Analysis

  • max time kernel
    118s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/08/2024, 23:25

General

  • Target

    d0dfc6b7211aafbc085a81fa9aa42870N.exe

  • Size

    197KB

  • MD5

    d0dfc6b7211aafbc085a81fa9aa42870

  • SHA1

    970e6847a49945081ab60d508d9ac35835f88f52

  • SHA256

    4d6c85079e15457656ffbfa8574d0996774dba41ad71fb7edfd6321205ec2ab0

  • SHA512

    16f33a21ea47c8c64c31926d8cec60b39ddd8b0db0af99dab27bb504512969a55d3eb0f07b8960e4ede09225a102cbf1e653c85385945d7ae57d75a4d1a85152

  • SSDEEP

    3072:jEGh0oVl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGblEeKcAEca

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 18 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (9 IoCs)
  • Drops file in Windows directory (9 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 19 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (9 IoCs)
  • Suspicious use of WriteProcessMemory (54 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\d0dfc6b7211aafbc085a81fa9aa42870N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0dfc6b7211aafbc085a81fa9aa42870N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4484
    • C:\Windows\{EAD5F48A-D5F2-441d-A029-2454C5CE5488}.exe
      C:\Windows\{EAD5F48A-D5F2-441d-A029-2454C5CE5488}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1460
      • C:\Windows\{3349231E-0D7A-4e5d-967C-4E61C2C1CF66}.exe
        C:\Windows\{3349231E-0D7A-4e5d-967C-4E61C2C1CF66}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3444
        • C:\Windows\{5F3A37D3-5825-42b1-AD54-2F2990831D9A}.exe
          C:\Windows\{5F3A37D3-5825-42b1-AD54-2F2990831D9A}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4224
          • C:\Windows\{E1864D24-923A-4b93-8FA7-C025023C9A78}.exe
            C:\Windows\{E1864D24-923A-4b93-8FA7-C025023C9A78}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4324
            • C:\Windows\{23A69BA8-0D3F-4ed3-8EED-851CA42B6E9C}.exe
              C:\Windows\{23A69BA8-0D3F-4ed3-8EED-851CA42B6E9C}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2332
              • C:\Windows\{B79D0078-734A-4300-ADA4-4B461681396D}.exe
                C:\Windows\{B79D0078-734A-4300-ADA4-4B461681396D}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4712
                • C:\Windows\{D600A1CA-CCAE-485c-99BE-0EB36611E2F6}.exe
                  C:\Windows\{D600A1CA-CCAE-485c-99BE-0EB36611E2F6}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:5080
                  • C:\Windows\{8E6051FA-43B0-4701-845D-F93FDF88DAEF}.exe
                    C:\Windows\{8E6051FA-43B0-4701-845D-F93FDF88DAEF}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4904
                    • C:\Windows\{7605EC01-4D3A-4ec6-8B09-8DB9B5DF455C}.exe
                      C:\Windows\{7605EC01-4D3A-4ec6-8B09-8DB9B5DF455C}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:1436
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{8E605~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4336
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{D600A~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:4448
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{B79D0~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4568
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{23A69~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1440
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{E1864~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3456
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{5F3A3~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2848
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{33492~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3556
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EAD5F~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1064
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D0DFC6~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3828

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{23A69BA8-0D3F-4ed3-8EED-851CA42B6E9C}.exe

    Filesize

    197KB

    MD5

    46fc053dda7fd8e89dfa67b90b18b91b

    SHA1

    b5063c33f603755bda8cf79e00a783f0a981107b

    SHA256

    58cbf8ef764672be9fa5c8d2baf94f26224a26deba6e6c4273b82e5a90eff08e

    SHA512

    2a4627cd7f04dabb2af118efd6d9151c3c06bccd3d93cf87eeb69d995fd6cb71eefd4a2640d50e4324844c15fcf821c164a3bc0194eb02691b29e192ffe2382e

  • C:\Windows\{3349231E-0D7A-4e5d-967C-4E61C2C1CF66}.exe

    Filesize

    197KB

    MD5

    47440e1a49d1486a250d3468bd3f00db

    SHA1

    ea5ab9d98cf032b854b7ee9e29256d3c07fdcff6

    SHA256

    849d7c70aba8c9f72028283ee52fcbf572e342044fb1d349bd8efa66334d1f9a

    SHA512

    78cb3932a4e0191573ab12c0192ac92831ed431d617fad8236293830f03eccfa04e2be76859755343bde2ae0cd577f144ec6c1435b298d9d3de0f0da3380d939

  • C:\Windows\{5F3A37D3-5825-42b1-AD54-2F2990831D9A}.exe

    Filesize

    197KB

    MD5

    57ae22cb7420d522eadaec17d0047acc

    SHA1

    fa70388a3b72057c449172c185b3bda8108fa0e8

    SHA256

    22d7586bfb000bfaee98aa7d1e1293abfb904c4ae041d32122e269878f705751

    SHA512

    3478475da4ca59f069e371b23464d6206d7797a4f0f065b0bda927dfb9938ee87bd794f618fe61a79fd192a8e3a57891c04f957d086ce4896ee02160ff1759fd

  • C:\Windows\{7605EC01-4D3A-4ec6-8B09-8DB9B5DF455C}.exe

    Filesize

    197KB

    MD5

    d4cb6a154bab1ce00804fc6efeb028f4

    SHA1

    f8b22ce6127d60637e3321e9400414b98373a87a

    SHA256

    ad254c74a779a836062d23722980daba128175a4b4382038b82bd004cb730cab

    SHA512

    d9a0b94db0eea39cfd7078d299dbbec69dcb6c0f03306771c8945a86573f172fe43da2805172992fd320780f77874298bf77334d3d1c9a585fa9ef222d6131d4

  • C:\Windows\{8E6051FA-43B0-4701-845D-F93FDF88DAEF}.exe

    Filesize

    197KB

    MD5

    b7299c218028e4823d1512594426dfa3

    SHA1

    4715450ed7ca023847ee54f25371fd58425931ca

    SHA256

    624dfab4f1430f170951c5a23d7b424546186805f8255d821f6a7019af9991d4

    SHA512

    3aef9663d400000897e3afb097d5feb89393722622fc8013af04c3c02d37bfc83a93dba9442978aec363a1e7197b7454b51ec83118e017d006b3e99913bf967a

  • C:\Windows\{B79D0078-734A-4300-ADA4-4B461681396D}.exe

    Filesize

    197KB

    MD5

    d11ba6ed272075e4d6cc0d07546c1115

    SHA1

    a9a684224173e6e7d3e3f41605f485ee72cd9a1f

    SHA256

    ea6a93e902396a5d2ac061ee7d95510e1569c0e685eefa01d2b154e441688856

    SHA512

    3d2e9c6bb47e25a662a7eb8eac48d4ee1dfb74ade0cc79f05f785508b836ee30a3dc49ae24309a78cf77cfa898cfdbc8b7f25ee64568356625a0d970e74330e4

  • C:\Windows\{D600A1CA-CCAE-485c-99BE-0EB36611E2F6}.exe

    Filesize

    197KB

    MD5

    595d6165526fbf37710624650910a71b

    SHA1

    104a4f9d26a48a24f605fbf40e3c56036c3d9089

    SHA256

    35a85b1400c69cba0ff21fbcfecc07453d4a8f671a4b7f6f922fbb854369aea1

    SHA512

    02883d5c5a397d33d936adff82992c179551ea0763d1c53285eca728f9df6b3f2b99daee0a7959d809f5adceeb6ec9997aa3299c4d3edfce5f444dc50d3d4d2b

  • C:\Windows\{E1864D24-923A-4b93-8FA7-C025023C9A78}.exe

    Filesize

    197KB

    MD5

    faf97f14dd0a9abdf0da89e9798131cf

    SHA1

    00a35dd06a24b67ade696c2f0e55045b72ac281e

    SHA256

    856bab00b3485143a74697a78e25962a2f64d90c9131cb9cfb6b90926f4b6354

    SHA512

    5a1cb5f2d342fccb9e90b0a2fb45e8e8eab42a0a52b323d732a1d04408e9573a3e360aef4c42c7f8f43dac896c79f78632521466cec235019c55ca9f465f5a39

  • C:\Windows\{EAD5F48A-D5F2-441d-A029-2454C5CE5488}.exe

    Filesize

    197KB

    MD5

    a398413cf3db58d924a07824553f48b0

    SHA1

    af14f7c96aeff684244d464535b07adc7a972736

    SHA256

    bda6e43b3afc87adf2eb415a5ff5867ca76395c2d94ef2e06ee9bdbf15a17eb6

    SHA512

    1d73c60cd11be04facc2fcd4a0e0bb97b025b6ef79bb375f816a0be4381ebf83b44526bcf207001ad519e5909080ab945fec61e0ad531602dcf385cff1250daa