Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

0376e2dbd7...0N.exe

windows7-x64

8

0376e2dbd7...0N.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/09/2024, 07:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0376e2dbd776b4b1a74ecebd73ccb580N.exe

  • Size

    88KB

  • MD5

    0376e2dbd776b4b1a74ecebd73ccb580

  • SHA1

    404632978194a31e64804b5c62fe8acff7c91760

  • SHA256

    6119d58486d1317da2c96f5d611a2253487b97c55ac01d2fed4458354a31f307

  • SHA512

    d7cc39c6f8cbe6cbe2e6e43bee77027adc17fff26c4edfe47f7aadd439233a127779dbd49189ab04aed01408e8c2522a1a622c49d7530fb7e2f2dad99cb99b7e

  • SSDEEP

    768:5vw9816thKQLro94/wQkNrfrunMxVFA3V:lEG/0o9lbunMxVS3V

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0376e2dbd776b4b1a74ecebd73ccb580N.exe
    "C:\Users\Admin\AppData\Local\Temp\0376e2dbd776b4b1a74ecebd73ccb580N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4600
    • C:\Windows\{2A78DA9E-85D3-4d3f-B801-394D68A05ABB}.exe
      C:\Windows\{2A78DA9E-85D3-4d3f-B801-394D68A05ABB}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5988
      • C:\Windows\{932C1E59-4BCF-4529-BFA4-139736ABAEDA}.exe
        C:\Windows\{932C1E59-4BCF-4529-BFA4-139736ABAEDA}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4924
        • C:\Windows\{6822D83F-2ACC-4ee4-B2A8-D3EC1040E33B}.exe
          C:\Windows\{6822D83F-2ACC-4ee4-B2A8-D3EC1040E33B}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1804
          • C:\Windows\{87788BA8-0C99-41ed-8503-8C41BFE95AFE}.exe
            C:\Windows\{87788BA8-0C99-41ed-8503-8C41BFE95AFE}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4876
            • C:\Windows\{DBBA5001-3BB6-4966-A003-C957521F3C73}.exe
              C:\Windows\{DBBA5001-3BB6-4966-A003-C957521F3C73}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3168
              • C:\Windows\{889743A8-76AA-4046-9913-2A4972E15198}.exe
                C:\Windows\{889743A8-76AA-4046-9913-2A4972E15198}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1052
                • C:\Windows\{82191743-AAEC-4517-9B13-52AFE947829E}.exe
                  C:\Windows\{82191743-AAEC-4517-9B13-52AFE947829E}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4360
                  • C:\Windows\{89515D02-0AA7-419e-B3B0-CBF8544B49C2}.exe
                    C:\Windows\{89515D02-0AA7-419e-B3B0-CBF8544B49C2}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4676
                    • C:\Windows\{D0833BD2-3C19-48c4-893D-F8BF24457A69}.exe
                      C:\Windows\{D0833BD2-3C19-48c4-893D-F8BF24457A69}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:2484
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{89515~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4572
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{82191~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:440
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{88974~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:5628
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{DBBA5~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3408
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{87788~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:5724
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{6822D~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3972
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{932C1~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:676
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A78D~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4480
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0376E2~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3156
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4768,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=948 /prefetch:8
    1⤵
      PID:4528

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\{2A78DA9E-85D3-4d3f-B801-394D68A05ABB}.exe
      Filesize

      88KB

      MD5

      158cc509ea7e3d2fdce5d97ed1426fb0

      SHA1

      d5883c0df4b9e406043d6821408a1b7f04ca6e90

      SHA256

      a7f0a009a9632d36497a755e2dde9a13255e7251443897c0b8ab2ed42e8b3ff8

      SHA512

      bcdac3a46491c53a95171abd3ca626db5d365aa6dac39368858b9d5ef8e603c82057fd79c9f2443b120dd3306708629d9099602118c9d9a6ca918b6ce6411580

      Download Submit

    • C:\Windows\{6822D83F-2ACC-4ee4-B2A8-D3EC1040E33B}.exe
      Filesize

      88KB

      MD5

      7957f442388ef62c3b1bf80af7e0d08b

      SHA1

      198d06f45875963c74339420683b4db2e6f16fe7

      SHA256

      1b317eed120f6cc1c51111a62985fc53ada2cc30e0ec380755aadd9de4b9a980

      SHA512

      fe60f448ce5fce04f96abe8cc5238c9d2287b774fac0ea704089e96a9839f9f5d471a237b85cc48488095247cc1f8ab36309233c38af1ff7d0de7ab9cb4928bb

      Download Submit

    • C:\Windows\{82191743-AAEC-4517-9B13-52AFE947829E}.exe
      Filesize

      88KB

      MD5

      9b58a72e492d2d1254e7d5de19c7a465

      SHA1

      f0c3d485c5b193b1f48dcec1da26205092be64fd

      SHA256

      79e67d5faa4e2f52347feb33f3d5545fc3458bc198efd0f3bdc638b7480e6240

      SHA512

      d2ab6292de99518309f9524219521f93c86616431b8f300f6b6a61b1860c474ac941dbd8c47a1feef3e69990cfcacf16ecd664fc45dca6c222da1d08a5aa227a

      Download Submit

    • C:\Windows\{87788BA8-0C99-41ed-8503-8C41BFE95AFE}.exe
      Filesize

      88KB

      MD5

      4e0b74df5467e54532ea9230a3bf2b6a

      SHA1

      fc843bcd40e638f804bcdcc99d857b64453bf90f

      SHA256

      79d1646fc8b565e49cb82ca067e744164e8c02f110d1e953737502fe1604d87e

      SHA512

      2a7df90b5bde4f213d2ca901bb79bfcb8325509de32411c944f39761accd31b1d702e7d4e324f8711613b6113c0e062c921a39125761e7bd26c9b566bc7bd10c

      Download Submit

    • C:\Windows\{889743A8-76AA-4046-9913-2A4972E15198}.exe
      Filesize

      88KB

      MD5

      512e293a8faea28d3df252e3acf8ff28

      SHA1

      f61861d4f85585cea8e8e115373aff393856d585

      SHA256

      5db83969dc5037da17627873d51fcdbd6dccd08171d323e4eccbeee5ecafb16a

      SHA512

      a08e88e4fbc2adf65583a0c94f853b8f242c70479bbdf2b6d59b30e37791c00d570455e2f066d4a39c96e5f76ec49314b6b9302cb1216c1b81bff28c4dc536ed

      Download Submit

    • C:\Windows\{89515D02-0AA7-419e-B3B0-CBF8544B49C2}.exe
      Filesize

      88KB

      MD5

      64c7a4ec334e3a50954cd859ddc1477d

      SHA1

      3c8869f21fa64f0e18d2f624772044e66dc265fe

      SHA256

      40d6a881a6d29220d7cabdff6e29907ff275f7ae78f00c4dcdd238b84e4639d5

      SHA512

      780c47a4b9e5ebaf3a871af7c129652ed917e10d7ed4d075f12e56c77cdd2b8c4e817c544cbbad767fefbbbb259541f9bce79257fbbb10d3bc4c690bf85099d6

      Download Submit

    • C:\Windows\{932C1E59-4BCF-4529-BFA4-139736ABAEDA}.exe
      Filesize

      88KB

      MD5

      fc9acb934a389dbfd49ec3c906271363

      SHA1

      bdf189b7824bfa45fb7faf3aa04e9acbaa93a8f1

      SHA256

      426ed8ec437709293af5256cba796e5eb3b57fcd8602e4cc752929b44070f7cd

      SHA512

      7589735686c221ccc488a588051e9e6f02fb9771560fdecee4aeed0f65e9d8e1f646a54652bff0a60c66c8d10e758ba90ab66f279bf8c9d02e7586710d3390b7

      Download Submit

    • C:\Windows\{D0833BD2-3C19-48c4-893D-F8BF24457A69}.exe
      Filesize

      88KB

      MD5

      ab5329a805fbec65d9e3c1f930a8ee55

      SHA1

      79f3c566d25be5a3818b4b518844f259727f760f

      SHA256

      afa960194a5ef533136e49d2d90d2c30afab1e59ab104f9b5fff4fb406268f8d

      SHA512

      aee0a1d556c55267fe899d14b8ed3ecf32528eadca2505f3262755fe464870e2de2dc6d7b23c148ad18977834ac697b37642ed737903aa010c6ac5e9804502f1

      Download Submit

    • C:\Windows\{DBBA5001-3BB6-4966-A003-C957521F3C73}.exe
      Filesize

      88KB

      MD5

      0dda622e3a5fc22e5fe09af8bb4d06ff

      SHA1

      d93b54aea236a85c2cdf5b726eaf4f9c5c005b11

      SHA256

      9a575d6d496ac058eac5f7a8db2dcf641df3e11c8fbe24947fa2a7a411c2cfff

      SHA512

      dc88f95aa28bb84811bcce98013e21bc1632632fa4de6ca267c9c4497889b7f08182bd6702c1ea776a521a1c4457ee1d08625d0d5c01c4f9271ff7c6aa5cd945

      Download Submit

    • memory/1052-36-0x0000000000400000-0x0000000000411000-memory.dmp

      Filesize

      68KB

      Download

    • memory/1052-41-0x0000000000400000-0x0000000000411000-memory.dmp

      Filesize

      68KB

      Download

    • memory/1804-19-0x0000000000400000-0x0000000000411000-memory.dmp

      Filesize

      68KB

      Download

    • memory/1804-25-0x0000000000400000-0x0000000000411000-memory.dmp

      Filesize

      68KB

      Download

    • memory/2484-55-0x0000000000400000-0x0000000000411000-memory.dmp

      Filesize

      68KB

      Download

    • memory/3168-30-0x0000000000400000-0x0000000000411000-memory.dmp

      Filesize

      68KB

      Download

    • memory/3168-34-0x0000000000400000-0x0000000000411000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4360-48-0x0000000000400000-0x0000000000411000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4360-42-0x0000000000400000-0x0000000000411000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4600-0-0x0000000000400000-0x0000000000411000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4600-7-0x0000000000400000-0x0000000000411000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4600-1-0x0000000000400000-0x0000000000411000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4676-47-0x0000000000400000-0x0000000000411000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4676-54-0x0000000000400000-0x0000000000411000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4876-29-0x0000000000400000-0x0000000000411000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4924-17-0x0000000000400000-0x0000000000411000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4924-13-0x0000000000400000-0x0000000000411000-memory.dmp

      Filesize

      68KB

      Download

    • memory/5988-12-0x0000000000400000-0x0000000000411000-memory.dmp

      Filesize

      68KB

      Download

    • memory/5988-8-0x0000000000400000-0x0000000000411000-memory.dmp

      Filesize

      68KB

      Download

    • memory/5988-5-0x0000000000400000-0x0000000000411000-memory.dmp

      Filesize

      68KB

      Download