Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/09/2024, 20:40

General

  • Target

    b1c183d301c33f72866ef9071d8b2340N.exe

  • Size

    90KB

  • MD5

    b1c183d301c33f72866ef9071d8b2340

  • SHA1

    f6921d3e4f6a05c25ae3e30a2b91f58e2cfe423d

  • SHA256

    1a9e3347bc52c529aa5d24dc71da2afacc46f8940a0ee4ee5ab0a1414c5736c0

  • SHA512

    f63f6e6ca960060be7f097b0521a3245a858d6b65c0617946d85efb284a5605a3853f0418c63151609e78446b0e9a558c377bfc6c27e9acf32548b83323708e7

  • SSDEEP

    768:Qvw9816vhKQLrot4/wQRNrfrunMxVFA3b7glw6:YEGh0otl2unMxVS3Hgl

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
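The Active Setup signature fires because each dropped stage registers a subkey under Installed Components. Windows runs a component's StubPath once per user, at logon, when the HKCU copy of that subkey is missing or carries an older Version than the HKLM copy and IsInstalled is not 0. The block below is an added example, not part of the tria.ge report or of the sample, that reproduces that decision and then flags entries whose StubPath points at a GUID-named EXE in C:\Windows or at a user-writable directory. The SAMPLE records are constructed (the report shows the signature hit, not the registry values); the version comparison rule and the default of IsInstalled=1 are assumptions; on a Windows host load_from_registry() reads the live keys through winreg.

```python
"""Decide which Active Setup components will run at the next logon and which
of those look like malware persistence. Added example, not from the tria.ge
report; SAMPLE is constructed. Only the 64-bit HKLM view is read; add the
Wow6432Node path for 32-bit components."""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

HKLM_PATH = r"SOFTWARE\Microsoft\Active Setup\Installed Components"
HKCU_PATH = r"Software\Microsoft\Active Setup\Installed Components"
GUID_EXE_IN_WINDIR = re.compile(r"^[a-z]:\\windows\\\{[0-9a-f-]{36}\}\.exe$", re.I)
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")


@dataclass
class Component:
    key: str                      # subkey name, normally a GUID
    stub_path: Optional[str]      # HKLM StubPath (None if absent)
    hklm_version: Optional[str]   # HKLM Version, e.g. "1,0,0,0"
    hkcu_version: Optional[str]   # HKCU Version; None = no HKCU subkey yet
    is_installed: int = 1         # HKLM IsInstalled; 0 disables the entry (assumed default 1)


def parse_version(v: Optional[str]) -> Tuple[int, ...]:
    """Assumption: "1,0,0,0" is compared as comma-separated integers, left to
    right; non-numeric parts count as 0 and a missing value as the empty tuple."""
    if not v:
        return ()
    return tuple(int(p) if p.strip().isdigit() else 0 for p in v.split(","))


def will_run(c: Component) -> bool:
    """True when the StubPath executes for a user whose HKCU copy is absent or older."""
    if not c.stub_path or c.is_installed == 0:
        return False
    if c.hkcu_version is None:
        return True
    return parse_version(c.hklm_version) > parse_version(c.hkcu_version)


def stub_image(stub_path: str) -> str:
    """Executable part of a StubPath, honouring a quoted path with spaces."""
    s = stub_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split()[0] if s else ""


def is_suspicious(stub_path: str) -> bool:
    img = stub_image(stub_path)
    return bool(GUID_EXE_IN_WINDIR.match(img)) or any(d in img.lower() for d in USER_WRITABLE)


def triage(components: List[Component]) -> List[Tuple[str, str]]:
    """(subkey, StubPath) of entries that will run and point somewhere odd."""
    return [(c.key, c.stub_path) for c in components
            if will_run(c) and is_suspicious(c.stub_path)]


def load_from_registry() -> List[Component]:
    """Live read on Windows via winreg; returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg

    def val(key, name):
        try:
            return winreg.QueryValueEx(key, name)[0]
        except OSError:
            return None
    out, i = [], 0
    root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, HKLM_PATH)
    while True:
        try:
            name = winreg.EnumKey(root, i)
        except OSError:
            return out
        i += 1
        with winreg.OpenKey(root, name) as k:
            stub, ver, inst = val(k, "StubPath"), val(k, "Version"), val(k, "IsInstalled")
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, HKCU_PATH + "\\" + name) as u:
                user_ver = val(u, "Version") or ""
        except OSError:
            user_ver = None   # no HKCU subkey: the stub has never run for this user
        out.append(Component(name, stub, ver, user_ver, 1 if inst is None else int(inst)))


SAMPLE = [  # constructed records modelled on the GUID-named droppers in this report
    Component("{2C7339CF-2B09-4501-B3F3-F3508C9228ED}",
              r"%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll",
              "1,0,0,0", "1,0,0,0"),
    Component("{14BDFF2F-13FA-49af-96B2-0F5C02B0A839}",
              r"C:\Windows\{14BDFF2F-13FA-49af-96B2-0F5C02B0A839}.exe", "1,0,0,0", None),
    Component("{6BEB6595-C334-4dd5-9578-AB612FC4B9A1}",
              r"C:\Users\Admin\AppData\Local\Temp\b1c183d301c33f72866ef9071d8b2340N.exe",
              "1,0,0,1", "1,0,0,0", is_installed=0),
    Component("{7D3A7EF1-166C-4978-B23E-B5B3E6B9EB48}",
              r"C:\Windows\{7D3A7EF1-166C-4978-B23E-B5B3E6B9EB48}.exe", "1,0,0,1", "1,0,0,0"),
]

if __name__ == "__main__":
    for key, stub in triage(load_from_registry() or SAMPLE):
        print(f"{key}: {stub}")
```

The version bump on the last sample record is the detail worth remembering: a component that already ran for every user re-executes as soon as HKLM Version is raised, so a clean HKCU mirror of the key is not proof that nothing will run at the next logon.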

Processes

  • C:\Users\Admin\AppData\Local\Temp\b1c183d301c33f72866ef9071d8b2340N.exe
    "C:\Users\Admin\AppData\Local\Temp\b1c183d301c33f72866ef9071d8b2340N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Windows\{14BDFF2F-13FA-49af-96B2-0F5C02B0A839}.exe
      C:\Windows\{14BDFF2F-13FA-49af-96B2-0F5C02B0A839}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2840
      • C:\Windows\{6BEB6595-C334-4dd5-9578-AB612FC4B9A1}.exe
        C:\Windows\{6BEB6595-C334-4dd5-9578-AB612FC4B9A1}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2820
        • C:\Windows\{C731FD91-8729-4572-BF75-20A78F7D1CAF}.exe
          C:\Windows\{C731FD91-8729-4572-BF75-20A78F7D1CAF}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2608
          • C:\Windows\{7D3A7EF1-166C-4978-B23E-B5B3E6B9EB48}.exe
            C:\Windows\{7D3A7EF1-166C-4978-B23E-B5B3E6B9EB48}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1848
            • C:\Windows\{C716E33F-1F8F-4eb0-B9A6-4D40960607B0}.exe
              C:\Windows\{C716E33F-1F8F-4eb0-B9A6-4D40960607B0}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1676
              • C:\Windows\{6FE30807-7A40-471c-93BF-A7A512EA04E7}.exe
                C:\Windows\{6FE30807-7A40-471c-93BF-A7A512EA04E7}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1908
                • C:\Windows\{6DFD18C6-5C7F-4747-8CD0-5D8759272F98}.exe
                  C:\Windows\{6DFD18C6-5C7F-4747-8CD0-5D8759272F98}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2232
                  • C:\Windows\{AD4E0D63-2AC5-4b4f-B308-E36A14BBFAAA}.exe
                    C:\Windows\{AD4E0D63-2AC5-4b4f-B308-E36A14BBFAAA}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2108
                    • C:\Windows\{77681DDC-7932-411d-98D3-1261685CDE30}.exe
                      C:\Windows\{77681DDC-7932-411d-98D3-1261685CDE30}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:596
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{AD4E0~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2184
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{6DFD1~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2400
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{6FE30~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2848
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{C716E~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2856
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{7D3A7~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2540
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{C731F~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2268
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{6BEB6~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2032
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14BDF~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1720
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B1C183~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2696
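The tree above is a fixed pattern: each GUID-named stage in C:\Windows starts the next stage, then spawns cmd.exe /c del of its own 8.3 short name (for example {AD4E0~1.EXE for {AD4E0D63-2AC5-4b4f-B308-E36A14BBFAAA}.exe) so the stage file is gone once its child is running, and the original sample in Temp does the same for itself. The block below is an added example, not part of the tria.ge report, that scores process-creation events for that pattern: a GUID-named image in the Windows root, and a cmd.exe child whose del target resolves to its parent's image, with the 8.3 alias expanded. The event records are constructed to mirror the PIDs, images and command lines in the tree; the short-name matching assumes no 8.3 collisions (which would give ~2, ~3 and so on) and no characters that 8.3 generation strips.

```python
"""Score process-creation events for the drop-run-delete chain in the tree
above. Added example; not part of the tria.ge report. SAMPLE_EVENTS are
constructed with the fields a Sysmon Event ID 1 export carries
(pid, ppid, image, cmdline)."""
import ntpath
import re
from typing import Dict, List, Tuple

GUID_EXE_IN_WINDIR = re.compile(
    r"^[a-z]:\\windows\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)
DEL_CMD = re.compile(r'cmd(?:\.exe)?"?\s+/c\s+del\s+(?P<target>"[^"]+"|\S+)', re.I)
SHORT_ALIAS = re.compile(r"^(.{1,6})~\d+$")   # 8.3 stem: up to six chars, then ~N


def same_file(target: str, long_path: str) -> bool:
    """True if `target` names `long_path`, literally or through its 8.3 alias.
    Assumption: the alias is the first six characters of the long name,
    upper-cased, plus ~N and the extension (no collisions, nothing stripped)."""
    target = target.strip('"')
    if ntpath.dirname(target).lower() != ntpath.dirname(long_path).lower():
        return False
    t_stem, t_ext = ntpath.splitext(ntpath.basename(target))
    l_stem, l_ext = ntpath.splitext(ntpath.basename(long_path))
    if t_ext.lower() != l_ext.lower():
        return False
    if t_stem.lower() == l_stem.lower():
        return True
    m = SHORT_ALIAS.match(t_stem)
    return bool(m) and m.group(1).upper() == l_stem[:6].upper()


def detect(events: List[Dict]) -> List[Tuple[int, str]]:
    """(pid, rule) for every event matching one of the two chain rules."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if GUID_EXE_IN_WINDIR.match(e["image"]):
            hits.append((e["pid"], "guid_exe_in_windir"))
        m = DEL_CMD.search(e["cmdline"])
        if m and parent and same_file(m.group("target"), parent["image"]):
            hits.append((e["pid"], "parent_self_delete"))
    return hits


def chain_length(events: List[Dict], pid: int) -> int:
    """Consecutive GUID-named stages ending at `pid`, itself included."""
    by_pid = {e["pid"]: e for e in events}
    n = 0
    while pid in by_pid and GUID_EXE_IN_WINDIR.match(by_pid[pid]["image"]):
        n += 1
        pid = by_pid[pid]["ppid"]
    return n


W = r"C:\Windows"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\b1c183d301c33f72866ef9071d8b2340N.exe"
SAMPLE_EVENTS = [  # constructed from the tree above; ppid 1000 stands in for the launcher
    {"pid": 2236, "ppid": 1000, "image": TEMP_EXE, "cmdline": '"' + TEMP_EXE + '"'},
    {"pid": 2840, "ppid": 2236, "image": W + r"\{14BDFF2F-13FA-49af-96B2-0F5C02B0A839}.exe",
     "cmdline": W + r"\{14BDFF2F-13FA-49af-96B2-0F5C02B0A839}.exe"},
    {"pid": 2820, "ppid": 2840, "image": W + r"\{6BEB6595-C334-4dd5-9578-AB612FC4B9A1}.exe",
     "cmdline": W + r"\{6BEB6595-C334-4dd5-9578-AB612FC4B9A1}.exe"},
    {"pid": 1720, "ppid": 2840, "image": CMD,
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Windows\{14BDF~1.EXE > nul"},
    {"pid": 2696, "ppid": 2236, "image": CMD,
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B1C183~1.EXE > nul"},
    {"pid": 4000, "ppid": 1000, "image": CMD,   # benign: deletes a log, not its parent
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\setup.log"},
]

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(pid, rule, "chain depth", chain_length(SAMPLE_EVENTS, pid))
```

The parent_self_delete rule is the more durable of the two: the GUID file names and the Active Setup keys are easy for the author to change, but a child cmd.exe deleting the image of the process that spawned it is the behaviour the chain depends on, and it shows up in every stage of this tree.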

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\{14BDFF2F-13FA-49af-96B2-0F5C02B0A839}.exe

    Filesize

    90KB

    MD5

    be7da9ad2ca98f86e2e6f533b3981610

    SHA1

    c4c518357855c5e83508566626ddb3d440e667a2

    SHA256

    245c54a9adfaa4aa0ed8610263d3e4cb950c5b6d138395ede5883ceb4a82c52f

    SHA512

    b1a06c16a342e7a99133813ef478a538e5da17c45f0462a9f23ff74f1ac52fae695c33d3bf055ec3ab69517288d84311e4b4b5cf49b4b137fc0c81e716aea7cd

  • C:\Windows\{6BEB6595-C334-4dd5-9578-AB612FC4B9A1}.exe

    Filesize

    90KB

    MD5

    21771ba53e895f14d5365c91a204806c

    SHA1

    c04f4dcceb2989a1c4d509f066a8a8202033c449

    SHA256

    da03a5d1b63d47701965b67e21e7a5b58df90fa3d3cdbda641aa8a80a52c71b1

    SHA512

    ec30492b9f3d9ae92c92125a356e7a370dd5c49bbc2f2ac82c1c113d292a257562de8d5b202c412aad6785f57a008ee7d84b2908ac09dcbd0647dd67fabcb5d5

  • C:\Windows\{6DFD18C6-5C7F-4747-8CD0-5D8759272F98}.exe

    Filesize

    90KB

    MD5

    580db30d31dd55201147bcea067a0691

    SHA1

    516c673d624e5c5025af560576f7002a790a84f3

    SHA256

    748c414bb444cbd758fc02f1bf34a2a470107af610deb1a2f0aba25d6895ad33

    SHA512

    131f724248f4c2119c085cc0acb855a05615e2b3d7be35d172915d232612e20bad12eb4119ed2a23f4841338047f6035bb931280a6f29e65f5414c7dcd0dafe6

  • C:\Windows\{6FE30807-7A40-471c-93BF-A7A512EA04E7}.exe

    Filesize

    90KB

    MD5

    c1a5aa5da7e14bf03671871a82b3dabc

    SHA1

    18915e031a0d2d1bdd832eb236a0f403c81db537

    SHA256

    ffa30ab35d96e6d17d3ea17ced8c0c3fbd27701fcf9b798cec7d57b499a2755a

    SHA512

    8622a93cd50bd55eb16bc6a58dc64e2faab72cc868554cb9aefec7237ff2b1b4972ed81daf1f576a6c116b04e2aa5afc80aae675b2880c543328eb45430ce4ae

  • C:\Windows\{77681DDC-7932-411d-98D3-1261685CDE30}.exe

    Filesize

    90KB

    MD5

    df01dffaa4ef44077eb33695fd561776

    SHA1

    095cd516513f21792c09a96efa142f56839fe9ad

    SHA256

    79d4edc703dbfd571883b616f2b58117ecdb548cff6baa8719eb907c27123d73

    SHA512

    754517c5b3417bb41edf9f917f6482cdceb4a09b86ee14cfd71d61907bcf9aedb90767cd9e1d830788f544ab2e462d53d335d16490fb81b7ad481ff11cd01f9d

  • C:\Windows\{7D3A7EF1-166C-4978-B23E-B5B3E6B9EB48}.exe

    Filesize

    90KB

    MD5

    d16477f52708c385d831dbbe22cf37b6

    SHA1

    e6c645970133ef85d17bb8da65dc2ce67b8d99a5

    SHA256

    3f412bdadf9f5bb5551bbdbc080c77574834d482692dbef56bf34ff5ae1115ae

    SHA512

    a4684663811d98b6be42d1156a6f722ef55fd0e27ffcb6f87729b107455f251fdc0d819aa055af1aa17db3e38a612af98f71dc305b629a1f2a8f3dfef0dd3eb3

  • C:\Windows\{AD4E0D63-2AC5-4b4f-B308-E36A14BBFAAA}.exe

    Filesize

    90KB

    MD5

    a74d9ce5f74d034da02fc45539981b62

    SHA1

    355e62bddc6d44502c4be0915942c3e48b9f3098

    SHA256

    7fcc2fb5e4ea138218e3ec9dd04fca8801e9116c00c1fecf88e370c4aab30eb4

    SHA512

    12b51fff5e2369bbf6116b4e7822016d9873c01bedc083e466915e9ff9ce606f07189f94167f42f4ba238a61e473a4fd1d49509a51c93f14ed3bbfcb9e04dcab

  • C:\Windows\{C716E33F-1F8F-4eb0-B9A6-4D40960607B0}.exe

    Filesize

    90KB

    MD5

    8bff0b6517d41a0b30852b4bfb3a80bb

    SHA1

    f82423bcfbcbc92f7114d7e13cd069c2d4df2c71

    SHA256

    23783d5780799e1c0575651ccdc5320f99e0f0059e3bb8ac011049f68f79730e

    SHA512

    7e7c166dbff05e6f92727dfedcd9ebf5a4dd534fe1d7c2b7be50e616661cc1777281f01474f4c4ad2491d657d42c96561e246e58a5cd09742e7db988f9cbb2f8

  • C:\Windows\{C731FD91-8729-4572-BF75-20A78F7D1CAF}.exe

    Filesize

    90KB

    MD5

    d9aaaf2b5fa583261afbc4cea2e56790

    SHA1

    d4cc6da0fc3759ee1df071db6f6dfb4788fe7579

    SHA256

    165acc1be4bb59d32d16a2a6d81895532779af91d88ef27d678f96d74d7d2c81

    SHA512

    3e7a3d55f89907eda45305e74aa612cf5e2cbf038c2a18122b754fd0c67d35a1226d26d8bc1b6c1efcba94f48006558f7865eb2e154d97c726bdd280d716a9d0