Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

e2677e02cd...df.exe

windows7-x64

8

e2677e02cd...df.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/08/2024, 03:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e2677e02cd73646fbd848d18898f16313e210e5bf6a7f5121627a38ce7419cdf.exe

  • Size

    89KB

  • MD5

    928dab96bb48ea2bde1269a007dac3f8

  • SHA1

    f8ca2ff882b5f5e43622114fdad124d769569e0b

  • SHA256

    e2677e02cd73646fbd848d18898f16313e210e5bf6a7f5121627a38ce7419cdf

  • SHA512

    17ad43a5b39e916ee1d80377ec3f03639e5aa9d20e9298d40460522af7fe381d1d4dc770b83a244bdfe4a7915ab5cd6f394fe31d99df15633c1ca72d2286b95e

  • SSDEEP

    768:5vw9816thKQLro44/wQkNrfrunMxVFA3k:lEG/0o4lbunMxVS3k

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e2677e02cd73646fbd848d18898f16313e210e5bf6a7f5121627a38ce7419cdf.exe
    "C:\Users\Admin\AppData\Local\Temp\e2677e02cd73646fbd848d18898f16313e210e5bf6a7f5121627a38ce7419cdf.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3268
    • C:\Windows\{8F1C36C1-D5DC-4dc3-B996-FDAF427A6EA0}.exe
      C:\Windows\{8F1C36C1-D5DC-4dc3-B996-FDAF427A6EA0}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4908
      • C:\Windows\{4EE89ABF-502C-480f-8C6D-AB9560A43A46}.exe
        C:\Windows\{4EE89ABF-502C-480f-8C6D-AB9560A43A46}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1600
        • C:\Windows\{0D9AEBE2-3BB3-45bd-9F6A-3F0A3CAA0555}.exe
          C:\Windows\{0D9AEBE2-3BB3-45bd-9F6A-3F0A3CAA0555}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:960
          • C:\Windows\{5A01B47C-15F1-4640-97F0-9596F1F43D28}.exe
            C:\Windows\{5A01B47C-15F1-4640-97F0-9596F1F43D28}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4020
            • C:\Windows\{28BD73B5-23C7-4792-BEFE-2A60DECA3618}.exe
              C:\Windows\{28BD73B5-23C7-4792-BEFE-2A60DECA3618}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:464
              • C:\Windows\{1AD3002C-9C27-4943-93B7-8647F7797324}.exe
                C:\Windows\{1AD3002C-9C27-4943-93B7-8647F7797324}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4864
                • C:\Windows\{687B01FC-A924-4045-85B1-13ED889C3B7F}.exe
                  C:\Windows\{687B01FC-A924-4045-85B1-13ED889C3B7F}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2392
                  • C:\Windows\{8C0652B0-2D2A-49d2-8286-F624FA629D9A}.exe
                    C:\Windows\{8C0652B0-2D2A-49d2-8286-F624FA629D9A}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:5084
                    • C:\Windows\{869C0485-0133-4d90-B0FB-B330B7E9A9B7}.exe
                      C:\Windows\{869C0485-0133-4d90-B0FB-B330B7E9A9B7}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1960
                      • C:\Windows\{16CE0F8F-69A1-4ddf-BEF3-FEE774E7CA75}.exe
                        C:\Windows\{16CE0F8F-69A1-4ddf-BEF3-FEE774E7CA75}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1324
                        • C:\Windows\{5AE3FF5F-C842-4581-A4CA-495B408B2640}.exe
                          C:\Windows\{5AE3FF5F-C842-4581-A4CA-495B408B2640}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2508
                          • C:\Windows\{ABCE1242-4783-4795-8FAC-B3908C4F6188}.exe
                            C:\Windows\{ABCE1242-4783-4795-8FAC-B3908C4F6188}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:3324
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{5AE3F~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:2768
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{16CE0~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:4412
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{869C0~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:264
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{8C065~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1732
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{687B0~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1936
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{1AD30~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3300
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{28BD7~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3112
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{5A01B~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4076
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{0D9AE~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:5056
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{4EE89~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3504
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F1C3~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3284
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\E2677E~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:264

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\{0D9AEBE2-3BB3-45bd-9F6A-3F0A3CAA0555}.exe
    Filesize

    89KB

    MD5

    c0a1c4871192ce0d497ba098a7be9404

    SHA1

    b19ef6fa797531177dc86af3661a87cefcc66b2e

    SHA256

    17fd2c39cbeb59f796672ad947427e2b7b05d4eee79dac3c3594077f2f956123

    SHA512

    6b0ff26d728ea207313fdb8fce34ff7cb23ad9e44d69591bc8a83c2adc5441b67d2a64cd59ca712e2438733ccb4e548e3fb2dc5bae697a8ea427948d00400539

    Download Submit

  • C:\Windows\{16CE0F8F-69A1-4ddf-BEF3-FEE774E7CA75}.exe
    Filesize

    89KB

    MD5

    b1b43ca8c5aa537d5e2990291d664331

    SHA1

    426be0095e0854aee0a9afa8f0725bc7d2d90d9e

    SHA256

    30064cb01c4709bacfc7b41ef0b0c38d84d13ad7c1005b7f2245f87ba4ddc847

    SHA512

    b7eef280ace89ac15fcfc8789707d7f9375dfcfb750963a73e2a85f0a9b6904c09ac755ecaf6a33c890a7c1e7f9aed899f819e87d2648f0be814d11c99b971d9

    Download Submit

  • C:\Windows\{1AD3002C-9C27-4943-93B7-8647F7797324}.exe
    Filesize

    89KB

    MD5

    dc1e9fe476e977aeb42e192b0b2c3536

    SHA1

    5b4d606d78afd4ba58a8a02e6bb16c77c6b17b5d

    SHA256

    a18da8368caf4a0164719745b0fbd0aa90dc13fdb5d76a8ec1bc31f285e6b091

    SHA512

    da5520e1eb39322d340a8e5257b636b03b148c14f5c612f9b24855e78f4b910916bb6e2956edc064ee04bde22e69c5b1eec26da0bd9078484643115147607137

    Download Submit

  • C:\Windows\{28BD73B5-23C7-4792-BEFE-2A60DECA3618}.exe
    Filesize

    89KB

    MD5

    7f20346fb0c64cc5986af4343eeb3708

    SHA1

    df0a4530c1a705638c3c415cd2ca396e2f75c0da

    SHA256

    1951996577e43eed37a77987c8b5fd21d03be8a9dcb4f18eace9f61ff93230c6

    SHA512

    21725d2427a90746a29140650beb0a83090ab662862a16034968133f36589ce850b1f7ce576a5d6d9f1d5fef2f59343015746849cae667315341a5a593435124

    Download Submit

  • C:\Windows\{4EE89ABF-502C-480f-8C6D-AB9560A43A46}.exe
    Filesize

    89KB

    MD5

    5b0cfd3d941617e8170ee42345eeadc6

    SHA1

    973ef38a918e0b2f2bb227b413701877519f18ed

    SHA256

    ac58519e44c7cbdc52b8ea30d1650a4e3b86d87ee371db24c7930336398dcc3b

    SHA512

    2b80004d8d293b6d18b1f306f66dea480c4b493c93225febb2589a6483b1346e999c1101db98eb8619bbe7986bb59fc1c5479dd927dc163cea26bcd8ee9025dd

    Download Submit

  • C:\Windows\{5A01B47C-15F1-4640-97F0-9596F1F43D28}.exe
    Filesize

    89KB

    MD5

    057d1626e316a1ce6755b1f776650a72

    SHA1

    6b4e1edc3789f329f79aa39318665dc1b2f43ce6

    SHA256

    7707ff0153ccfbdc3e8cb3990e852e76a56e8dad9266ccec53b59685c109dfe4

    SHA512

    d2ef5dfe6b9926fea9cda49a2568fd5910f02965b179141f25ad20587e991d89098250890050af3edd47bad43ae53c63c680346474c185c01d6111a8b54286c6

    Download Submit

  • C:\Windows\{5AE3FF5F-C842-4581-A4CA-495B408B2640}.exe
    Filesize

    89KB

    MD5

    0c1b010fe5d8a7af5c75aa9ed69dd2dd

    SHA1

    719f035a25c9b9b9852088cae32b5e39077d223e

    SHA256

    0948f0b0c66e4e6d8ee7f63e21296ce8c60a9eb6a085cd105d45f71f765089ee

    SHA512

    9d1bd3d00adcd7a8b1b6353c33685dd1bc6487da120f781c0ee57affabee8569eeeb45ded16b18399f7647e7e35870da82907090461d5c0d9f800e2553be3c96

    Download Submit

  • C:\Windows\{687B01FC-A924-4045-85B1-13ED889C3B7F}.exe
    Filesize

    89KB

    MD5

    06faf12555046d947856e2972098c794

    SHA1

    65755c91b289e841e805a895f2a398d31db1d269

    SHA256

    d58e5126e375b4d68b28ae513356f1d03330ca4ed1a94aede1cab2f4ffecacb0

    SHA512

    81554aff22edccfa14ba58cbdfafc468b717be1a04bd97b5427bdde63db24c66e500a828f6aa836e063cc920b4a75ba7c45e1566c0eda4517747637977a2ea25

    Download Submit

  • C:\Windows\{869C0485-0133-4d90-B0FB-B330B7E9A9B7}.exe
    Filesize

    89KB

    MD5

    c0e615c0e324b01eb87d71ba8fc6608d

    SHA1

    dfb4c01090e2e7ffc98eba8bb98543fe9920444c

    SHA256

    99c3a9ef69682502965579e8044a6c7f7353586dde310ce5f9c895295f70a560

    SHA512

    d099654825def8278c36cf1ff7009316301ec3d8787d6704356d3466f7ddfffe87313c41461a970a6fdaa9800ba313092e4f805f2d03685fc3a9d747863e7db2

    Download Submit

  • C:\Windows\{8C0652B0-2D2A-49d2-8286-F624FA629D9A}.exe
    Filesize

    89KB

    MD5

    9b2eabff67647e00b1ab4016b6822869

    SHA1

    c62a83316353dcf39c00e534c626f9d99a2c2f8e

    SHA256

    198e4ebc430703e5c344687c8e97810fcf836fc5cbe371087d8fca98f5e2432b

    SHA512

    5f75eda092a1a4ef6a712a7778c7bf751ba4b447930ae0c5b1b545d708486979da9e30b969cd98c57f2d9748e30448274c34987e76fbde8fcdbf4b57f0c5014a

    Download Submit

  • C:\Windows\{8F1C36C1-D5DC-4dc3-B996-FDAF427A6EA0}.exe
    Filesize

    89KB

    MD5

    7857d69c9289546c026eb909291b721b

    SHA1

    491e5f96ce8f35818412e8228d19eeb1d80c22e5

    SHA256

    a988b27c39b974d1d1757e015dac0e6584f9064a373860d098b4060d2f6a36a2

    SHA512

    962e3349d688621ffbfa1a31e3d6b2fb1ba760c51b055cd6cd7561c611da250a5bc0a1a4a4a07cd7b073c8a6c3f91bf13a7b6feba318a373fc72606ce9d26084

    Download Submit

  • C:\Windows\{ABCE1242-4783-4795-8FAC-B3908C4F6188}.exe
    Filesize

    89KB

    MD5

    80d7c501fe6fbff133b2ffacf0a28a76

    SHA1

    be7b70f9fcc37612ba21d53601f7cdb351bc25ba

    SHA256

    bfb151237e609c56c455c840060da4bb34f642769e0039d994caf11cf973528e

    SHA512

    86f140f90b38fd478e9de432418b34c0215a3e15183a586d137a54a379b091f37fd46948824eaa96d456db67ee723350aa9544a04b2a3c9e9c74142dd658051c

    Download Submit

  • memory/464-30-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/464-34-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/960-18-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/960-21-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1324-59-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1324-64-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1600-16-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1600-12-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1960-54-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1960-57-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2392-42-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2392-46-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2508-66-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2508-69-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3268-0-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3268-6-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3324-71-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4020-28-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4020-23-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4864-40-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4864-36-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4908-10-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4908-4-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/5084-53-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/5084-48-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download