Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

e2677e02cd...df.exe

windows7-x64

8

e2677e02cd...df.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    144s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    09/08/2024, 03:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e2677e02cd73646fbd848d18898f16313e210e5bf6a7f5121627a38ce7419cdf.exe

  • Size

    89KB

  • MD5

    928dab96bb48ea2bde1269a007dac3f8

  • SHA1

    f8ca2ff882b5f5e43622114fdad124d769569e0b

  • SHA256

    e2677e02cd73646fbd848d18898f16313e210e5bf6a7f5121627a38ce7419cdf

  • SHA512

    17ad43a5b39e916ee1d80377ec3f03639e5aa9d20e9298d40460522af7fe381d1d4dc770b83a244bdfe4a7915ab5cd6f394fe31d99df15633c1ca72d2286b95e

  • SSDEEP

    768:5vw9816thKQLro44/wQkNrfrunMxVFA3k:lEG/0o4lbunMxVS3k

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e2677e02cd73646fbd848d18898f16313e210e5bf6a7f5121627a38ce7419cdf.exe
    "C:\Users\Admin\AppData\Local\Temp\e2677e02cd73646fbd848d18898f16313e210e5bf6a7f5121627a38ce7419cdf.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1316
    • C:\Windows\{E25C0222-E5A2-4357-A7D9-63D7CC25A92E}.exe
      C:\Windows\{E25C0222-E5A2-4357-A7D9-63D7CC25A92E}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2908
      • C:\Windows\{739BEDD2-9A1C-4a1e-857E-B4C75C4EF032}.exe
        C:\Windows\{739BEDD2-9A1C-4a1e-857E-B4C75C4EF032}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2844
        • C:\Windows\{82D7EE1C-DF8E-46e7-8E1F-F8103548EF09}.exe
          C:\Windows\{82D7EE1C-DF8E-46e7-8E1F-F8103548EF09}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2852
          • C:\Windows\{DFCF438D-FA9C-4534-A48E-157924540CF6}.exe
            C:\Windows\{DFCF438D-FA9C-4534-A48E-157924540CF6}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2616
            • C:\Windows\{8C9B8CA5-B2E6-4f87-8EE3-225184A35463}.exe
              C:\Windows\{8C9B8CA5-B2E6-4f87-8EE3-225184A35463}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:264
              • C:\Windows\{A32BBD1F-1B90-4486-893D-E94DDA2BD1C3}.exe
                C:\Windows\{A32BBD1F-1B90-4486-893D-E94DDA2BD1C3}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:624
                • C:\Windows\{A3A608D5-9563-4208-B468-95BC7117C215}.exe
                  C:\Windows\{A3A608D5-9563-4208-B468-95BC7117C215}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1160
                  • C:\Windows\{05E459B7-5D59-498d-981A-E356D3E43B11}.exe
                    C:\Windows\{05E459B7-5D59-498d-981A-E356D3E43B11}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1604
                    • C:\Windows\{F8FD6552-21D8-4a0a-A2AF-1BD545C28344}.exe
                      C:\Windows\{F8FD6552-21D8-4a0a-A2AF-1BD545C28344}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1856
                      • C:\Windows\{ACB4A053-C99A-406c-AC17-4B47FD531F92}.exe
                        C:\Windows\{ACB4A053-C99A-406c-AC17-4B47FD531F92}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:632
                        • C:\Windows\{D4ABC83C-7E5D-4bdf-AA97-2A2EE44CD94B}.exe
                          C:\Windows\{D4ABC83C-7E5D-4bdf-AA97-2A2EE44CD94B}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:848
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{ACB4A~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1072
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8FD6~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2204
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{05E45~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1540
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{A3A60~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2332
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{A32BB~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2508
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{8C9B8~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2688
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{DFCF4~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:832
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{82D7E~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2676
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{739BE~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2640
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E25C0~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2724
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\E2677E~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2264

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\{05E459B7-5D59-498d-981A-E356D3E43B11}.exe
    Filesize

    89KB

    MD5

    d8b4556cbf97b425301a076d1a5e4559

    SHA1

    70cd258bd03c0b9ff397db98be8aed82c8e9c036

    SHA256

    73ba726bdc75648a160982acacaeaab05d3ea32239472865b2f06e62d510847a

    SHA512

    fd162f1af9237949724f4d5afd7a725990e2abd8d7fcce99f299b512790b30464a50c6436dd3a1a3addcc3a35cdab5055c1558eaf153068629b67cdccbf478a3

    Download Submit

  • C:\Windows\{739BEDD2-9A1C-4a1e-857E-B4C75C4EF032}.exe
    Filesize

    89KB

    MD5

    49bccfad22e3ee61dca99ff30007c656

    SHA1

    17c1fdf90aeec1953962820b5fdeb086c747c7c5

    SHA256

    db80046489c6b4ff1d104c98cbe49d6c7f81863a1aa46047e049231eda5d761d

    SHA512

    ea3eb52daa709d5de86599bcfe2d96e2c5d3c3490e203d38005c8e80591e73dbd363491f471e3ab35f1016288c03232ece3bb1adda7c990a0366d29430ea203f

    Download Submit

  • C:\Windows\{82D7EE1C-DF8E-46e7-8E1F-F8103548EF09}.exe
    Filesize

    89KB

    MD5

    2bcd8dc57e302d8e5e83e3aff51b4802

    SHA1

    90c0f18dcb7837f140d77a04be11a62fa6b4dc21

    SHA256

    3c645d4df9460b99f7a3bdbb6be26409c5757bf41a623b9828d72a2fb0585d15

    SHA512

    6d990f0e663dd7b245b5113f6a39ba03534e21650b4b87542652aa4b887a401b5f23ed9ec1b335378752563c23cce951708143214ccb9e8ae46b1918d76685c6

    Download Submit

  • C:\Windows\{8C9B8CA5-B2E6-4f87-8EE3-225184A35463}.exe
    Filesize

    89KB

    MD5

    5d5814557da8a954f46e9a75ead831f3

    SHA1

    3dd9ac2789f5d2e2525deeb84f63d2a2b476bd95

    SHA256

    469d5b14204263ca0f2bbecc1625eec2f93c57ed890a8996adeec39e9277f1a1

    SHA512

    34159e1d594ae30667bfe9d164f4e617f4a9e59741995a3e14f6ee198263800b6ee73685a4547ea5771333625978c2e09480a6bd6590ccfd717cbb088fce1310

    Download Submit

  • C:\Windows\{A32BBD1F-1B90-4486-893D-E94DDA2BD1C3}.exe
    Filesize

    89KB

    MD5

    740111049ddb003ebca39787ee177c1b

    SHA1

    92e3e82a70ad11f32e8155796c8423d73802212a

    SHA256

    f3dec6d44b5c85ba75338a6119d39477eb7904a421818172ba330054ce0e5a55

    SHA512

    a90043490cc31ec13696b58f401b3569a992e37ec63c89dc511bd15ad0856738f16fad91f74cba03fac5108d20a9955bbc394c38c5c41ac6aaa1000ff155c686

    Download Submit

  • C:\Windows\{A3A608D5-9563-4208-B468-95BC7117C215}.exe
    Filesize

    89KB

    MD5

    b48616b0c0cce27aa78b513fa485e8d7

    SHA1

    ca1502c2209f7f1b9d987d43c812b34146668dd6

    SHA256

    da7682ae2788f724729eff11d5f91adef1dd72609b1dd48a24f63515bdda5823

    SHA512

    67ceed7e78b84085d40e740835a5876c92acc5a5cb6daab453e2dd5168d7df30b51c7205e7d792bc2b2d8af2b4f684249fc966a7001664b9ffb58708e66d98af

    Download Submit

  • C:\Windows\{ACB4A053-C99A-406c-AC17-4B47FD531F92}.exe
    Filesize

    89KB

    MD5

    ad1324a00bb0cfa8f5a290b09eb7e780

    SHA1

    939dd3425d4ab854ec9e2a76d5235a5f7ea41916

    SHA256

    b073c64ba064176964aebecfd66bdce34060a95310b175064e924cd21737edc0

    SHA512

    97da8b06349679f420eece437537f9c3b1c47aff0bb293e67f6d7485f79eda7255466f59956616942bc2f159f54975f766079820ef2d79256a0fb2b7530ced45

    Download Submit

  • C:\Windows\{D4ABC83C-7E5D-4bdf-AA97-2A2EE44CD94B}.exe
    Filesize

    89KB

    MD5

    599817ebadfb1251186e3656d7b09de4

    SHA1

    f8b7bce0c414ebf1eca0209cf1f27d09849bb644

    SHA256

    06dd1892c6e300cdd56d11d1f08eebb8dac9fffbcac22c03e14d164de177684d

    SHA512

    3889511c5eb6f01602318000f8b6d226c8343124d5898812cd9ebbf055afc9e414aed00a60ad4516f109fe2e4dfc5727839fee6f0001c04d89cb89b174db427c

    Download Submit

  • C:\Windows\{DFCF438D-FA9C-4534-A48E-157924540CF6}.exe
    Filesize

    89KB

    MD5

    64c7879555c9165481a7555cb83c449d

    SHA1

    eeb69009264d9ff875be2dc29505f75b918af6ef

    SHA256

    88b345b8cb715eed979d5b74e1149cfa751b6de4f34ceae9cedef7993dd14c70

    SHA512

    b8296ea31b3efdfc73d34a4ed247440259a429102249c1340fe4a0ae20f95f0fea2e74233fd1cfda441c86bf1383fa2f54896bee12921617379e26c49c1a2051

    Download Submit

  • C:\Windows\{E25C0222-E5A2-4357-A7D9-63D7CC25A92E}.exe
    Filesize

    89KB

    MD5

    eb244e756993df9747f402ab6451150e

    SHA1

    f1f8f031e21b15e22192a07d263b256b19ccbc2c

    SHA256

    87fe5e980020159545ff41b94fc2cb07f959be285c7bad7a46a0a377a763b372

    SHA512

    be1c246472db04ed95e74c2342c45fe2658ccd6cbd72dafd91e963bfceb161e621e944c7112232bb7daffa0667a4c4ab532b978246483db6b94f32e05e5e7265

    Download Submit

  • C:\Windows\{F8FD6552-21D8-4a0a-A2AF-1BD545C28344}.exe
    Filesize

    89KB

    MD5

    f041e678144c1e172d2107e1ed1a0ca9

    SHA1

    56be2110d60842754b4df5a475d5a0dfafb4a62c

    SHA256

    475dcb09e0093c48f8db938e34b09fcdd45b3ff37d40f31f47e1a821a8697493

    SHA512

    9c58d37f7a4fc9357a7356bd5a911dab92c0cb89bdf2e77fd3662677a6a533c5c1c808fd1f6cc4fb5f123d92aa963d6887711621a6fd2d1541723f269b69f5b6

    Download Submit

  • memory/264-50-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/264-43-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/264-51-0x0000000000370000-0x0000000000381000-memory.dmp

    Filesize

    68KB

    Download

  • memory/264-62-0x0000000000370000-0x0000000000381000-memory.dmp

    Filesize

    68KB

    Download

  • memory/624-61-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/624-53-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/632-96-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/632-89-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1160-70-0x00000000002E0000-0x00000000002F1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1160-69-0x00000000002E0000-0x00000000002F1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1160-72-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1316-8-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1316-0-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1316-3-0x00000000003E0000-0x00000000003F1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1604-79-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1856-87-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2616-41-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2844-26-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2844-18-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2852-34-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2908-16-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2908-9-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download