Analysis

  • max time kernel
    118s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/09/2024, 14:41

General

  • Target

    da1844ed7927c687acb282db6b1a88d0N.exe

  • Size

    380KB

  • MD5

    da1844ed7927c687acb282db6b1a88d0

  • SHA1

    cfd876ade42b10cb503e32ffee3f70402fdb0c70

  • SHA256

    57e3518c0dad4630e6b706f103c85b59f7767b40c5c6fc350dbdd3399e3b4743

  • SHA512

    ba22e2b52b4565cbbfe292624e941109413cddd3b28af554329636639305653744788511f80c2cdd1f4a00911aa9d766a5ee054494b0d50ec10c2e760a222b13

  • SSDEEP

    3072:mEGh0owlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGul7Oe2MUVg3v2IneKcAEcARy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\da1844ed7927c687acb282db6b1a88d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\da1844ed7927c687acb282db6b1a88d0N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4400
    • C:\Windows\{DEB24C85-AAB2-48f8-B56C-BDA25BBB1416}.exe
      C:\Windows\{DEB24C85-AAB2-48f8-B56C-BDA25BBB1416}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4508
      • C:\Windows\{B367255B-8128-496d-B6B6-9595041DC3FC}.exe
        C:\Windows\{B367255B-8128-496d-B6B6-9595041DC3FC}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4948
        • C:\Windows\{7D6FB515-CC17-4bf6-9DD6-E0C8A8CD7145}.exe
          C:\Windows\{7D6FB515-CC17-4bf6-9DD6-E0C8A8CD7145}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4200
          • C:\Windows\{8B2C289B-1AB4-4d11-9536-14BCEDB8A841}.exe
            C:\Windows\{8B2C289B-1AB4-4d11-9536-14BCEDB8A841}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1036
            • C:\Windows\{630E00B0-8972-43ab-B571-4C98CADF4F5A}.exe
              C:\Windows\{630E00B0-8972-43ab-B571-4C98CADF4F5A}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2900
              • C:\Windows\{C0047C0F-E6EA-45d6-BC04-EF1CEC685B7F}.exe
                C:\Windows\{C0047C0F-E6EA-45d6-BC04-EF1CEC685B7F}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:5076
                • C:\Windows\{D32477B6-E78E-4955-92D7-748B66ACCA3D}.exe
                  C:\Windows\{D32477B6-E78E-4955-92D7-748B66ACCA3D}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4768
                  • C:\Windows\{E1E732F3-3965-4cc1-9799-EA239E2BD18F}.exe
                    C:\Windows\{E1E732F3-3965-4cc1-9799-EA239E2BD18F}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4176
                    • C:\Windows\{30D6B91D-B686-4c22-B2C0-8A8F105DB6BA}.exe
                      C:\Windows\{30D6B91D-B686-4c22-B2C0-8A8F105DB6BA}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:3464
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{E1E73~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1684
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{D3247~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2452
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{C0047~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1248
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{630E0~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3796
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{8B2C2~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4872
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{7D6FB~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2528
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{B3672~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1240
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEB24~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1068
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\DA1844~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:228

Network

MITRE ATT&CK Enterprise v15

Downloads
