Analysis

  • max time kernel
    118s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/09/2024, 13:56

General

  • Target

    f286418428ff4cdc71faf6538b918960N.exe

  • Size

    89KB

  • MD5

    f286418428ff4cdc71faf6538b918960

  • SHA1

    0bb1972dc509db36c7dc286b08fed4dc28cab3b8

  • SHA256

    c8911e229034edb96557d4cc3009d5b9ccfadff4080c04f3f1cf49919561d1da

  • SHA512

    947e8eb2d47b357395f886d86af0987509e28eed6c680cf7329024f141980831c90271f781a3caba02612349f148ff0172929125e91997b62e33abfab87328ee

  • SSDEEP

    768:Qvw9816vhKQLroH4/wQRNrfrunMxVFA3b7gl5:YEGh0oHl2unMxVS3HgX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 8 IoCs
  • Drops file in Windows directory 8 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f286418428ff4cdc71faf6538b918960N.exe
    "C:\Users\Admin\AppData\Local\Temp\f286418428ff4cdc71faf6538b918960N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2732
    • C:\Windows\{27E296F9-17E9-41d7-9A94-AC8949CAC182}.exe
      C:\Windows\{27E296F9-17E9-41d7-9A94-AC8949CAC182}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4856
      • C:\Windows\{A9138408-A0CE-4783-8088-0C23392C7B1A}.exe
        C:\Windows\{A9138408-A0CE-4783-8088-0C23392C7B1A}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3872
        • C:\Windows\{17B315E9-09C1-48fc-8BBA-8963F5DAD9BA}.exe
          C:\Windows\{17B315E9-09C1-48fc-8BBA-8963F5DAD9BA}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:880
          • C:\Windows\{325F1B91-B18E-49dc-A6D7-8B4AB2A5554D}.exe
            C:\Windows\{325F1B91-B18E-49dc-A6D7-8B4AB2A5554D}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1764
            • C:\Windows\{99A416B6-9C6B-4f4f-8DDD-9C5E2D1FDFAE}.exe
              C:\Windows\{99A416B6-9C6B-4f4f-8DDD-9C5E2D1FDFAE}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2408
              • C:\Windows\{C06AB5A7-E01D-4ce5-B3C9-45EA0F2C4A9E}.exe
                C:\Windows\{C06AB5A7-E01D-4ce5-B3C9-45EA0F2C4A9E}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:1952
                • C:\Windows\{98CF559D-9C9A-43e7-8FA4-C953E4E2E076}.exe
                  C:\Windows\{98CF559D-9C9A-43e7-8FA4-C953E4E2E076}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:632
                  • C:\Windows\{14BE3868-ABAD-4b2b-91CE-F42F125D1FEE}.exe
                    C:\Windows\{14BE3868-ABAD-4b2b-91CE-F42F125D1FEE}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4956
                    • C:\Windows\{45EBB8E0-C6A0-4855-8D99-CB0AB1FD3BE1}.exe
                      C:\Windows\{45EBB8E0-C6A0-4855-8D99-CB0AB1FD3BE1}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:60
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{14BE3~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:5080
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{98CF5~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3540
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{C06AB~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:992
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{99A41~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4356
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{325F1~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2840
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{17B31~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1532
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{A9138~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1020
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27E29~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2320
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\F28641~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4520

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{14BE3868-ABAD-4b2b-91CE-F42F125D1FEE}.exe

    Filesize

    89KB

    MD5

    249cc2823a21e38a59534c2e0cc16a70

    SHA1

    dc57b6ec0b6bf1384aaa2359487f6ca094bbb2c0

    SHA256

    29f5ff40ac01c540b42c4b9896cb0a58025dab02c7e825f29173ada6a257d3e1

    SHA512

    c1768f511f7898034acc1fb90330e9bba87dd3f1e91b69652edba5478f0f069600f3a1d938a912cde77690286c3e99de1e97c2dc243651923775e0f7744457fe

  • C:\Windows\{17B315E9-09C1-48fc-8BBA-8963F5DAD9BA}.exe

    Filesize

    89KB

    MD5

    91e29069366b2096d97b39325cba9346

    SHA1

    a51d0fde3d7ea30df4251f3a26b89d56a8aab7a6

    SHA256

    293d75a67e804b745b24af52d2be9dddc574632371d1a308f43ab31c1c7b37d0

    SHA512

    2d17868b3811bab042cf8be3a7d92ce45d50ebdeb2a71c1ed7ff1ed20089e0a85c5ae5890e9a17089877becdd4eadec8bdda3a1245a5af13046208dcfd0a7fa3

  • C:\Windows\{27E296F9-17E9-41d7-9A94-AC8949CAC182}.exe

    Filesize

    89KB

    MD5

    1538f524b355b15ac51d4613152c9a07

    SHA1

    d6c7c6d77516b130b41a46e673256076cf5c37e2

    SHA256

    4cb33af6bce90262dea76c2aaf2aaac6d34ec762cf63cf199aa4449381ba9d0c

    SHA512

    88064c45eb4b965a675126d4ccb051ab9029a64fc2f35788806285a2c9e094eec851b9b2d510a355f82288f8a1acb02b687ce63e946ee6355a64dd5e0fb890b8

  • C:\Windows\{325F1B91-B18E-49dc-A6D7-8B4AB2A5554D}.exe

    Filesize

    89KB

    MD5

    febabc378f081398ca28e6c2b316d8c8

    SHA1

    f7d166577a7855a0b6a418967ed2fa537290690a

    SHA256

    cbad03edc5b993d180ae236e17f776b0145e3c17671c65f3f7f43414ba704a3d

    SHA512

    d40daf96f82ba9c8ef4edc4a849ebd64f39bf713a9198f2ff9a77f142b494e9fcc570abc19638c1ad741bdcc220c7bd7b398d2fe30b743332bfe436a28a2ed6e

  • C:\Windows\{45EBB8E0-C6A0-4855-8D99-CB0AB1FD3BE1}.exe

    Filesize

    89KB

    MD5

    fd2fc6451387b421a6ab757329ebeee4

    SHA1

    cc9536d773a5f460dbd521a00e29f6d00c422101

    SHA256

    f5ed5846c790a7c07847a4c2cfb6c2366bd61517c10935295f8af2acaedf5a8b

    SHA512

    3cd3ceab5b58f9c509c3a923315bdf1a21d1303b4310e031afcf12601386a6ac93b779aeda5cce37981459f2f01c1fa3a5b67d112475540956dc3abbfd8007c3

  • C:\Windows\{99A416B6-9C6B-4f4f-8DDD-9C5E2D1FDFAE}.exe

    Filesize

    89KB

    MD5

    016b93f7f5fda649e98bf229a5b1acf7

    SHA1

    25256cd47f384ef1341e3b1241a928feba3a0619

    SHA256

    ba0eba61b13caccc72e95872ffb7e2313b19cac37fa2dcb5e24a4dc935ee26ea

    SHA512

    52b22ae53844bfb2b4c67aefb843bdcc7afa6baaf7d505e54337d86d7cde3b396bd15e11b0a8856f86283702b9b2837adb23428e92e0c2fabe0f442349681f27

  • C:\Windows\{A9138408-A0CE-4783-8088-0C23392C7B1A}.exe

    Filesize

    89KB

    MD5

    6be72fa87ad2f2235a1085a88a8b7c7a

    SHA1

    b48eae2bc92e33db411952f633fe48bc907958db

    SHA256

    2818804a716713ecc68d958e1a57c911f95f660bba5240bbf7e127db6164e5bf

    SHA512

    4e5a3fc03153b3260dc8386390761d5435cd635d830e75a0ff73c45c712f02922d90e8cfded2760c7d22bb1c110d8babf16547a8a4e4a981344880c2256f1d82

  • C:\Windows\{C06AB5A7-E01D-4ce5-B3C9-45EA0F2C4A9E}.exe

    Filesize

    89KB

    MD5

    24252900b6a1879342e460d76bc1f776

    SHA1

    44e8d51285b09cccb3a42409a9e580a399cd5678

    SHA256

    98eb4d60b2bc2c8b8a4175fd8e12729b9a58f0817dbe997751075e2b3540033a

    SHA512

    2e1767479f941de99005be32f3c125c9908338e535c7daacbe05776eca9386c233810184db7a83656d8cc53bee6d9155607421f1e7dcd9244613a5df4d8cf89f