CBFD1952-56F9-4b80-B517-7D7234DB2AA6}.exe
              C:\Windows\{CBFD1952-56F9-4b80-B517-7D7234DB2AA6}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:5060
              • C:\Windows\{465BDA2C-820E-41db-A25A-40CE2D138E60}.exe
                C:\Windows\{465BDA2C-820E-41db-A25A-40CE2D138E60}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2848
                • C:\Windows\{BCCF87D7-9A94-4226-B49E-E2194BB54E82}.exe
                  C:\Windows\{BCCF87D7-9A94-4226-B49E-E2194BB54E82}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4812
                  • C:\Windows\{2F1660AF-290C-48b6-B52D-0C6B3649DA9B}.exe
                    C:\Windows\{2F1660AF-290C-48b6-B52D-0C6B3649DA9B}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4240
                    • C:\Windows\{75D1BBE1-1D1D-4b55-B4E2-C3F9BF94A757}.exe
                      C:\Windows\{75D1BBE1-1D1D-4b55-B4E2-C3F9BF94A757}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:3152
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{2F166~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2504
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{BCCF8~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:848
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{465BD~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1608
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{CBFD1~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4160
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{D0295~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:680
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{7AE09~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:820
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{EDA34~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4652
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93D9C~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:976
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\64DE30~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2840
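
Detection logic for the pattern this process tree shows, added here as an example and not part of the Triage report: every stage is a GUID-named executable dropped directly into C:\Windows (not System32), executed as a child of the previous stage, and then removed by that parent via cmd.exe /c del on its 8.3 short name (`{93D9C~1.EXE`), while the Active Setup signature fires on StubPath writes under Installed Components. The report counts the registry IoCs but does not print the values, so the registry events below, the explorer.exe parent and the two benign control events are constructed to mirror the tree; the short-name comparison is a heuristic (Windows derives the 8.3 name from the first six valid characters plus ~N) rather than a lookup of the real short name.

```python
"""Flag the three behaviours this report chains together: a GUID-named EXE
dropped straight into C:\\Windows and executed, an Active Setup StubPath
pointing at it, and the parent deleting itself via cmd.exe /c del on its
8.3 short name. Input is a list of Sysmon-style events constructed to
mirror the process tree above (added example, not Triage output)."""
import re
from dataclasses import dataclass

# C:\Windows\{GUID}.exe sitting directly in the Windows root
GUID_EXE = re.compile(
    r"^C:\\Windows\\\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}\.exe$",
    re.IGNORECASE)
# cmd.exe /c del <8.3 short path> > nul   (e.g. C:\Windows\{2F166~1.EXE)
SELF_DELETE = re.compile(r"/c\s+del\s+(?P<target>\S+~\d+\.EXE)\s*>\s*nul", re.IGNORECASE)
# HKLM\...\Active Setup\Installed Components\{GUID}\StubPath (32- or 64-bit view)
ACTIVE_SETUP_KEY = re.compile(
    r"^HKLM\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Active Setup\\Installed Components\\"
    r"\{[0-9A-Fa-f-]{36}\}\\StubPath$", re.IGNORECASE)


@dataclass
class Event:
    kind: str                 # "process" (Sysmon EID 1) or "registry" (EID 13)
    pid: int
    image: str                # process image; for registry events, the writing process
    cmdline: str = ""
    parent_image: str = ""
    target_object: str = ""   # registry value path
    details: str = ""         # registry data written


def short_name_matches(long_path: str, short_path: str) -> bool:
    """Heuristic 8.3 match: '{93D9C800-...}.exe' -> '{93D9C~1.EXE'. Windows
    builds the short name from the first six valid characters plus ~N, so
    compare directory, prefix before '~' and extension, case-insensitively."""
    long_dir, _, long_name = long_path.upper().rpartition("\\")
    short_dir, _, short_name = short_path.upper().rpartition("\\")
    if long_dir != short_dir:
        return False
    prefix, tilde, rest = short_name.partition("~")
    if not tilde:
        return long_name == short_name
    ext = rest.partition(".")[2]
    return long_name.startswith(prefix) and long_name.endswith("." + ext)


def find_dropped_guid_executions(events):
    """Process creations whose image is a GUID-named EXE in C:\\Windows."""
    return [(ev.parent_image, ev.image) for ev in events
            if ev.kind == "process" and GUID_EXE.match(ev.image)]


def find_self_deletes(events):
    """cmd.exe /c del whose 8.3 target resolves to the parent's own image."""
    hits = []
    for ev in events:
        if ev.kind != "process" or not ev.image.lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE.search(ev.cmdline)
        if m and short_name_matches(ev.parent_image, m.group("target")):
            hits.append((ev.pid, ev.parent_image))
    return hits


def find_active_setup_stubpaths(events):
    """StubPath writes; flagged when the stub is a GUID EXE in C:\\Windows."""
    out = []
    for ev in events:
        if ev.kind == "registry" and ACTIVE_SETUP_KEY.match(ev.target_object):
            stub_exe = ev.details.split(" ", 1)[0].strip('"')
            out.append((ev.pid, ev.details, bool(GUID_EXE.match(stub_exe))))
    return out


def analyze(events):
    return {"guid_exe_runs": find_dropped_guid_executions(events),
            "self_deletes": find_self_deletes(events),
            "active_setup": find_active_setup_stubpaths(events)}


# Constructed events mirroring the first two stages of the tree above; the
# explorer.exe parent, the registry events and the benign controls are assumed.
ORIG = r"C:\Users\Admin\AppData\Local\Temp\64de30bfe3019e6bff78885e7c62f090N.exe"
STAGE1 = r"C:\Windows\{93D9C800-6BB3-4c97-A988-183AAD1E45CC}.exe"
STAGE2 = r"C:\Windows\{EDA342C7-2DE1-4b59-9446-3661EF560336}.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
AS_KEY = r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{%s}\StubPath"
SAMPLE_EVENTS = [
    Event("process", 4464, ORIG, f'"{ORIG}"', r"C:\Windows\explorer.exe"),
    Event("registry", 4464, ORIG,
          target_object=AS_KEY % "93D9C800-6BB3-4c97-A988-183AAD1E45CC", details=STAGE1),
    Event("process", 1548, STAGE1, STAGE1, ORIG),
    Event("process", 2840, CMD,
          r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\64DE30~1.EXE > nul", ORIG),
    Event("process", 372, STAGE2, STAGE2, STAGE1),
    Event("process", 976, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{93D9C~1.EXE > nul", STAGE1),
    # benign controls (constructed): a System32 stub in Active Setup, an unrelated del
    Event("registry", 1234, r"C:\Windows\System32\msiexec.exe",
          target_object=AS_KEY % "11111111-2222-3333-4444-555555555555",
          details=r"C:\Windows\System32\unregmp2.exe /ShowWMP"),
    Event("process", 5555, CMD, r"cmd.exe /c del C:\Users\Admin\build\old.log", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_EVENTS).items():
        print(name)
        for hit in hits:
            print("  ", hit)
```

On the sample, `guid_exe_runs` lists both dropped stages with their parents, `self_deletes` returns PIDs 2840 and 976 (each cmd.exe deleting its own parent), and only the StubPath pointing at the GUID EXE is flagged; the System32 stub and the unrelated `del` are left alone. A real deployment would feed Sysmon EID 1 and EID 13 (or EDR equivalents) into the same three functions.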

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{2F1660AF-290C-48b6-B52D-0C6B3649DA9B}.exe

    Filesize

    90KB

    MD5

    af243ac81a2252a447aacc3b93f6b225

    SHA1

    b0831987276f4e5c37423870e5e970b08d783400

    SHA256

    7931a15ae80ab32bd90f96311d7159c952e23c82504bab65e4a8f0c9ed27c878

    SHA512

    a31e05a96b83ada5f43f1e9f86d173ad41375112425db7650d067790bbe47b815049388c8042cc64c8823327a5dff1c63962c69bc4fec3ae8086c6b6ac11d1dc

  • C:\Windows\{465BDA2C-820E-41db-A25A-40CE2D138E60}.exe

    Filesize

    90KB

    MD5

    d8a235b465e6c94614a6329e501692a2

    SHA1

    913af2e81682a63766c9ded2283a5f0ed14471bd

    SHA256

    8a72d275a6206918d9b2fb76e4d9294158d8228b3ccbd0039663921d9ac71717

    SHA512

    e98ae29ec2c6dd5854ac0dfbedcd8108d976eba8dab032ccc91a3547b452d9f8118bca239ba4ae906538d8ae3855448ef730bdd866bbb6ff63449894207457d9

  • C:\Windows\{75D1BBE1-1D1D-4b55-B4E2-C3F9BF94A757}.exe

    Filesize

    90KB

    MD5

    6d0bfa0dc5c050484d16b0a2b86bed8e

    SHA1

    d25a8b0d621c575741c5cb0d52e4308b018b2547

    SHA256

    0cb7cfc595c5e02bd86165b35768fa268fe2629bd06bce4a7e177dcc777f96e9

    SHA512

    fafaffe87ba8af9f062f7fe49ba959bf8094c80eed6857bce578b925257504d32453404ab95db5a7e320b2e7f3490d86ad11ade32458a9f07a80b7255c0e8d05

  • C:\Windows\{7AE094B1-3C66-4b33-AD7E-6C099942B21F}.exe

    Filesize

    90KB

    MD5

    5edcdebecd86313ebb0076ea22f7c670

    SHA1

    c5bfe77784f31bc1b03f99eb5df6a6e81f6bb2bc

    SHA256

    2c313186044d7d48bab3c69e7d3940177f92ca9419f8041702b47d5ae3e5f1d5

    SHA512

    cb345532abe3e143fb387a4f356c66a2e1c628cb7a90fc442b4783c2246c30f481d3219c2631f955ade5d8bfa39bab2a8a7ed8ea730af98ea172f2fe58ae6aa0

  • C:\Windows\{93D9C800-6BB3-4c97-A988-183AAD1E45CC}.exe

    Filesize

    90KB

    MD5

    09beca9cb0551e6659cc147c97c71d52

    SHA1

    6c72234d0ae625996a0ab8e99bea6c492bfe519a

    SHA256

    73c033cdfad519d206d314874c45c4bf825071bf727a223fe03aea615a3125c2

    SHA512

    81018a72d2e1187c97a9cb290e127dc1aaa01b7e0c2c077ad094b4b2665e0be49ce11f7e8775b132ceb8b29c4b02476a8b8d6e9ee520ed9f0c85d8918ea012d6

  • C:\Windows\{BCCF87D7-9A94-4226-B49E-E2194BB54E82}.exe

    Filesize

    90KB

    MD5

    e3da5142deefcb4c3b66c8d523a94b3a

    SHA1

    f715c0666fe9867276a19fcf395de91b5de04c88

    SHA256

    39a4a9a41d87f53bf6e35aea6b06893a7c864ce54d92a3d795f5d8f52b5aed20

    SHA512

    9a3de54c19c7e573550a8be694fe0eb29772eafcff1f1e9c1264b7fab1feb669309efb15e92212038706cd001a6e3812013c695b805d6d0da82fd4e1f396feed

  • C:\Windows\{CBFD1952-56F9-4b80-B517-7D7234DB2AA6}.exe

    Filesize

    90KB

    MD5

    2f4a68e37d81bdf166f7873c0c8de248

    SHA1

    13cfb2a6174d74c5338dec14fa6652e125bfe095

    SHA256

    f212425fbe59725ce09aeeb4192be4e22b0a4ca9144c81dbdddbbaa478783977

    SHA512

    8751e9bb041ed23a7c17edf811d8845104fe853e56a8c6d0268f86209f323211560d71e12f26e06398c33057a2641a5a978cde870bc718d576f9e94d9cae454e

  • C:\Windows\{D02951FE-6785-44ba-A2E8-2D83D8FC5252}.exe

    Filesize

    90KB

    MD5

    ecec42c8cafb109498d986c0fcde517d

    SHA1

    2688b19c41b1117106e63343cd4caa5305609bcf

    SHA256

    c912b754e0a29f2b1105f6b739272556846c0e45f5d3bfeab8821ca07a082f63

    SHA512

    660ee5bc914d44e614721663f9c3cd959f44fbc571ea1a15b829a20c108c06ccffd4d037df0f25f69bdb4505e623cc13b73221d2ce30636970b537e8acf26f49

  • C:\Windows\{EDA342C7-2DE1-4b59-9446-3661EF560336}.exe

    Filesize

    90KB

    MD5

    00c16a4c392027ef7fe43170325b953f

    SHA1

    512b5cb062c7758742378b6cb649d29ceaedf427

    SHA256

    fa47d456feb43bb40b7ee1b3e08e5be7edf3164e137d086f6d0a37d92a6445fe

    SHA512

    bde9ce99c1b27b09bcd0e8a479d61671316b7826813620d4aa0127a06ac6d833befccf896a5f99db246e65aae76431c2aab05cc63eb9332bf9462776597aeb48