Analysis

  • max time kernel
    118s
  • max time network
    105s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/09/2024, 20:40

General

  • Target

    b1c183d301c33f72866ef9071d8b2340N.exe

  • Size

    90KB

  • MD5

    b1c183d301c33f72866ef9071d8b2340

  • SHA1

    f6921d3e4f6a05c25ae3e30a2b91f58e2cfe423d

  • SHA256

    1a9e3347bc52c529aa5d24dc71da2afacc46f8940a0ee4ee5ab0a1414c5736c0

  • SHA512

    f63f6e6ca960060be7f097b0521a3245a858d6b65c0617946d85efb284a5605a3853f0418c63151609e78446b0e9a558c377bfc6c27e9acf32548b83323708e7

  • SSDEEP

    768:Qvw9816vhKQLrot4/wQRNrfrunMxVFA3b7glw6:YEGh0otl2unMxVS3Hgl

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
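
Active Setup, the first signature above, works through subkeys of HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID}: at logon Windows runs each subkey's StubPath once per user (tracking which users have already run it under HKCU), so a dropped {GUID}.exe in C:\Windows plus one of these keys survives reboot. The following is an added example, not part of this report or of tria.ge: it parses `reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /s` output and flags entries whose stub launches from outside the usual system directories or is a GUID-named executable like the files this sample drops. The registry text is constructed for the example; the first entry is modelled on a typical built-in component, and the second assumes the key is named after a dropped file, which the report does not state (it gives IoC counts, not key names or StubPath data).

```python
import re
from dataclasses import dataclass

# Constructed `reg query ... /s` output (not taken from the report). The second key's name
# and StubPath are an assumption about what this sample's Active Setup entry would look like.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
    StubPath    REG_EXPAND_SZ    %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall C:\Windows\system32\themeui.dll
    IsInstalled    REG_DWORD    0x1
    Version    REG_SZ    1,0,0,0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9F6DC59C-152D-450c-A148-147B9696FBFF}
    StubPath    REG_EXPAND_SZ    C:\Windows\{9F6DC59C-152D-450c-A148-147B9696FBFF}.exe
    IsInstalled    REG_DWORD    0x1
"""

KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Active Setup\\Installed Components\\(\{[0-9A-Fa-f-]+\})\s*$")
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s*(.*)$")
GUID_BASENAME = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)

# Directories a legitimate StubPath normally launches from. Heuristic allow-list (assumption);
# extend it for your estate rather than treating it as authoritative.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class ActiveSetupEntry:
    guid: str
    stub_path: str = ""
    is_installed: str = ""


def parse_reg_query(text):
    """Turn `reg query` text into one ActiveSetupEntry per Installed Components subkey."""
    entries, cur = [], None
    for line in text.splitlines():
        km = KEY_RE.match(line)
        if km:
            cur = ActiveSetupEntry(km.group(1))
            entries.append(cur)
            continue
        vm = VALUE_RE.match(line)
        if cur and vm:
            name, _type, data = vm.groups()
            if name.lower() == "stubpath":
                cur.stub_path = data.strip()
            elif name.lower() == "isinstalled":
                cur.is_installed = data.strip()
    return entries


def stub_image(stub_path):
    """Executable at the head of a StubPath command line, lower-cased, with %SystemRoot%/%windir% expanded."""
    s = stub_path.strip()
    if not s:
        return ""
    head = s[1:s.index('"', 1)] if s.startswith('"') else s.split(" ", 1)[0]
    return head.lower().replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")


def assess(entry):
    """Reasons an entry deserves a second look; an empty list means nothing notable."""
    image = stub_image(entry.stub_path)
    reasons = []
    if not image:
        return reasons  # a subkey with no StubPath runs nothing at logon
    if not image.startswith(TRUSTED_DIRS):
        reasons.append("stub launches from outside System32/SysWOW64/Program Files")
    if GUID_BASENAME.match(image.rsplit("\\", 1)[-1]):
        reasons.append("GUID-named executable, the naming this sample uses for its dropped files")
    return reasons


def hunt(text):
    """GUID -> reasons for every flagged Installed Components entry in the reg query output."""
    return {e.guid: r for e in parse_reg_query(text) if (r := assess(e))}


if __name__ == "__main__":
    for guid, reasons in hunt(SAMPLE_REG_QUERY).items():
        print(guid, "->", "; ".join(reasons))
```

On a live host the same text comes from `reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /s` (and the WOW6432Node copy on x64, which the key pattern also accepts); on a disk image, from the SOFTWARE hive. Absence of a matching HKCU\Software\Microsoft\Active Setup\Installed Components\{GUID} for a user means that user's next logon will run the stub.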

Processes

  • C:\Users\Admin\AppData\Local\Temp\b1c183d301c33f72866ef9071d8b2340N.exe
    "C:\Users\Admin\AppData\Local\Temp\b1c183d301c33f72866ef9071d8b2340N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4364
    • C:\Windows\{9F6DC59C-152D-450c-A148-147B9696FBFF}.exe
      C:\Windows\{9F6DC59C-152D-450c-A148-147B9696FBFF}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4100
      • C:\Windows\{1AB712D9-A0AD-4d36-B9F0-57DF0D647E4B}.exe
        C:\Windows\{1AB712D9-A0AD-4d36-B9F0-57DF0D647E4B}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1188
        • C:\Windows\{C0317FA2-AE02-465c-B4E0-BCC1C9A8D97C}.exe
          C:\Windows\{C0317FA2-AE02-465c-B4E0-BCC1C9A8D97C}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3260
          • C:\Windows\{10AEFB6E-B470-42ca-969F-858B7644C317}.exe
            C:\Windows\{10AEFB6E-B470-42ca-969F-858B7644C317}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1548
            • C:\Windows\{2FBBED4A-8CE2-4df9-9BB3-CC7802B44C49}.exe
              C:\Windows\{2FBBED4A-8CE2-4df9-9BB3-CC7802B44C49}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:884
              • C:\Windows\{65E64798-174A-40ae-812D-A30499B18ED9}.exe
                C:\Windows\{65E64798-174A-40ae-812D-A30499B18ED9}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3980
                • C:\Windows\{B5B71527-FC23-4f77-8E5F-38D82DB2722D}.exe
                  C:\Windows\{B5B71527-FC23-4f77-8E5F-38D82DB2722D}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4016
                  • C:\Windows\{3037D900-3140-43e7-8205-63AAE5E3AE96}.exe
                    C:\Windows\{3037D900-3140-43e7-8205-63AAE5E3AE96}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2664
                    • C:\Windows\{B03FB6C3-A26E-408c-8F26-ACF6AAFABCF0}.exe
                      C:\Windows\{B03FB6C3-A26E-408c-8F26-ACF6AAFABCF0}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:4896
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{3037D~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4184
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{B5B71~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2300
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{65E64~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1124
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{2FBBE~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4460
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{10AEF~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1840
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{C0317~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4124
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{1AB71~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4112
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F6DC~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:680
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B1C183~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4744
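
The tree above has a regular shape: each stage launches a copy under a fresh GUID name in C:\Windows, then spawns cmd.exe to delete its own image using the 8.3 short name ({3037D~1.EXE for {3037D900-...}.exe, B1C183~1.EXE for the original sample). Ten stages ran before the 118 s kernel timeout; the last one (PID 4896) had not yet spawned anything. The following added example, not part of this report or of tria.ge, rebuilds that tree as flat process records of the kind an EDR or sandbox export provides and detects the pattern: a relay chain of GUID-named executables under C:\Windows, and a child cmd.exe whose `del` target resolves to its parent's image. PPIDs are read off the nesting in the report; the 8.3 alias computation is an approximation that assumes the first alias (~1) and no characters illegal in short names.

```python
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the process tree in this report: the ten stages in launch order and the nine
# cmd.exe deletions. The sandbox shows nesting rather than PPIDs; PPIDs here are read off that nesting.
STAGES = [
    (4364, r"C:\Users\Admin\AppData\Local\Temp\b1c183d301c33f72866ef9071d8b2340N.exe"),
    (4100, r"C:\Windows\{9F6DC59C-152D-450c-A148-147B9696FBFF}.exe"),
    (1188, r"C:\Windows\{1AB712D9-A0AD-4d36-B9F0-57DF0D647E4B}.exe"),
    (3260, r"C:\Windows\{C0317FA2-AE02-465c-B4E0-BCC1C9A8D97C}.exe"),
    (1548, r"C:\Windows\{10AEFB6E-B470-42ca-969F-858B7644C317}.exe"),
    (884,  r"C:\Windows\{2FBBED4A-8CE2-4df9-9BB3-CC7802B44C49}.exe"),
    (3980, r"C:\Windows\{65E64798-174A-40ae-812D-A30499B18ED9}.exe"),
    (4016, r"C:\Windows\{B5B71527-FC23-4f77-8E5F-38D82DB2722D}.exe"),
    (2664, r"C:\Windows\{3037D900-3140-43e7-8205-63AAE5E3AE96}.exe"),
    (4896, r"C:\Windows\{B03FB6C3-A26E-408c-8F26-ACF6AAFABCF0}.exe"),
]
DELETES = [  # (cmd pid, parent pid, del target as written in the report)
    (4744, 4364, r"C:\Users\Admin\AppData\Local\Temp\B1C183~1.EXE"),
    (680,  4100, r"C:\Windows\{9F6DC~1.EXE"),
    (4112, 1188, r"C:\Windows\{1AB71~1.EXE"),
    (4124, 3260, r"C:\Windows\{C0317~1.EXE"),
    (1840, 1548, r"C:\Windows\{10AEF~1.EXE"),
    (4460, 884,  r"C:\Windows\{2FBBE~1.EXE"),
    (1124, 3980, r"C:\Windows\{65E64~1.EXE"),
    (2300, 4016, r"C:\Windows\{B5B71~1.EXE"),
    (4184, 2664, r"C:\Windows\{3037D~1.EXE"),
]


def build_procs():
    """Flatten the constructed tree into Proc records as an EDR or sandbox export would list them."""
    procs = []
    for i, (pid, image) in enumerate(STAGES):
        procs.append(Proc(pid, STAGES[i - 1][0] if i else 0, image, f'"{image}"'))
    for pid, ppid, target in DELETES:
        procs.append(Proc(pid, ppid, r"C:\Windows\SysWOW64\cmd.exe",
                          rf"C:\Windows\system32\cmd.exe /c del {target} > nul"))
    return procs


GUID_EXE = re.compile(r"\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)
DEL_RE = re.compile(r"cmd\.exe\s+/c\s+del\s+(\S+)", re.I)


def short_name(path):
    """Approximate the 8.3 alias Windows gives a long file name (assumption: the first alias, ~1,
    and no characters illegal in short names). Names already within 8.3 are just upper-cased."""
    name = path.rsplit("\\", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    if not dot:
        stem, ext = name, ""
    stem = stem.replace(" ", "").replace(".", "")
    if len(stem) > 8:
        stem = stem[:6] + "~1"
    return (stem + "." + ext[:3] if ext else stem).upper()


def find_self_deletes(procs):
    """(parent pid, cmd pid, target) for each cmd.exe whose `del` target is its own parent's image,
    matched by either the long name or the 8.3 alias this sample uses."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        m = DEL_RE.search(p.cmdline)
        parent = by_pid.get(p.ppid)
        if not m or parent is None:
            continue
        target = m.group(1).rsplit("\\", 1)[-1].upper()
        if target in (short_name(parent.image), parent.image.rsplit("\\", 1)[-1].upper()):
            hits.append((parent.pid, p.pid, m.group(1)))
    return hits


def relay_chain(procs, root_pid):
    """Images along the chain root -> GUID-named exe in C:\\Windows -> next GUID-named exe ..."""
    children = {}
    for p in procs:
        children.setdefault(p.ppid, []).append(p)
    by_pid = {p.pid: p for p in procs}
    chain, cur = [by_pid[root_pid].image], root_pid
    while nxt := [c for c in children.get(cur, []) if GUID_EXE.search(c.image)]:
        cur = nxt[0].pid
        chain.append(nxt[0].image)
    return chain


if __name__ == "__main__":
    procs = build_procs()
    print(f"{len(relay_chain(procs, 4364))} stages, {len(find_self_deletes(procs))} self-deletions")
```

Matching on the short name matters in practice: a rule that only compares the `del` argument to the long image path misses every deletion in this tree, because the sample never writes the long name on the command line. The same short-name mapping is what lets you pair each `Downloads` hash above with the cmd.exe that removed it.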

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{10AEFB6E-B470-42ca-969F-858B7644C317}.exe

    Filesize

    90KB

    MD5

    b2138e70adf8ae9905691d32e6e3cd2b

    SHA1

    97c640d97d8412f1924be1f9e50e2213a6b47e48

    SHA256

    acfe8d2c883d207bef6403514a9d9c89bc4108cf738859fdc1c1e8d9de4f97a9

    SHA512

    3824b6df88c4d273973ba5c792d1b336f9dc6b9de1c89632484bd67c7d8d77f303104459d52117de0fc7dcf82d8f1453ada17790cccec5bbf00d12bf5c3dcec7

  • C:\Windows\{1AB712D9-A0AD-4d36-B9F0-57DF0D647E4B}.exe

    Filesize

    90KB

    MD5

    1cd33e6a984438316621b4523d8a39d0

    SHA1

    dc6ce3f712bc742fb1020990006c92f5c2fc493b

    SHA256

    61d54072686455b31f42158829cf45b99cb9105ed9b6f62a5059c8abc5f1c9c2

    SHA512

    dd6011bbadf74a4f0276811236262be8b519dc44d2f4bd113b76a3fc184c88837329a2a89e537693819e7833ad3143893ac55623a94c1552186bb19cc282154c

  • C:\Windows\{2FBBED4A-8CE2-4df9-9BB3-CC7802B44C49}.exe

    Filesize

    90KB

    MD5

    d209aae39903551134d9a9cac1b1eea1

    SHA1

    1c7cab8e5c1ede82b157af9e527e71b20b98bda2

    SHA256

    90b730da68e6a36e8fe856bc9aa20c7320a71854b663e904e1a80dcf5b3f7c9f

    SHA512

    473a7b02ecbd97d38f63839a6316f5703a42f49d761e29d0b2896cec383f460495450fc3fbe59a46c58a490f8de7ced83cbc1d40e10533df65e873d0a1b69180

  • C:\Windows\{3037D900-3140-43e7-8205-63AAE5E3AE96}.exe

    Filesize

    90KB

    MD5

    f3dd5301316f1ac49bb68472ac7e368f

    SHA1

    e00db2d72173527242596cb0945cb1d6cbfae021

    SHA256

    527e22b051dbd4fc8750afc86d7097e01be2d5554e76838dced172787a2db7a6

    SHA512

    37de1daf9c8564bd9b261d2591cb56b93506bdcce602853e40f04d435e2710aada20b419a5703f7068c0e89ea811d7b63ddf84853e95e4b5bcabc25990959023

  • C:\Windows\{65E64798-174A-40ae-812D-A30499B18ED9}.exe

    Filesize

    90KB

    MD5

    19a6e3d3f90f55406190a6a370666f03

    SHA1

    be33ee946d6f07d573e07590cdfe19da42ea4283

    SHA256

    1c00aa849693c5d5c4f42050b40e770ab290f634058d6f19a2e204ad983b088b

    SHA512

    02eba6a958d00d278e97b0046e8d832eb768eb01a8be03ae92e98d7467e1a5cd1eb2fc0761caf0b60ae6d41324482c4aacee5668621ce21ff09ffa2a32d0d325

  • C:\Windows\{9F6DC59C-152D-450c-A148-147B9696FBFF}.exe

    Filesize

    90KB

    MD5

    2f1d40e9ca11c1a2baa7ad18440a53ba

    SHA1

    faf2e3f20a93502acf94964394b0105f1006d17c

    SHA256

    c327a661f69bb4cc4130f9e7670077aab677f064d308b6c962f4229c82cc61a7

    SHA512

    6cdeb0ec9f80772ab49ced50622a8593ac67f5e947da2b0c9641e6452e9c95b83ae941d3c87ae5650d8dc3706816bcb271f64728bf1cf9c812781dcb5380482d

  • C:\Windows\{B03FB6C3-A26E-408c-8F26-ACF6AAFABCF0}.exe

    Filesize

    90KB

    MD5

    8bfb894af81c48eeafa56d3ea4db870e

    SHA1

    9df4a63f94f56d48d4be23368a81f3d2698b1a9c

    SHA256

    70e724378fcec18593388b21ebe84460b5204d9fc66c334a4463358fe4657326

    SHA512

    bd6e23d8db1075748d4db812c5aa9e77f4d68b7200a47c4dedf6036c7d9a6feae256d3ca550efc7ff02f433ae71af7e9b543da01acfd3d96b104dd7f28ce8e54

  • C:\Windows\{B5B71527-FC23-4f77-8E5F-38D82DB2722D}.exe

    Filesize

    90KB

    MD5

    51316e143d5b5c32cac9e81a7b096b57

    SHA1

    4d7c83c21972dfadeefa541b575e96f0bb6b1487

    SHA256

    924adc21523d871476dec4242e0990eb827cccd52ccd857eedc092f107d622cb

    SHA512

    9200cd1e42db259acf466362d70efc6f770656ffc80e2c495ae8353500d7280358a4aeb68e20438b259b05edac8fe6dfe935f99b7345c9195220023ad8f570f2

  • C:\Windows\{C0317FA2-AE02-465c-B4E0-BCC1C9A8D97C}.exe

    Filesize

    90KB

    MD5

    c1fe6e5817108c7e317d0f3d9b92579c

    SHA1

    b58706c41bd901816cbe622317551ce5a5091030

    SHA256

    5caae9b5e55782fa58fa30acde9ef692df1ecebc326696f09a0599d34062137d

    SHA512

    78cc3c14e14608e94216b99dd83b06ef2dea6f25a1f37facf534974259febedffaee0156b55fc94ca19eb9d32baf07288871d9b7d2926f3e006b8db4b966a6aa