Analysis

  • max time kernel
    144s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/08/2024, 20:24

General

  • Target

    3adaca9309ad20260b935223ca0720c0ee28b9068fc4482ecaffc267ffbe1c9f.exe

  • Size

    89KB

  • MD5

    2aef6586334840096ed23ceb9fab1320

  • SHA1

    48bc4b2663a531b88565fbf7edee55acf7ce99c0

  • SHA256

    3adaca9309ad20260b935223ca0720c0ee28b9068fc4482ecaffc267ffbe1c9f

  • SHA512

    5cde108e2b2f220cc9dafa11dfaa99b2ec4710b4d9aa864fc4a4da2b482290cea2b413d6a246bef73bfb800b18d8f5a44a29984b49468f965bfd8e562d7c4813

  • SSDEEP

    768:Qvw9816vhKQLrov4/wQRNrfrunMxVFA3b7glL:YEGh0ovl2unMxVS3Hg9

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3adaca9309ad20260b935223ca0720c0ee28b9068fc4482ecaffc267ffbe1c9f.exe
    "C:\Users\Admin\AppData\Local\Temp\3adaca9309ad20260b935223ca0720c0ee28b9068fc4482ecaffc267ffbe1c9f.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2104
    • C:\Windows\{092A98F8-41A5-4df9-8272-3C6853ABB9A8}.exe
      C:\Windows\{092A98F8-41A5-4df9-8272-3C6853ABB9A8}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2440
      • C:\Windows\{2C52CB52-3D46-4b89-B31F-CBC131194724}.exe
        C:\Windows\{2C52CB52-3D46-4b89-B31F-CBC131194724}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2208
        • C:\Windows\{15C682F5-6D80-4d74-9E3D-4326F65439CF}.exe
          C:\Windows\{15C682F5-6D80-4d74-9E3D-4326F65439CF}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3028
          • C:\Windows\{84815771-4490-4538-8ED8-D7CA5A0B2320}.exe
            C:\Windows\{84815771-4490-4538-8ED8-D7CA5A0B2320}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2712
            • C:\Windows\{DA0CA60A-1A9B-44fa-BDF0-5B7BF7393E14}.exe
              C:\Windows\{DA0CA60A-1A9B-44fa-BDF0-5B7BF7393E14}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1300
              • C:\Windows\{86ECFBAA-5B65-43cf-A603-7C54E6AA1AD8}.exe
                C:\Windows\{86ECFBAA-5B65-43cf-A603-7C54E6AA1AD8}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2732
                • C:\Windows\{C5BF9436-4BB4-4338-AC16-F932CB4CCB8F}.exe
                  C:\Windows\{C5BF9436-4BB4-4338-AC16-F932CB4CCB8F}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2992
                  • C:\Windows\{B920A500-D5F1-49de-9ED8-F0F2CA5FC34F}.exe
                    C:\Windows\{B920A500-D5F1-49de-9ED8-F0F2CA5FC34F}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1536
                    • C:\Windows\{8C8D77E1-B571-4cf2-A720-7B401C636E89}.exe
                      C:\Windows\{8C8D77E1-B571-4cf2-A720-7B401C636E89}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1588
                      • C:\Windows\{F95EF687-F30F-477f-A7FC-098CBB1A390C}.exe
                        C:\Windows\{F95EF687-F30F-477f-A7FC-098CBB1A390C}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1700
                        • C:\Windows\{C78B686B-3E55-4702-8CD7-76F424DFCFC9}.exe
                          C:\Windows\{C78B686B-3E55-4702-8CD7-76F424DFCFC9}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:3068
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F95EF~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2484
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C8D7~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1656
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{B920A~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1648
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{C5BF9~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2760
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{86ECF~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2148
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{DA0CA~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2900
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{84815~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2888
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{15C68~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1996
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{2C52C~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1708
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{092A9~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2796
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3ADACA~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2584

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{092A98F8-41A5-4df9-8272-3C6853ABB9A8}.exe

    Filesize

    89KB

    MD5

    baa694f8d60dd0bf75aaff974f3c780b

    SHA1

    4665b18e89c0e46ea7a0ada8eae840bf3fa1174e

    SHA256

    d606a67f2b236268cfda5a17c6b33ba655fe9b868ce8334c660502ca6c66fd81

    SHA512

    caeed2714844af64b28a07d088a8348a210b78c4efc96df6d57e54cc220185a7ab6a6a5c6c830d4d4eff98f2a46cea42d9e5cdb2d1666649764ed378e3e94a45

  • C:\Windows\{15C682F5-6D80-4d74-9E3D-4326F65439CF}.exe

    Filesize

    89KB

    MD5

    7a27a5c18f1521ea7a061ca67b0acfc9

    SHA1

    2cbb3534689e54f9146bd2c85426b401f6451a0c

    SHA256

    f77e6b2049fa7c54fc1f478913e6069ea76c19968275baec9cfa679976ad4439

    SHA512

    9c7d642075d3dd22e76670169f41eddc02f7f1cd2855acf90e1ca488588add7745a749b62c2638e24e1e3b47ba76386e5f37c3cb5975a37db3d4ad0d1ea7987a

  • C:\Windows\{2C52CB52-3D46-4b89-B31F-CBC131194724}.exe

    Filesize

    89KB

    MD5

    63620f343788272f8c98097a05c18178

    SHA1

    5c0c640f4d00c21dd2ff3e8ff455a629f1bd4fa4

    SHA256

    76d905244df700ffc962cf2c07af6aee3fde17c4f4c11440aa3fd14b7818792b

    SHA512

    9e25a5480b60db9741d1a1cc2e9e53fbde74fc88d38b02726de7d6bdf4d598dd7698e3219f53ff5f395d44f2c4d438a619c57e2f6167b07be46a543290ed0ac0

  • C:\Windows\{84815771-4490-4538-8ED8-D7CA5A0B2320}.exe

    Filesize

    89KB

    MD5

    46897cdf65a5c3c8c6d6228c2bf4ec9a

    SHA1

    390a5d0d52530a4fc7ac5dfffaa6ee8802d50050

    SHA256

    2652f6b6da469a916d046181a42e7e1b8a670b81d493204063091c9256238af5

    SHA512

    db17cc861995b3c6d9ebf8f19025dd8796ed25c28bf493b4e57c6128aeed09f353c4f3a0e0dc570733fe88775f045a440a933e42f90fb11e2cfd68e638d6e991

  • C:\Windows\{86ECFBAA-5B65-43cf-A603-7C54E6AA1AD8}.exe

    Filesize

    89KB

    MD5

    1a27baa590f7034ee73fdc9fc98bee50

    SHA1

    b3a26dcfb4bf5b1adafcd9411469cd0433e735e6

    SHA256

    49d8d12186b7a6bfd693dd35f38ce64dfb865a7296809a3dfe9ba4b75fa46acf

    SHA512

    52c269722899084f83245867ff06838d8107d60873870cf45314cf1f8729352f5b7fa64ce1eda1b8263e142cb0d4774ec67d42e6e541b3bef00d1210fdb2fdc7

  • C:\Windows\{8C8D77E1-B571-4cf2-A720-7B401C636E89}.exe

    Filesize

    89KB

    MD5

    40c3799322ee2eef52ace83da2698d5b

    SHA1

    fa96e40911a9f7a032a29e313c5f780f1c4182e9

    SHA256

    810606eeb1f981f6a12b7e6baae52bdead6cb29e89c318cd5367d186842f800f

    SHA512

    27363a7f866e8791809d562a0711a7dae43c8fa31a18ef20138b92f09f7defac8f0b76647695881ff4520ccbefc374556c13aede2d63ce59dbe292638b427db3

  • C:\Windows\{B920A500-D5F1-49de-9ED8-F0F2CA5FC34F}.exe

    Filesize

    89KB

    MD5

    07935c96ee82622e5b4257f3a92d34bb

    SHA1

    bbc815e697a802c4295d776a7df78d495dfd3e8e

    SHA256

    321fa391bea952ee8aaea69f28980e505412b5dc7c9c0fa0e6ef9ba87e012194

    SHA512

    f759988d98adcf8cb70edaf39501bb37299b6247ff39d4fce6b702157bcbfd3f3eb1ef0eb84d08c2b6f09a78a24869e496195a4b9f5787dcf708ea21a47d9a54

  • C:\Windows\{C5BF9436-4BB4-4338-AC16-F932CB4CCB8F}.exe

    Filesize

    89KB

    MD5

    3f55504149d2ac0d4519e394b58aad48

    SHA1

    9fd42b2d03f4c6e8733a01c775682dff0b7141a2

    SHA256

    ff36e9e74b95f0a45e86455a30b0db3c86eda5fa28605dc11f7d64f3a1c3206d

    SHA512

    bce53302f9fb63638b02b333ebe0c63724dbf72cdbfac6bce704c0dfde9ae11c7a29ceb64b739d9be449368be6b25c387c4625f90a11ec617f098be2905efced

  • C:\Windows\{C78B686B-3E55-4702-8CD7-76F424DFCFC9}.exe

    Filesize

    89KB

    MD5

    4780a0faac470a9b09d8d82af63bb25b

    SHA1

    d44178b4d4030d3bf5f2deb32ae0a967b8aee151

    SHA256

    4722177e2091b33ae8d668a05a4caf182c51971117f7826a0898c8988a5638a9

    SHA512

    afc28cb524a8651a739ff42b80703ed9eca1eaf8efd8f3bfd45cd240dd7c53d588dc38ef45db84e5e97233f611b60fab9a200d55e7b87e54db7a2e8c037ced29

  • C:\Windows\{DA0CA60A-1A9B-44fa-BDF0-5B7BF7393E14}.exe

    Filesize

    89KB

    MD5

    c296a3dc135496747f6a565e4b198e38

    SHA1

    d4c8359f4ad9fd0a8d8b50f5087410eff8a768fd

    SHA256

    e5f924fe1f3a197b9e42da26d105e9a4de970da0b2a9a2f395ae42942e19c076

    SHA512

    a164c232b2916fbb3a4d101767a5b390b1e7bd01137aa1b230b828dcaef3f6489b1da7f23ddcf200a658691b3886632b0b125266580e8174a563e61e9b2c3ceb

  • C:\Windows\{F95EF687-F30F-477f-A7FC-098CBB1A390C}.exe

    Filesize

    89KB

    MD5

    f6df24dabcfc787da72772b48dc0b410

    SHA1

    4d2e9a543fe4e19df1a06b6559638fdba7813449

    SHA256

    d04f3e024a07e4c0abdd99be0fb6194c72c106a7a3e7c100f937675351902c87

    SHA512

    d7a236f5a5c78de76ec645758b324ce7979fbc7e76ebc2100a91c50549db58bcf3ef336c0de2ccfc57969346503fb19553e5b12c5d16f43a570d0832df9632c0