Analysis

  • max time kernel
    118s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/09/2024, 09:56

General

  • Target

    72a9fe6afe0c0e2d6fa95bbfb9e5c150N.exe

  • Size

    90KB

  • MD5

    72a9fe6afe0c0e2d6fa95bbfb9e5c150

  • SHA1

    5bd497e0eb8d382484ae2ca33f01778bcbff2620

  • SHA256

    68840a87e639955e250fb993bde51a88b2319afcc84f3aa25cbfb22bf8f9a700

  • SHA512

    fa79bc670dc9db05c25904d1d8f72686668c171edac65356eb512b7992e251a37c388b2d7c2a23bf6b5a397afadb90b0c7c266e287c55cf914da7a00c73a432e

  • SSDEEP

    768:Qvw9816vhKQLro/4/wQRNrfrunMxVFA3b7glw6:YEGh0o/l2unMxVS3Hgl

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 18 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (9 IoCs)
  • Drops file in Windows directory (9 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 19 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (9 IoCs)
  • Suspicious use of WriteProcessMemory (54 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\72a9fe6afe0c0e2d6fa95bbfb9e5c150N.exe
    "C:\Users\Admin\AppData\Local\Temp\72a9fe6afe0c0e2d6fa95bbfb9e5c150N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1632
    • C:\Windows\{477EC86A-B95A-4b81-B263-87C58D3562BE}.exe
      C:\Windows\{477EC86A-B95A-4b81-B263-87C58D3562BE}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3032
      • C:\Windows\{D21CC69F-5C30-48b0-BD6E-E239E7547840}.exe
        C:\Windows\{D21CC69F-5C30-48b0-BD6E-E239E7547840}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:992
        • C:\Windows\{70778BD2-4621-4b1c-92E5-D51EA84106A7}.exe
          C:\Windows\{70778BD2-4621-4b1c-92E5-D51EA84106A7}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4932
          • C:\Windows\{25B61D98-0542-4688-85C5-1AFBED8A0E76}.exe
            C:\Windows\{25B61D98-0542-4688-85C5-1AFBED8A0E76}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1564
            • C:\Windows\{796A994C-81B6-4743-971B-4D919F718F52}.exe
              C:\Windows\{796A994C-81B6-4743-971B-4D919F718F52}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2616
              • C:\Windows\{12BF12DA-4529-48b9-904B-0FD30EC86CD9}.exe
                C:\Windows\{12BF12DA-4529-48b9-904B-0FD30EC86CD9}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2580
                • C:\Windows\{4AF43264-5526-4612-B0D7-230C94BD92E2}.exe
                  C:\Windows\{4AF43264-5526-4612-B0D7-230C94BD92E2}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4668
                  • C:\Windows\{A7E79622-2155-46dc-9449-D7B0DC713369}.exe
                    C:\Windows\{A7E79622-2155-46dc-9449-D7B0DC713369}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3756
                    • C:\Windows\{D9E88644-842F-4ffe-96AE-7A95BECE65E3}.exe
                      C:\Windows\{D9E88644-842F-4ffe-96AE-7A95BECE65E3}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:3528
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{A7E79~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2696
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{4AF43~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2096
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{12BF1~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3964
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{796A9~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1948
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{25B61~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3540
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{70778~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4340
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{D21CC~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2544
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{477EC~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3180
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\72A9FE~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4548

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{12BF12DA-4529-48b9-904B-0FD30EC86CD9}.exe

    Filesize

    90KB

    MD5

    461935fef9e7c45617388ecdb0aaa35f

    SHA1

    eb0a7d3d4d867985027e1f144959c9b6e3e614b7

    SHA256

    e8b4419f27ae7290e02e031c04c4c13d921ee6f52a7f953eb2ce37b9fc383152

    SHA512

    824803ce3b8a1f5555e38f5e4d2538305e88a8e22a33dd5eea632e6d8366c816715fb4fc613b9835258bbe3796a55873f581f936449dcf991e1ef3b529f75a2b

  • C:\Windows\{25B61D98-0542-4688-85C5-1AFBED8A0E76}.exe

    Filesize

    90KB

    MD5

    70575a628f23e8012dea7b2be765d139

    SHA1

    ad4a620604c57b71f397d4f0fe5e8f34efc779f6

    SHA256

    313e9e890c054b8e2464541a3bca96b8e3ce105cf554e34d4756cd881f42b18e

    SHA512

    86ab472262635ca0ac2abd2b18e02e8dbd8077d2f5e9147b30388d1fa5410edccf92c8cb160f4844abdd4ce2c8743dfc723f78125e464b3b67d4254e320bceef

  • C:\Windows\{477EC86A-B95A-4b81-B263-87C58D3562BE}.exe

    Filesize

    90KB

    MD5

    0e168461fc18a373d742b163fdfd69ed

    SHA1

    920eddedf2ed44e8d78a80f4fe896c2431b1c30e

    SHA256

    78507aec14c17c3e561fec2adaa036861e1939d0e2248f0d08808d2b7dfb49a6

    SHA512

    706a18f4a3f33f03d4397e064fa33075cb965ed68e7605ce31a1c8fcf5f0a80ef989e1e534b8b33fef9efb44e724055ef98810d74cff8853b6b15536e251efd2

  • C:\Windows\{4AF43264-5526-4612-B0D7-230C94BD92E2}.exe

    Filesize

    90KB

    MD5

    21603c8cbe0586fba94942cdfd0dbcdc

    SHA1

    cd3459f1dc11cb5154118d1b5f035a302d9da2de

    SHA256

    bc2388d9bde933760b13edeaffc51ee79657f964f3706affd777892490859c97

    SHA512

    c6b6c59b3900f7d7bd6e68f7305cbf5686f0589da4a29306c4998d9556fd4ea83e4319b886e1edce51587871521c3f4a62617fd52ebf7a422c7f38fcab4c75c7

  • C:\Windows\{70778BD2-4621-4b1c-92E5-D51EA84106A7}.exe

    Filesize

    90KB

    MD5

    082732b6e8f0bd0d07b03aa5e1b58b61

    SHA1

    b7a57efc1e2c7e1b3e2a42d20b232fc9ef8dcb97

    SHA256

    d7a012e9881c85f4ef7f941d6f3ab31057b9bdd1c4974dfd0db2a8e236cbd5cd

    SHA512

    fe3ba88f500ef01a5a10838092d79119f971fb72a658c55d2f2ec143e599ece39b0958eac10fcc7798777ccc1566709f2610e0dd8e61fa6d40a24ff25b73dd8b

  • C:\Windows\{796A994C-81B6-4743-971B-4D919F718F52}.exe

    Filesize

    90KB

    MD5

    f2be8e118a25b070b3b742e1d40aa4e5

    SHA1

    5650229737c8d547a9683846797c5730d5bb66d9

    SHA256

    69044b72755827a0043a866127d414682dd10ad3c78850e237ac771af996198b

    SHA512

    b7e44b69b9c9fac2f32cca660f504deaafe83e9dab305e158819db6c29c23087365ba68866fec73fa75324c35475322e4c37b1c30ce3e7217b667aad5d980a3d

  • C:\Windows\{A7E79622-2155-46dc-9449-D7B0DC713369}.exe

    Filesize

    90KB

    MD5

    4ff33719b462dc7694fc5769daae4f2a

    SHA1

    84df3f20ddec6b8a8abf120dd4923c85d91e159a

    SHA256

    03d4fa4677bd4c9bceaea22a7981f7c66236066216e3bc6900d7fba51e5cd5e8

    SHA512

    acb54ae6066a2e4159ce0c8e00cbdee9230d4fca7d6a2031bb5d1937ceb9f71b7ba5016715a64fd6259cb0e2e0e76fa7d44fc97d79585c757379012b9b4a4abe

  • C:\Windows\{D21CC69F-5C30-48b0-BD6E-E239E7547840}.exe

    Filesize

    90KB

    MD5

    ea153d9f2c0430645bbb70107d452759

    SHA1

    eff80a2a9bbaf786ecc5741fb0ec416220504c14

    SHA256

    af6b6bd0030a5e6e154f6cb9323382ed1685689697e8d366291ce3da931c041d

    SHA512

    606f9e497d68f246dc0648dc43650405af59156b9e11fb49ae7250d3341dd602de657e73297601b2cb065582f1054d326b07f4f6e55fe7f9efd30982a785ff32

  • C:\Windows\{D9E88644-842F-4ffe-96AE-7A95BECE65E3}.exe

    Filesize

    90KB

    MD5

    9e2029db1021ecccc822cfaf8e11946a

    SHA1

    c8796e2f6aa39afa3d06a833387cbaaedfd0d7b1

    SHA256

    0e8bb0078651851381863fb69680d993115a75fb8791ced546c62b848238763f

    SHA512

    50e292b232f216131324e1fec3edb17fe7810118c0b6a62ff93b5a5c3098e2ddd071fb1c0e71db9c443201ae696ccc213d520c35b2f96baab56092059fc62564