Analysis

  • max time kernel
    138s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/07/2024, 05:04

General

  • Target

    e79eeddea328c8c1d09a65680408d3d71c6c966423ef6c55c5fcb9e0d06fd204.exe

  • Size

    90KB

  • MD5

    b818cbc08350fa84e9851d85c2ee88ae

  • SHA1

    47ce228e0989c98425de8f1dfb774fdc6edd7e3e

  • SHA256

    e79eeddea328c8c1d09a65680408d3d71c6c966423ef6c55c5fcb9e0d06fd204

  • SHA512

    af0c5c52bb4ba0340fb95c507321fd4279d64f5514a7401a33d3284159036400a7c7a9dda1a1f259217b679de5c8efe8bd17d8938784fb9111b5362d7f1d0814

  • SSDEEP

    768:Qvw9816vhKQLroM4/wQRNrfrunMxVFA3b7glw:YEGh0oMl2unMxVS3Hg

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup components are subkeys of HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID} (also under WOW6432Node on 64-bit hosts); Explorer runs each component's StubPath value once per user at the next logon and records that it has run under the matching HKCU key. The GUID-named executables dropped into C:\Windows fit that pattern, although the report does not list the registry values that were written.

  • Deletes itself 1 IoCs

    The original sample removes its own image through a cmd.exe child it spawns (PID 2400: cmd.exe /c del ...\E79EED~1.EXE > nul). Every dropped stage does the same to itself once it has started the next stage, so of the twelve executables in the chain only the last one ({F9EE1185-...}.exe, PID 1044) has no cleanup child in the captured run. The image path is C:\Windows\SysWOW64\cmd.exe while the command line names system32: the sample is 32-bit (arch:x86 tag) on a 64-bit guest, so WOW64 file system redirection maps system32 to SysWOW64.

  • Executes dropped EXE 11 IoCs

    Eleven GUID-named copies run in a chain, each launching the next. All are 90KB like the original but each has a distinct MD5/SHA1/SHA256 (see Downloads), so a hash match on any single stage does not cover the others; the C:\Windows\{GUID}.exe path pattern and the Active Setup key are the stable indicators.

  • Drops file in Windows directory 11 IoCs

    Each stage writes its successor as C:\Windows\{GUID}.exe. Writing to C:\Windows needs an elevated token; the run used the sandbox's Admin account.
  • System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location. Treat this as low signal on its own here: it fires on every cmd.exe instance in the tree as well as on the GUID executables, so it reflects the locale lookup common to many processes rather than a distinctive behaviour of the sample.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
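The Active Setup signature names the technique but not the registry values written, so the following is a host-side triage for it. It is an added example, not part of the tria.ge report or its signature logic. The key paths and the HKLM/HKCU "already ran" semantics are documented Windows behaviour; the sample entries are constructed (the first reuses a GUID from this report's drop list, the others imitate stock and vendor entries), and read_installed_components() is the only part that needs Windows.

```python
"""Triage Active Setup persistence entries of the kind this report flags.

Added example, not part of the tria.ge report. The classification is pure
Python; read_installed_components() needs winreg and therefore Windows.
"""
import re

# Active Setup components: HKLM (plus the WOW6432Node view on 64-bit hosts).
# A same-named key under HKCU marks the component as already run for that user.
ACTIVE_SETUP_SUBKEYS = (
    r"SOFTWARE\Microsoft\Active Setup\Installed Components",
    r"SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components",
)

# C:\Windows\{GUID}.exe, the drop pattern seen in this report (lower-cased input).
GUID_EXE_IN_WINDOWS = re.compile(
    r"^[a-z]:\\windows\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$"
)
# Roots where legitimate Active Setup stubs normally live.
TRUSTED_ROOTS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def stub_image(stub_path: str) -> str:
    """Executable named by a StubPath value: first token, honouring quotes."""
    s = stub_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def classify_stub(stub_path: str) -> str:
    """Return 'guid_exe_in_windows', 'unexpected_location' or 'expected'."""
    image = stub_image(stub_path).lower()
    if GUID_EXE_IN_WINDOWS.match(image):
        return "guid_exe_in_windows"
    if "\\" not in image:  # bare name such as regsvr32.exe, resolved from System32
        return "expected"
    if image.startswith(TRUSTED_ROOTS):
        return "expected"
    return "unexpected_location"


def triage(hklm_components: dict, hkcu_done: set) -> list:
    """One tuple per HKLM component: (guid, verdict, will_run_at_next_logon).

    A component absent from HKCU has not run for this user yet and will be
    launched at the next logon. (A higher HKLM Version value than the HKCU
    copy also re-triggers it; the constructed data below omits Version.)
    """
    return [
        (guid, classify_stub(stub), guid not in hkcu_done)
        for guid, stub in sorted(hklm_components.items())
    ]


def read_installed_components() -> dict:
    """Live enumeration of HKLM Active Setup StubPath values (Windows only)."""
    import winreg  # only importable on Windows
    found = {}
    for subkey in ACTIVE_SETUP_SUBKEYS:
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey)
        except OSError:
            continue
        with root:
            index = 0
            while True:
                try:
                    name = winreg.EnumKey(root, index)
                except OSError:
                    break
                index += 1
                try:
                    with winreg.OpenKey(root, name) as comp:
                        stub, _ = winreg.QueryValueEx(comp, "StubPath")
                except OSError:
                    continue  # component without a StubPath value
                found[name] = stub
    return found


# Constructed entries, not read from the report's guest: the first borrows a
# GUID from the drop list, the others imitate stock and vendor components.
SAMPLE_HKLM = {
    "{245C5DAE-2010-4e47-B778-45B23B1872E3}":
        r"C:\Windows\{245C5DAE-2010-4e47-B778-45B23B1872E3}.exe",
    "{89820200-ECBD-11cf-8B85-00AA005B4340}":
        "regsvr32.exe /s /n /i:U shell32.dll",
    "{Contoso-Updater-0001}":
        r'"C:\Program Files\Contoso\updater.exe" /firstrun',
    "{Contoso-Updater-0002}":
        r"C:\Users\Public\update.exe",
}
SAMPLE_HKCU_DONE = {"{89820200-ECBD-11cf-8B85-00AA005B4340}"}

if __name__ == "__main__":
    for guid, verdict, pending in triage(SAMPLE_HKLM, SAMPLE_HKCU_DONE):
        print(f"{verdict:20} pending={pending!s:5} {guid}")
```

On a live host, pass read_installed_components() and the set of HKCU subkey names into triage(); entries that classify as guid_exe_in_windows and are still pending are the ones that will execute for any user who has not logged on since the infection.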

Processes

  • C:\Users\Admin\AppData\Local\Temp\e79eeddea328c8c1d09a65680408d3d71c6c966423ef6c55c5fcb9e0d06fd204.exe
    "C:\Users\Admin\AppData\Local\Temp\e79eeddea328c8c1d09a65680408d3d71c6c966423ef6c55c5fcb9e0d06fd204.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2508
    • C:\Windows\{245C5DAE-2010-4e47-B778-45B23B1872E3}.exe
      C:\Windows\{245C5DAE-2010-4e47-B778-45B23B1872E3}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\Windows\{5471426E-99AE-4234-AFF0-3B05D9ACF661}.exe
        C:\Windows\{5471426E-99AE-4234-AFF0-3B05D9ACF661}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2872
        • C:\Windows\{B80A74D8-7BEB-470b-9150-D61105C649B7}.exe
          C:\Windows\{B80A74D8-7BEB-470b-9150-D61105C649B7}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3004
          • C:\Windows\{32BEEA6F-F63B-4640-83B2-8F359AA3D030}.exe
            C:\Windows\{32BEEA6F-F63B-4640-83B2-8F359AA3D030}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2640
            • C:\Windows\{7465776D-89AE-4620-9DE4-9738CE5D30E4}.exe
              C:\Windows\{7465776D-89AE-4620-9DE4-9738CE5D30E4}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:996
              • C:\Windows\{947BEBCE-2D74-4baf-A7D3-53536E331B2F}.exe
                C:\Windows\{947BEBCE-2D74-4baf-A7D3-53536E331B2F}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1616
                • C:\Windows\{EA43E890-A880-4b70-970E-653B874380D5}.exe
                  C:\Windows\{EA43E890-A880-4b70-970E-653B874380D5}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2808
                  • C:\Windows\{E98F00B1-16F8-4c9d-B25E-25038A4BBC8E}.exe
                    C:\Windows\{E98F00B1-16F8-4c9d-B25E-25038A4BBC8E}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2976
                    • C:\Windows\{9328F258-02A8-4753-A9CB-0545654ADF3D}.exe
                      C:\Windows\{9328F258-02A8-4753-A9CB-0545654ADF3D}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:568
                      • C:\Windows\{3198862D-2807-487a-BB45-E8334FE1D2EC}.exe
                        C:\Windows\{3198862D-2807-487a-BB45-E8334FE1D2EC}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2552
                        • C:\Windows\{F9EE1185-19E6-48e6-92BE-82A33A6D4937}.exe
                          C:\Windows\{F9EE1185-19E6-48e6-92BE-82A33A6D4937}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1044
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{31988~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2180
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{9328F~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2144
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{E98F0~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1268
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{EA43E~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3036
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{947BE~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2856
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{74657~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2348
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{32BEE~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2864
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{B80A7~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2692
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{54714~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2796
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{245C5~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2756
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\E79EED~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2400
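The tree above shows two things worth detecting generically: each stage spawns the next GUID-named executable in C:\Windows, and each stage spawns a cmd.exe that deletes the parent's own image using its 8.3 short name (E79EED~1.EXE, {245C5~1.EXE, ...). The block below is an added example, not tria.ge's own signature logic. Its events are constructed from the first three stages of this report's process tree plus one unrelated del command for contrast; the parent PID 1000 given to the original sample is an assumption, since the report does not show it.

```python
"""Detect the self-deleting GUID-executable chain from this report's tree.

Added example, not tria.ge's own logic. EVENTS is constructed from the
Processes section; the original's parent PID (1000) is assumed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


CMD = r"C:\Windows\SysWOW64\cmd.exe"  # 32-bit sample: WOW64 redirects system32 here
ORIG = r"C:\Users\Admin\AppData\Local\Temp\e79eeddea328c8c1d09a65680408d3d71c6c966423ef6c55c5fcb9e0d06fd204.exe"
STAGE2 = r"C:\Windows\{245C5DAE-2010-4e47-B778-45B23B1872E3}.exe"
STAGE3 = r"C:\Windows\{5471426E-99AE-4234-AFF0-3B05D9ACF661}.exe"

EVENTS = [  # constructed from the report; PIDs are the report's, ppid 1000 is assumed
    Proc(2508, 1000, ORIG, f'"{ORIG}"'),
    Proc(2804, 2508, STAGE2, STAGE2),
    Proc(2400, 2508, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\E79EED~1.EXE > nul"),
    Proc(2872, 2804, STAGE3, STAGE3),
    Proc(2756, 2804, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{245C5~1.EXE > nul"),
    # contrast (constructed): deleting some other file is not self-deletion
    Proc(4100, 2508, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\Desktop\notes.txt > nul"),
]

DEL_RE = re.compile(r'/c\s+del\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
GUID_EXE = re.compile(r"^[a-z]:\\windows\\\{[0-9a-f-]{36}\}\.exe$", re.IGNORECASE)
SHORT_DROP = re.compile(r"[^A-Z0-9!#$%&'()\-@^_`{}~]")  # chars that survive into 8.3 names


def short_name_pattern(long_name: str) -> re.Pattern:
    """Regex for the 8.3 alias Windows generates for long_name: first six
    surviving stem characters, a tilde and a collision counter, then up to
    three extension characters. The counter depends on the directory, so it
    is matched as any run of digits."""
    stem, dot, ext = long_name.rpartition(".")
    if not dot:
        stem, ext = long_name, ""
    prefix = SHORT_DROP.sub("", stem.upper())[:6]
    ext3 = re.sub(r"[^A-Z0-9]", "", ext.upper())[:3]
    tail = rf"\.{re.escape(ext3)}" if ext3 else ""
    return re.compile(rf"^{re.escape(prefix)}~\d+{tail}$")


def same_file(a: str, b: str) -> bool:
    """True if a and b name the same file, allowing 8.3 components on either side."""
    pa, pb = a.split("\\"), b.split("\\")
    if len(pa) != len(pb):
        return False
    for x, y in zip(pa, pb):
        if x.lower() == y.lower():
            continue
        if short_name_pattern(y).match(x.upper()) or short_name_pattern(x).match(y.upper()):
            continue
        return False
    return True


def find_self_deletions(events):
    """(cmd pid, parent pid, parent image) for every cmd.exe that deletes the
    image of the process that spawned it."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(e.cmdline)
        if not m:
            continue
        target = m.group(1) or m.group(2)
        parent = by_pid.get(e.ppid)
        if parent and same_file(target, parent.image):
            hits.append((e.pid, parent.pid, parent.image))
    return hits


def stage_chain(events, root_pid: int) -> list:
    """Follow the drop chain from root_pid: each stage's C:\\Windows\\{GUID}.exe child."""
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    chain, pid = [], root_pid
    while True:
        nxt = [c for c in children.get(pid, []) if GUID_EXE.match(c.image)]
        if not nxt:
            return chain
        pid = nxt[0].pid
        chain.append(pid)


if __name__ == "__main__":
    print("stage chain:", stage_chain(EVENTS, 2508))
    for cmd_pid, parent_pid, image in find_self_deletions(EVENTS):
        print(f"pid {cmd_pid} deletes its parent {parent_pid}: {image}")
```

Matching on the parent relationship rather than on "cmd /c del" alone is what keeps the contrast event out: installers also delete files through cmd.exe, but a child that deletes the exact image of its own parent is the self-deletion behaviour the report's "Deletes itself" signature describes. The 8.3 comparison is needed because the command lines carry short names while the process images carry long ones.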

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{245C5DAE-2010-4e47-B778-45B23B1872E3}.exe

    Filesize

    90KB

    MD5

    281c7067732bc9d3adb6723fdf03a307

    SHA1

    70ac9d8e46a439796a7e3403471efff7ff3d0666

    SHA256

    b13cfc596e31a02d8274fb3cd253608994d5fb50e56c5a46d351e67180fb10ae

    SHA512

    eac32a6f58143d084adc5ff9b8fba4e11760ac4defeade0d5c4566c3f032fb3b1e71c7cf08178dec95cb798e44d3184115fe1aa04cdb52c0742dac751bb36469

  • C:\Windows\{3198862D-2807-487a-BB45-E8334FE1D2EC}.exe

    Filesize

    90KB

    MD5

    7fa9097ee4a808dd220e31588a3017ce

    SHA1

    885eca1c90b1e1c40344fe93c8c0b28f3460ade0

    SHA256

    d8a09f5d7315760fdaf602c46a08d22418e649c67a2af99960f01efc05a10f66

    SHA512

    bf8eadacd0dea56d9c81e6bfa83a375106bd6b23cbe710aa50f8bd4d8f0deb82d690bea06232539d850fa99f9925e6722a06ba572ff450f54fd9842dc2089536

  • C:\Windows\{32BEEA6F-F63B-4640-83B2-8F359AA3D030}.exe

    Filesize

    90KB

    MD5

    244482c0118c7f5eb82779a67c9e0774

    SHA1

    132dbe0af36ff7e488c31c57979f0f76d8ee98b7

    SHA256

    cb74ce2d358bf8fa89e95e354019aa69632cd8631344939525b9549297403503

    SHA512

    7d44b604ade365a28f60709b2610afc5a30fd2bf95a68ec0043db05fac62d7cf2dddf223424ff84b20215256e36b58704ba5c61120da1382793bfb5eec5674d9

  • C:\Windows\{5471426E-99AE-4234-AFF0-3B05D9ACF661}.exe

    Filesize

    90KB

    MD5

    3d895c63fae7f94dbad33804a9ff1e99

    SHA1

    0b1ee733bcefd1f5e23c1c4d2cea80f7b6f328a0

    SHA256

    b5719074d82305b68a7487a005915f7a03b2e3b2e003023012ba8e89ce3bb547

    SHA512

    373c440e9d9d77144c7fd5bbf5fa294f8cafefdc3d38b6cbb3c837ca3b3a017390f9b795a20a9dde7be073ce56b04936688a4430c0e41b37c8ae94b56a9c1f55

  • C:\Windows\{7465776D-89AE-4620-9DE4-9738CE5D30E4}.exe

    Filesize

    90KB

    MD5

    20d8ce97e1d9c1482da6ce61182aa0cf

    SHA1

    8cf3323fc62f836bbe53b674faa52d23fce1ae39

    SHA256

    0d245df2cc88590d0b148f4e9f44d75e30df54bdd4f46c672f84f439cb1ccd33

    SHA512

    d512d0eec4d29158b3eaf8300af27cc1d0ecf54f586fa397b058e2b164f17a45e630b4b3388073ee3bff0f08630ffe01e840c4e135d03bac80a5a08598d7159b

  • C:\Windows\{9328F258-02A8-4753-A9CB-0545654ADF3D}.exe

    Filesize

    90KB

    MD5

    ebbb318b0345033b1a3873dc56a29323

    SHA1

    e950f12f2be8fb4114f9824899e160ef5049520f

    SHA256

    471f2587d52a2600538455f8768f5f4592cd7ef4845b4017d7ef92c081e8400a

    SHA512

    f6e1cd762994c2a09b3114da521802c5b3750927fd6bd4cb80a7a38a588254cf14a55aabff02ea6e30b831bc96f5ac6964a76f8703bc4d693abfe596b26281cc

  • C:\Windows\{947BEBCE-2D74-4baf-A7D3-53536E331B2F}.exe

    Filesize

    90KB

    MD5

    3bdfdbb67833f1d0cc0b3ee5dd72dd27

    SHA1

    33c1cf0d4c041a070464cb3160a8c0d4b70bc4ca

    SHA256

    1f99c4f313e50a1eaf441ce7a1b67220c4ca91bec3634348e51ae54ec58fb54e

    SHA512

    ba10722128f60b99e9788178b497de9863924c3a4eb30e66dad5fd2b4a3646e44f6145eb30d35c34d42a2d6bba2233e40f8318661cbf8b020086ee10f057cfaf

  • C:\Windows\{B80A74D8-7BEB-470b-9150-D61105C649B7}.exe

    Filesize

    90KB

    MD5

    e87e7a61031a6a02e67f3db0fa43c2f3

    SHA1

    80d87b653dd73fc46f01e2828702d006d79342ff

    SHA256

    6afb5ff19095d0b01197746f24ad2b8076ba37b687932a981535fc06169d6bcf

    SHA512

    bcea3b4c400a42dd19baa9c5d615df84a8f0fbf1b5e9a121871a11cfc603d4bcf5202eebe327df944722dde08ea50fd479d257ab25c4453957f4ee8aae5d31dd

  • C:\Windows\{E98F00B1-16F8-4c9d-B25E-25038A4BBC8E}.exe

    Filesize

    90KB

    MD5

    97d7fbe946b328673fddd689e09e6798

    SHA1

    c8058deda47f6a8ff132039eb314914d8cd0f4d8

    SHA256

    88f71e0fd5ff4704717f7500610e9298bf072594858fd97ba2df995791c5bbec

    SHA512

    331188683448e6b65c629a3590c34ea6a58c7f9b2777302cd52dde2c8d70fc7b2642b8ead096b16ecd5dd621e76d9da8cf949966c6da8a3d00fd93a2ec2fd5db

  • C:\Windows\{EA43E890-A880-4b70-970E-653B874380D5}.exe

    Filesize

    90KB

    MD5

    2a5935d2558a705ee09ecc23b543fdee

    SHA1

    1b1d1232fa1175427191d6e657d09b4049059d67

    SHA256

    a91b28503e78b8088728ae918b8c57facf5b8181df4224f3f6444d258548a3f0

    SHA512

    6f7603b8b15d89dff416973d5742bc06e5023c24ca30d61c3b14690fb544a2498143906c88bcbd5a2e00e4c71ef973deb55ff2c6632706eb190ba2778d113439

  • C:\Windows\{F9EE1185-19E6-48e6-92BE-82A33A6D4937}.exe

    Filesize

    90KB

    MD5

    923135c8414a4e893b0b67ff291aa5c8

    SHA1

    64057712eeea39de4123b41f8d416e4707fa67f9

    SHA256

    995cf95dc9599c8efcf28ec8746be639bbd158c230cecf8a113fe8a75c206165

    SHA512

    8863be0e5856e890936415f2a661f010d18a7aef7cbd03cb0d24b8efcbdc97beb91a60e772284befb3e5adcea5d931ccdab4c1f4b7986b877ab3f1a9101ab22b