Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

20b2db18fb...0N.exe

windows7-x64

8

20b2db18fb...0N.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    118s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/09/2024, 18:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    20b2db18fb06fba12487960d61359070N.exe

  • Size

    91KB

  • MD5

    20b2db18fb06fba12487960d61359070

  • SHA1

    e26f2a49f6975c727554a4be8256b86f0d6df859

  • SHA256

    895e73ada2bbd57e122c9dffad787a84fddce5e4a132253f22c9c27cff3a96d4

  • SHA512

    860be0f7c2f0c902721fc231234cadf17118ce2b04a5fce4aa9dab6f067cafea83e2f7d6b47e0592eac15f16d952c38347e89e7abb5fea73aa253b21c94107e6

  • SSDEEP

    768:5vw9816uhKiro74/wQNNrfrunMxVFA3b7t:lEGkmo7lCunMxVS3Ht

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\20b2db18fb06fba12487960d61359070N.exe
    "C:\Users\Admin\AppData\Local\Temp\20b2db18fb06fba12487960d61359070N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4592
    • C:\Windows\{4A2CF42C-E7B2-4722-82A8-E9538A11C2C6}.exe
      C:\Windows\{4A2CF42C-E7B2-4722-82A8-E9538A11C2C6}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2076
      • C:\Windows\{92667651-AF1F-4451-AFE2-85CA057F7425}.exe
        C:\Windows\{92667651-AF1F-4451-AFE2-85CA057F7425}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4460
        • C:\Windows\{BEA8AB3D-C32D-408f-9682-67CBAA10B1FF}.exe
          C:\Windows\{BEA8AB3D-C32D-408f-9682-67CBAA10B1FF}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3792
          • C:\Windows\{8756BB71-E75F-40b4-BCF7-67A451259070}.exe
            C:\Windows\{8756BB71-E75F-40b4-BCF7-67A451259070}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3380
            • C:\Windows\{D6334427-2123-4092-A593-B02641DF71BB}.exe
              C:\Windows\{D6334427-2123-4092-A593-B02641DF71BB}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3040
              • C:\Windows\{EA6F00E9-3B13-4b9d-9D48-53D1FA9F9E1E}.exe
                C:\Windows\{EA6F00E9-3B13-4b9d-9D48-53D1FA9F9E1E}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2688
                • C:\Windows\{6029F528-1429-4443-A2BD-3EE5AE14B8B9}.exe
                  C:\Windows\{6029F528-1429-4443-A2BD-3EE5AE14B8B9}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:724
                  • C:\Windows\{DD07EEE7-C0D0-4b74-BF12-99B7524775C8}.exe
                    C:\Windows\{DD07EEE7-C0D0-4b74-BF12-99B7524775C8}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2484
                    • C:\Windows\{9E22B0C6-71EE-4810-89DA-90A39DD4C640}.exe
                      C:\Windows\{9E22B0C6-71EE-4810-89DA-90A39DD4C640}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:3708
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{DD07E~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:3536
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{6029F~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:5004
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{EA6F0~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4816
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{D6334~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1052
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{8756B~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1760
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{BEA8A~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1696
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{92667~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3108
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A2CF~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4992
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\20B2DB~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1932

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\{4A2CF42C-E7B2-4722-82A8-E9538A11C2C6}.exe
    Filesize

    91KB

    MD5

    fe1d62c7c708c92230e60004e6ad0065

    SHA1

    2c62fac4f87f94d14a5810470c1a36877472f3e6

    SHA256

    effaeb7460933bed08d39fafde01fcda73ea9e5e0f20c49967a729ceadeb3185

    SHA512

    9cd5dfaefd684d9760be3d2b1f52a5725f9c062970dd1b216e616266242576bb2a451be75d024bf4d81be76f1c99557eff232f834085084e54f231d69be07f51

    Download Submit

  • C:\Windows\{6029F528-1429-4443-A2BD-3EE5AE14B8B9}.exe
    Filesize

    91KB

    MD5

    555d3ab277b9996bafa61bdcea0ff7cd

    SHA1

    d26a7ed44405388f7d5aaa691f1fd584c0165048

    SHA256

    4e43dd5ccb1a12a619407efd066d329ec2988367ad3c867c7f49a26731da2a8d

    SHA512

    fb9ad48385dafea8887537e7bc9162a2db7bc4a1e53d8aa879345c623c4ef7883a0e187409e5eb3f3de1d5fbf190c1013b2c49b892a86407396c4087a2fb4da8

    Download Submit

  • C:\Windows\{8756BB71-E75F-40b4-BCF7-67A451259070}.exe
    Filesize

    91KB

    MD5

    ea0455caa31803dc33201b197fc32c96

    SHA1

    e72cff1aec3e3fd8e28a13e9b9fc62e01fa5219e

    SHA256

    9adc8141d9fbfde4dfaf6db8cbab8a49982e8901a671233699f7f144d9420793

    SHA512

    3a6f2b188a74577c0259c3b0cc7115d7f318130e43489255e6e7f3c82f061796ceba26075ef81ae96d84eb584e050464d0195b3798fb2123f9035196d1d3d6cb

    Download Submit

  • C:\Windows\{92667651-AF1F-4451-AFE2-85CA057F7425}.exe
    Filesize

    91KB

    MD5

    6f3777773a088381df54facb78824b2d

    SHA1

    ff97ff4b28376526cbb720ad612673b6b11f955d

    SHA256

    4efa082959a922630028188c12a1cc07672169d41b10410ddc7b7454ed4dcad7

    SHA512

    0a99bd6fd8b5ac40581778341bcbeaea00dc7c7de78bd7e84dc7aa769d5053799c400b1a34309dae4247f59857bea39f99a5774f02bd26632ac2064deb5cfd8c

    Download Submit

  • C:\Windows\{9E22B0C6-71EE-4810-89DA-90A39DD4C640}.exe
    Filesize

    91KB

    MD5

    aba648f5e8dd0f5c9eb9fbafe2065913

    SHA1

    26e3ae5a409460b81e8be883e1e6f41a7e1e78d5

    SHA256

    f5b70745b656224e35f648dd41b4db0abf421638b9b419ea5a33f1bae9466b9b

    SHA512

    76dcf016de669d4ccd593b965d945e6291ab0bcc7570969d6de2032d57e55cb2e8e81b3181181567c4a9e731e1859070114f74b6f9104cc5987191bf5a1fbf8d

    Download Submit

  • C:\Windows\{BEA8AB3D-C32D-408f-9682-67CBAA10B1FF}.exe
    Filesize

    91KB

    MD5

    7a62a3ab08a846babcf3b1c712432f69

    SHA1

    1e82f5b34cb0749c013b8c6361103a0ae721c914

    SHA256

    be91c6cd4ba903d8e6f8ad6e8e95a59fba10dd89fa1919ea95017b97af9e2a05

    SHA512

    fe596748696e2bff4e716cb457b251b2c0e071ec6131e1a28091e9239138d229c59a6d7ff364769ff8c3ac393046acca3c2227bc3495c32dbe164bde51f08999

    Download Submit

  • C:\Windows\{D6334427-2123-4092-A593-B02641DF71BB}.exe
    Filesize

    91KB

    MD5

    78dd4fdf6c3a9e23717104966816a7f7

    SHA1

    c98b8bdaf6fa3521fd8d0f5696620a058991a5f0

    SHA256

    101006242738ea1bf606644f80179f847aa797ec63957a6e0b71cd97f9673aa9

    SHA512

    1537d1732c594b61cd32c401563261a80a8ce289fc18a4e6c2fa1a4970e569d3576479869e83b9d47e312071244312b6fbbf97364fa19d7e9b35675df8250276

    Download Submit

  • C:\Windows\{DD07EEE7-C0D0-4b74-BF12-99B7524775C8}.exe
    Filesize

    91KB

    MD5

    30590b5308ed44a9067c91ef9ee94b21

    SHA1

    2bb5adffd1ec8dd74c2d22f63b1284a17a7dc56d

    SHA256

    be25d1e6437dc58a366870efae22361bda94233506e0e1ebf2e0d90aee634779

    SHA512

    deaee36b45187d796bf315190bf5164c9e9fe675047b3e0a10eed635f5a23c15193223e9a8e728a5e668a002ca9197d3478b3281b5af145b12c1c13b1c0a6d3a

    Download Submit

  • C:\Windows\{EA6F00E9-3B13-4b9d-9D48-53D1FA9F9E1E}.exe
    Filesize

    91KB

    MD5

    fceb62833dd5887073932ba7b6269e4f

    SHA1

    a82dcb25e0322806e9ab511d14b3c696b234955c

    SHA256

    e9ab2ea2a426ac28423dbfcda52c98a5572d1cffee1a7710cb73322196d161d5

    SHA512

    019a6ce602dfb9b5d6c2b8dbabbe31fb952eea56dddab2087b5a579773a1397bd75ae35d4d3649aed4fccf724f20b2bf338d957028e9cdd63fb08f11868ce41f

    Download Submit

  • memory/724-43-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/724-47-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2076-12-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2076-8-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2076-5-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2484-49-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2484-54-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2688-42-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2688-37-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3040-32-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3040-35-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3380-25-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3380-31-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3708-56-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3792-24-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3792-19-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4460-17-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4460-13-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4592-0-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4592-7-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4592-1-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download