Analysis

  • max time kernel
    118s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    28/08/2024, 22:22

General

  • Target

    934e5fbc2d110b89156d066a6a9ea450N.exe

  • Size

    60KB

  • MD5

    934e5fbc2d110b89156d066a6a9ea450

  • SHA1

    f42f42ba628edd491d8321d4a27b2ed9a58e4d53

  • SHA256

    b838db5d109117028a9c3ec8de1ad4f1f2dcf41524d71c400caee99100247ef7

  • SHA512

    9e9356075192399935c7f1045d30af45781a5c1f7726ad941d3df2a8e35ac8c5c09bc8a8e5165f4e9a016c4a9f9cd0df42b8e8f3514e0d483f71d19167c332f7

  • SSDEEP

    384:vbLwOs8AHsc4sMfwhKQLrom4/CFsrdHWMZ:vvw9816vhKQLrom4/wQpWMZ

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\934e5fbc2d110b89156d066a6a9ea450N.exe
    "C:\Users\Admin\AppData\Local\Temp\934e5fbc2d110b89156d066a6a9ea450N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5056
    • C:\Windows\{3FFB03F8-9F1C-403d-B256-E6B9BE312A1C}.exe
      C:\Windows\{3FFB03F8-9F1C-403d-B256-E6B9BE312A1C}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3588
      • C:\Windows\{B8A8C703-7715-46e2-8425-8100114518D4}.exe
        C:\Windows\{B8A8C703-7715-46e2-8425-8100114518D4}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3368
        • C:\Windows\{14CB816D-03CB-4e96-9AD2-79C471FCF593}.exe
          C:\Windows\{14CB816D-03CB-4e96-9AD2-79C471FCF593}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2016
          • C:\Windows\{FDB88637-F35E-4160-BB38-2646E51C788B}.exe
            C:\Windows\{FDB88637-F35E-4160-BB38-2646E51C788B}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1052
            • C:\Windows\{33DD9259-BCA8-48d2-A57B-31D1BDA167FF}.exe
              C:\Windows\{33DD9259-BCA8-48d2-A57B-31D1BDA167FF}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2228
              • C:\Windows\{392FAC6E-242E-4590-B52D-A4A8FE2175F0}.exe
                C:\Windows\{392FAC6E-242E-4590-B52D-A4A8FE2175F0}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3520
                • C:\Windows\{29026B56-945A-4e2e-9E7E-A87F0C691667}.exe
                  C:\Windows\{29026B56-945A-4e2e-9E7E-A87F0C691667}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3176
                  • C:\Windows\{9688A85B-F01A-41cf-8AB8-CA2CEE66E663}.exe
                    C:\Windows\{9688A85B-F01A-41cf-8AB8-CA2CEE66E663}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4328
                    • C:\Windows\{3DE1EBC7-0910-48df-80FF-FBA476C36A99}.exe
                      C:\Windows\{3DE1EBC7-0910-48df-80FF-FBA476C36A99}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:4708
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{9688A~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1180
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{29026~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:5116
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{392FA~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:5024
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{33DD9~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:212
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{FDB88~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4256
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{14CB8~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4692
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{B8A8C~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4812
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3FFB0~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2496
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\934E5F~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2704
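
The tree above has a fixed shape: every stage is a 60KB executable dropped as C:\Windows\{GUID}.exe, it launches the next stage, and it spawns cmd.exe /c del against its own parent's 8.3 short name ({9688A~1.EXE for {9688A85B-...}.exe), so that by the end only the last stage is left on disk. The signature list also flags an Active Setup entry (HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID}\StubPath, which runonce.exe executes at the next interactive logon). The block below is an added example, not tria.ge's code or anything from the sample, of detection logic for both behaviours run over Sysmon-style records. The process records are constructed from the PIDs and command lines in this report; the root's parent PID is not in the report and is set to 0; the single registry record is an assumption, since the report does not show which StubPath value was written.

```python
"""Added example (not tria.ge's code): detect the chained self-deleting dropper pattern and
Active Setup persistence from this report, over constructed Sysmon-style records."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

GUID = r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}"
# a GUID-named executable written straight into C:\Windows (every dropped stage above)
GUID_EXE_RE = re.compile(r"^C:\\Windows\\" + GUID + r"\.exe$", re.I)
# Active Setup stub entries: ...\Active Setup\Installed Components\{GUID}\StubPath
ACTIVE_SETUP_RE = re.compile(r"\\Active Setup\\Installed Components\\" + GUID + r"\\StubPath$", re.I)
# the "cmd.exe /c del <path> > nul" idiom each stage uses to remove its parent
DEL_RE = re.compile(r"\bcmd\.exe\s+/c\s+del\s+(\S+)", re.I)


@dataclass
class ProcEvent:  # trimmed shape of a Sysmon Event ID 1 (process create) record
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class RegEvent:  # trimmed shape of a Sysmon Event ID 13 (registry value set) record
    pid: int
    target: str
    details: str


def short_name_matches(short_path: str, long_path: str) -> bool:
    """Does an 8.3 path such as C:\\Windows\\{9688A~1.EXE refer to long_path?
    Windows builds the short stem from the first six characters of the long name plus ~N,
    so the check is: same directory, same extension, and the long name starts with the
    short stem. Paths without a tilde are compared case-insensitively as a whole."""
    s_dir, _, s_name = short_path.rpartition("\\")
    l_dir, _, l_name = long_path.rpartition("\\")
    if s_dir.lower() != l_dir.lower():
        return False
    stem, tilde, tail = s_name.partition("~")
    if not tilde:
        return s_name.lower() == l_name.lower()
    same_ext = tail.lower().rpartition(".")[2] == l_name.lower().rpartition(".")[2]
    return same_ext and l_name.lower().startswith(stem.lower())


def analyse(events: List[Union[ProcEvent, RegEvent]]) -> Dict[str, object]:
    procs = {e.pid: e for e in events if isinstance(e, ProcEvent)}
    dropped = [e for e in procs.values() if GUID_EXE_RE.match(e.image)]

    # self-deletion: a cmd.exe child whose "del" target is its own parent's image
    self_deletes: List[Tuple[int, str]] = []
    for e in procs.values():
        m = DEL_RE.search(e.cmdline)
        parent = procs.get(e.ppid)
        if m and parent and short_name_matches(m.group(1), parent.image):
            self_deletes.append((e.pid, parent.image))

    # chain depth: walk ppid links upward while each ancestor is itself a dropped stage
    def stages_above(e: ProcEvent) -> int:
        n = 0
        while e is not None and GUID_EXE_RE.match(e.image):
            n, e = n + 1, procs.get(e.ppid)
        return n
    chain_depth = max((stages_above(e) for e in dropped), default=0)

    persistence = [(e.pid, e.details) for e in events
                   if isinstance(e, RegEvent) and ACTIVE_SETUP_RE.search(e.target)]
    return {"dropped_stages": len(dropped), "chain_depth": chain_depth,
            "self_deletes": self_deletes, "active_setup": persistence}


# --- constructed sample, taken from the process tree in this report -------------------
W = "C:\\Windows\\"
SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\934e5fbc2d110b89156d066a6a9ea450N.exe"
STAGES = [  # (pid, ppid, GUID) in launch order
    (3588, 5056, "{3FFB03F8-9F1C-403d-B256-E6B9BE312A1C}"), (3368, 3588, "{B8A8C703-7715-46e2-8425-8100114518D4}"),
    (2016, 3368, "{14CB816D-03CB-4e96-9AD2-79C471FCF593}"), (1052, 2016, "{FDB88637-F35E-4160-BB38-2646E51C788B}"),
    (2228, 1052, "{33DD9259-BCA8-48d2-A57B-31D1BDA167FF}"), (3520, 2228, "{392FAC6E-242E-4590-B52D-A4A8FE2175F0}"),
    (3176, 3520, "{29026B56-945A-4e2e-9E7E-A87F0C691667}"), (4328, 3176, "{9688A85B-F01A-41cf-8AB8-CA2CEE66E663}"),
    (4708, 4328, "{3DE1EBC7-0910-48df-80FF-FBA476C36A99}"),
]
DELS = [  # (pid, ppid, 8.3 path passed to "del"); each cmd.exe is a child of the stage it deletes
    (1180, 4328, W + "{9688A~1.EXE"), (5116, 3176, W + "{29026~1.EXE"), (5024, 3520, W + "{392FA~1.EXE"),
    (212, 2228, W + "{33DD9~1.EXE"), (4256, 1052, W + "{FDB88~1.EXE"), (4692, 2016, W + "{14CB8~1.EXE"),
    (4812, 3368, W + "{B8A8C~1.EXE"), (2496, 3588, W + "{3FFB0~1.EXE"),
    (2704, 5056, "C:\\Users\\Admin\\AppData\\Local\\Temp\\934E5F~1.EXE"),
]
EVENTS: List[Union[ProcEvent, RegEvent]] = [ProcEvent(5056, 0, SAMPLE, f'"{SAMPLE}"')]  # root ppid unknown: 0
EVENTS += [ProcEvent(pid, ppid, W + g + ".exe", W + g + ".exe") for pid, ppid, g in STAGES]
EVENTS += [ProcEvent(pid, ppid, "C:\\Windows\\SysWOW64\\cmd.exe",
                     f"C:\\Windows\\system32\\cmd.exe /c del {target} > nul") for pid, ppid, target in DELS]
# ASSUMED, not shown in the report: an Active Setup StubPath pointing at the first dropped stage
EVENTS.append(RegEvent(5056, "HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\"
                       "{3FFB03F8-9F1C-403d-B256-E6B9BE312A1C}\\StubPath",
                       W + "{3FFB03F8-9F1C-403d-B256-E6B9BE312A1C}.exe"))

if __name__ == "__main__":
    print(analyse(EVENTS))
```

On the report's tree this yields 9 dropped stages, a chain depth of 9 (matching the "Executes dropped EXE 9 IoCs" count) and 9 self-deletions, the last of them the original sample removing itself from the Temp directory. The 8.3 matching is the part worth keeping: a naive string comparison between the del argument and the parent's image path never fires, because the sample deletes by short name. Only the common ~1 suffix is handled; a host that already holds another file with the same six-character prefix would get ~2, which this helper still matches on prefix and extension but a stricter implementation should resolve through the volume.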

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{14CB816D-03CB-4e96-9AD2-79C471FCF593}.exe

    Filesize

    60KB

    MD5

    746da6aed2a8a6d8a87062447909e3d7

    SHA1

    9e136f12cc822e68479db2091680a49e4883fc83

    SHA256

    00d5cbbc3a11d18e5fc3998b62fd0e763abe33f749e718eb8c43693d0eebaa37

    SHA512

    8f6c28173492c8777f5acbbed04daf882b6ddf8ab9843601fd1418980e67776e75f37967ac9f0f4a49fa75c246f0c25e2c9dec9a591ddd0be0c3ef04c626a0c3

  • C:\Windows\{29026B56-945A-4e2e-9E7E-A87F0C691667}.exe

    Filesize

    60KB

    MD5

    9c4789949749c7b9c15784c7c4f48d7b

    SHA1

    375a381353129934ba476da4afd796fc60fa42c3

    SHA256

    4f131fc6ee6532c508d385d1e549298cb33efa7cb1dd1f088076c536f93a927e

    SHA512

    d26fc08f434b341ae331d7a4fd60c39efadf8bc0e36623bd0ee3f5caa1e96bc84c7d3a3d305010672e2ecb7130000f3b0f58a3eb755aa2ac8934046f6a77a07e

  • C:\Windows\{33DD9259-BCA8-48d2-A57B-31D1BDA167FF}.exe

    Filesize

    60KB

    MD5

    ce001b56bb8da5b3e9b933ca73b7c77a

    SHA1

    e8451d0e185d5db019637f70270b857811427e33

    SHA256

    751ab2e4dcf6c94c987c835287af02c2dfa46b3a91429f3ec0ec7e94abbe6111

    SHA512

    629bfbcab888222ec69975b39d4a3682dbe1a18c374dbc8fd421de5bf9714ed34f698d407126cdbb13e1ac8eadd1d347e6eff3cfa11a7fad7af6163a81a5f446

  • C:\Windows\{392FAC6E-242E-4590-B52D-A4A8FE2175F0}.exe

    Filesize

    60KB

    MD5

    86c3d23483a9edc4573cb22e59214973

    SHA1

    71b43b6c3e4aab0c1335b255bd488ebf52187a39

    SHA256

    206ca6a208d6c00d0d0f347feb2ec5a64ec86fcb5e84e831a8c74ca85ac0b42c

    SHA512

    e6805787c5b32de1636ee46188e1c7a45efed8869beda26a1014fffe1a73a87a350df1be2545398aa26b9b6ae699cdc22d3a96a8911557f5a5746c9179e506c2

  • C:\Windows\{3DE1EBC7-0910-48df-80FF-FBA476C36A99}.exe

    Filesize

    60KB

    MD5

    8ee8da4889879514f71a1ffad156c818

    SHA1

    a2ee36f488215d6c81d642bc135968cfdda8221a

    SHA256

    f1ead37053dcd82a54cae60959af578591d7a3c31f9cc6c121d6b485a4f8569c

    SHA512

    4f849e8a0aa7d0ead320bc6bd5ad3ebe2460cb3de902a4f980f78ced612659224e2976af809b049db38d23a459afa92595e7280247cdeb3a6b838c98fda91f60

  • C:\Windows\{3FFB03F8-9F1C-403d-B256-E6B9BE312A1C}.exe

    Filesize

    60KB

    MD5

    6e7111fb7544b5672fdb673a21aa4d56

    SHA1

    ff7a936260ff089eb07e8db23b71c0e71c6bf023

    SHA256

    959ba2508495b8350fe324c3d2442bf02d6b625a1f89ee4e15fc463e625ea3c2

    SHA512

    02164c13518f2be3ce3973f5c1dd36a8631ea4415c91dab467e0cd47dba6a4537afcb0ca41002811967f9950eceacb5b0f7839021140020a2d06007d006b1881

  • C:\Windows\{9688A85B-F01A-41cf-8AB8-CA2CEE66E663}.exe

    Filesize

    60KB

    MD5

    592c99054395b9f04929d0b066a90c54

    SHA1

    ce918a722315e8d475e1cd85c43aa6acc83a945d

    SHA256

    159ade70168ce466c2211de1ab6cee91b918bdc3d625f936184868d988e0b61f

    SHA512

    3742f8637656c44dda6cee7e0bba9209436f0cd7682eb7f97d925fd175c8dded385b176644190a71be6e0a5d24a787ec60d8b08081070ee4b01a32ef27f5a819

  • C:\Windows\{B8A8C703-7715-46e2-8425-8100114518D4}.exe

    Filesize

    60KB

    MD5

    5925bb71e918a18ff810be037356b836

    SHA1

    a1deda862d69bf63a254ae5bce480687628a2a90

    SHA256

    4d713ecbb2225b08d01819d4b6245574a998b7e54941a786850ca26997d5e593

    SHA512

    091077303c223e83388e0350a88b5175c81ee7eeff1640108fa2184952f4725145f438b71fcd44522a237b3a8b5280500f2964a644e7a818a9f11c30eac4068b

  • C:\Windows\{FDB88637-F35E-4160-BB38-2646E51C788B}.exe

    Filesize

    60KB

    MD5

    d561d3dbcf226e9be8a1fc1adcb826dd

    SHA1

    12784e2ddb0769cf278057027607633efe4b453b

    SHA256

    934da96e16c3f331e0dd8a2f834d01f055a2382fcba7a36d475df623d49d4b82

    SHA512

    2691497b622eff1a37b002faaff3837e4b74e0be40ee8e5bfd71dd3f61359eea1aa4dc6f4c8beb1d2dcf893fb4f8a78df48d01a2834be3f9bde9af35b12e42ec