Analysis

  • max time kernel
    118s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/08/2024, 07:15

General

  • Target

    63fd02fdf10254b3f8cf4048fe202220N.exe

  • Size

    60KB

  • MD5

    63fd02fdf10254b3f8cf4048fe202220

  • SHA1

    6f84b4e82557b9ae089b679cb8a8302dbaaae84f

  • SHA256

    7e80f4c3de232199039b43990c9b4e67ba45017eabea3d799d000a1a624e5208

  • SHA512

    c9a5d7aa6d13b04fcbe8b76729d01c0c4b35632afd5232bcfdb56176a8dc03c51940af1d14182b3a1fe42520be3900703dd5e03eff057e06e5bd01ef966309d6

  • SSDEEP

    192:vbOzawOs81elJHsc45CcRZOgtShcWaOT2QLrCqw8Y04/CFxyNhoy5t:vbLwOs8AHsc4sMfwhKQLroK4/CFsrd

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\63fd02fdf10254b3f8cf4048fe202220N.exe
    "C:\Users\Admin\AppData\Local\Temp\63fd02fdf10254b3f8cf4048fe202220N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1528
    • C:\Windows\{FF12EF98-E628-4efc-9991-6F07989600CD}.exe
      C:\Windows\{FF12EF98-E628-4efc-9991-6F07989600CD}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4400
      • C:\Windows\{C4F3842E-C007-4545-964F-1704306F8F34}.exe
        C:\Windows\{C4F3842E-C007-4545-964F-1704306F8F34}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4212
        • C:\Windows\{3798BF84-84D5-4c1a-A41B-2546DF0416A1}.exe
          C:\Windows\{3798BF84-84D5-4c1a-A41B-2546DF0416A1}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1016
          • C:\Windows\{14D49C6D-ACB7-41de-AE08-7BF389679264}.exe
            C:\Windows\{14D49C6D-ACB7-41de-AE08-7BF389679264}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3584
            • C:\Windows\{1A154B48-5EDE-4767-BF0E-D5D46E1B266C}.exe
              C:\Windows\{1A154B48-5EDE-4767-BF0E-D5D46E1B266C}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1476
              • C:\Windows\{E3AEE6E0-E361-45da-A18D-93C22FFF9574}.exe
                C:\Windows\{E3AEE6E0-E361-45da-A18D-93C22FFF9574}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:740
                • C:\Windows\{1F62BEDC-5EC2-4627-B48F-EBE3EFC7CBDF}.exe
                  C:\Windows\{1F62BEDC-5EC2-4627-B48F-EBE3EFC7CBDF}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4836
                  • C:\Windows\{1EA2D21B-8257-4c44-BE40-B99B133B1F4B}.exe
                    C:\Windows\{1EA2D21B-8257-4c44-BE40-B99B133B1F4B}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2836
                    • C:\Windows\{524D7F45-47B7-4b2b-B0BD-D779BA5D238B}.exe
                      C:\Windows\{524D7F45-47B7-4b2b-B0BD-D779BA5D238B}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:764
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{1EA2D~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1316
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{1F62B~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2992
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{E3AEE~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3244
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{1A154~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3356
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{14D49~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3784
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{3798B~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:540
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{C4F38~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3640
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF12E~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4952
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\63FD02~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2000

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{14D49C6D-ACB7-41de-AE08-7BF389679264}.exe

    Filesize

    60KB

    MD5

    a2feacc942a5dea3b311153f2554abe6

    SHA1

    6b38c86009851a8f2b249a356907214204443645

    SHA256

    ef54f384644938927d494e0473587df25e906aad8356f53b94a1a9a9fe32a99f

    SHA512

    67b9f871beb756803925369bd04078e9989a0665ae556e053c18ef77864f82d1c9e08b9db1cb5179fb9b6027029c38d4de1a6cd16d73dab83aeb8775c9c2b3fd

  • C:\Windows\{1A154B48-5EDE-4767-BF0E-D5D46E1B266C}.exe

    Filesize

    60KB

    MD5

    4f938fa42bfbcd194ef5fb52c0e2a5e9

    SHA1

    be2cc58781032aad9e12e45625697e636324b349

    SHA256

    85277c1f6dae4050439147e1f2ba610579445006fd069f5ff4ddfc2099fb17c7

    SHA512

    42d303ce3da4dbee9449aa2af775c70cacaaddd409bb5ddece1cfa2b082f5ec1467e5efc295e0766e68839d977fcc89a0ada50dffdcc930b4bf04b513621b562

  • C:\Windows\{1EA2D21B-8257-4c44-BE40-B99B133B1F4B}.exe

    Filesize

    60KB

    MD5

    9f49697262fc012bbf9f0feb97b8f9a7

    SHA1

    a006cffbff1fc0f372f8e87a4e5288dc144ab151

    SHA256

    c08e8c79f1ec61e953bbcd94367a65ff8e86016958427ea0693366b34cc8d249

    SHA512

    a5fca47bc61914f52b3abcb69cc683c5dadc40fe4166b99295108df6a8b08891b777426eed810284d68e5717cab4731a738b4e4706c43b049cafc86fe17ebbf5

  • C:\Windows\{1F62BEDC-5EC2-4627-B48F-EBE3EFC7CBDF}.exe

    Filesize

    60KB

    MD5

    2c624bdca137ab28036876df923bdb1b

    SHA1

    bf1687e151770c4ed3edefda0174ebeb294114a2

    SHA256

    91d9c54f4f3ac1c802535502a15a32ea33564b8fb1e75607e3f5cbf59b8aac22

    SHA512

    0b1f36dc38461ea239d377b8c8b690316959c41dce9fed4d27b3b13c57d118b2fb13d5a7817ccb06a49bfe47d5bcde8e5c799425941122a0119cd5c633ff6acc

  • C:\Windows\{3798BF84-84D5-4c1a-A41B-2546DF0416A1}.exe

    Filesize

    60KB

    MD5

    757a8f269d8bd044d461eee3bc76b286

    SHA1

    79b1f94274137a1c24e118f6ca5b889ecdc9714b

    SHA256

    7f9b1ce569c85b1ada7fc4e1f1aa20198cee62ffefe18537eaf58d35151fb3e7

    SHA512

    9c2c9836bcdfc0afcd4a854636f86d4fe88bf92ea32c9ad3f3639c8130f3349f8b741a791ab34c4cb45ec331da7236e6fa3904ef6da1e19fdebc0c8e1c75cc9c

  • C:\Windows\{524D7F45-47B7-4b2b-B0BD-D779BA5D238B}.exe

    Filesize

    60KB

    MD5

    02fca4528a0848900d550b45d975a725

    SHA1

    31c27ce91b54b9446e3cd9af6fa2f01e24ad5d22

    SHA256

    8a87ac4bf20e38c81f452742041d051ae022516205f82b9fc2d7014b89054d88

    SHA512

    919afac1a5fce81096641f1bc32abd5ed59e19e39146be15f5048f33e8cb5185a799c610183449ce726719bd3050e81edb0bef70779b7962be23613e2b6f8118

  • C:\Windows\{C4F3842E-C007-4545-964F-1704306F8F34}.exe

    Filesize

    60KB

    MD5

    58267e3956e7803f753402e6483a330e

    SHA1

    7ebcb7e2bc298c2d37401b70e9ee50195b82c63b

    SHA256

    92633a6cbbb030befaa578329c63d9570397d4dddd8fe9e9ead1b2f0e570f29f

    SHA512

    7c2b8cf54784cb2c2513e017aeb33cf421135122fc8cb58eb39a0c9ac52d14640fa617dd01a9241bb887b665a50d2dffbbbbdba4fd5f0c22e094974fce532cb4

  • C:\Windows\{E3AEE6E0-E361-45da-A18D-93C22FFF9574}.exe

    Filesize

    60KB

    MD5

    04318a7381e0af8ad3a6dc2135688c7a

    SHA1

    a5afbea4f72dcf0464169fd4557c8852d7c73293

    SHA256

    bf0abe9ae2f67583d38e1b944eba001788c249be4857949f5eca2e3b52f4f3c7

    SHA512

    139187dfee8dde12037d71d51f47461ae523a60acc48af1db1624808606600c672133f4778099c25a78ecf69c896ba000355cb1ba7b179a1a8436f5b625d3ec6

  • C:\Windows\{FF12EF98-E628-4efc-9991-6F07989600CD}.exe

    Filesize

    60KB

    MD5

    5f053fe0ee03f72f76195666ca5ef7fb

    SHA1

    7d93a3841c7b771020ed7e8f3fc7c49220343197

    SHA256

    d49efed93f9d34ba389d1145b1821d7268349c874ea4ec57f74b08f68f18e7d9

    SHA512

    c5434b468d700aa6fd77e35178025aacbe8bac57c202b93d0708b503918c51ae778f0d30792305a2ff834e7571a47d535c324aeab4647c80af0d53f30c98345d