Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/09/2024, 03:39

General

  • Target

    0d267e230e2351bada78c3bf62667570N.exe

  • Size

    90KB

  • MD5

    0d267e230e2351bada78c3bf62667570

  • SHA1

    ae3ff6512b4fe24c41451e81ed76f882c431688e

  • SHA256

    748c6594e869d2b87b6d6db08842045b42acfd7448f9461a554204d3e4866899

  • SHA512

    b3bcddfcf0dcd4b73a5cd3557427998e21d89beebf70670c98d1344db6b0259d0447cc97dfed3b3642302e269775a9bbe1f28fcc6dfe87e3b4a8a47a394cf563

  • SSDEEP

    768:Qvw9816vhKQLro74/wQRNrfrunMxVFA3b7glw:YEGh0o7l2unMxVS3Hg

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0d267e230e2351bada78c3bf62667570N.exe
    "C:\Users\Admin\AppData\Local\Temp\0d267e230e2351bada78c3bf62667570N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Windows\{64AB1021-CCA0-4a28-84EB-310AAB0701C2}.exe
      C:\Windows\{64AB1021-CCA0-4a28-84EB-310AAB0701C2}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1784
      • C:\Windows\{0A3D220A-D07C-490c-8410-E53BA427CC19}.exe
        C:\Windows\{0A3D220A-D07C-490c-8410-E53BA427CC19}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2844
        • C:\Windows\{6DDA8168-A0D3-4a75-87DA-45742AF70956}.exe
          C:\Windows\{6DDA8168-A0D3-4a75-87DA-45742AF70956}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2872
          • C:\Windows\{8BA3DA17-20E0-4e10-BD9B-FB97E8C1F4EF}.exe
            C:\Windows\{8BA3DA17-20E0-4e10-BD9B-FB97E8C1F4EF}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1700
            • C:\Windows\{C9B113D8-6DDE-423a-A28E-D8934AB17199}.exe
              C:\Windows\{C9B113D8-6DDE-423a-A28E-D8934AB17199}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1716
              • C:\Windows\{C2144132-6025-4583-8666-AF10A4530E57}.exe
                C:\Windows\{C2144132-6025-4583-8666-AF10A4530E57}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1152
                • C:\Windows\{13357041-5365-4d60-9476-3EB88E48621A}.exe
                  C:\Windows\{13357041-5365-4d60-9476-3EB88E48621A}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1428
                  • C:\Windows\{4C4347AD-AED5-414d-AF56-2DE7B0FFE117}.exe
                    C:\Windows\{4C4347AD-AED5-414d-AF56-2DE7B0FFE117}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2032
                    • C:\Windows\{6C5906ED-92EF-4a0a-B045-02DD527988CF}.exe
                      C:\Windows\{6C5906ED-92EF-4a0a-B045-02DD527988CF}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:2436
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{4C434~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:916
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{13357~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1752
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{C2144~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1360
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{C9B11~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1524
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{8BA3D~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3048
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{6DDA8~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2584
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{0A3D2~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2856
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64AB1~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2900
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0D267E~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2336

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0A3D220A-D07C-490c-8410-E53BA427CC19}.exe

    Filesize

    90KB

    MD5

    a9e206a1148e6f9f0ed4ba750dc59768

    SHA1

    75b68d572f60220cd6105da6b8b5a0a386e7ab20

    SHA256

    796106eb2b5d05dc7d47b143587b3bcde9031a36b693b28c8a1fe6371f00b985

    SHA512

    7894e6b5376652360f19cd0f043c1f4e4ab43467638f0de3078849408fd07219ab884c122f8325259e426b80918f8b399efbbb7578ac399182b06a1f3b54a251

  • C:\Windows\{13357041-5365-4d60-9476-3EB88E48621A}.exe

    Filesize

    90KB

    MD5

    69a7683b0aedc7afcf032401ff42c0d6

    SHA1

    a28ab104a8a86273d72c49d2399ef9e59e23fd9c

    SHA256

    9b8f8bf615399ec853b9e1a42c1a26ddf912f270e41b6f703287b9c64b21932d

    SHA512

    54b005370a544a00ad1e0da6a0275abd623a95715298f4f47245283f074b89c18c5e3347e1fa4c32341321a8411be42f628a5290f42e1deb3b6f39e0067c6bb1

  • C:\Windows\{4C4347AD-AED5-414d-AF56-2DE7B0FFE117}.exe

    Filesize

    90KB

    MD5

    0c8945c49980b0faccd1ba0f9c382585

    SHA1

    bf1334f98b04b827069753779765c371bcca6e0b

    SHA256

    494c6fccab74e0e1796bd742a27ea140d1fb69e3be69c163226cec7d51bf136f

    SHA512

    a62d19ac5ef54c79e9fc11a6b53eab42e4e3fc528744b36c70dcb601a97f0e844a2261bcb9d766e6893948c9ecd307f36e3d9b4bf63540e2b071ebc109b1df44

  • C:\Windows\{64AB1021-CCA0-4a28-84EB-310AAB0701C2}.exe

    Filesize

    90KB

    MD5

    05e23fc9edcbf7e47d9d8efc01771a21

    SHA1

    0728d1b2401965867b49c9c4f44426fdf8a65b2b

    SHA256

    46d8f41293386ab5c08b1d4565cf615278798922b976e6d4f385dd6939f98d85

    SHA512

    12d2792bc4daa6867af7a5bbc4180d28c6ec79208972004d6acf9d7b5a80cca233aecfe0c38f46c13b0bf0a9782e2bba7cedc74e78a2da9cd8c111ee5eace584

  • C:\Windows\{6C5906ED-92EF-4a0a-B045-02DD527988CF}.exe

    Filesize

    90KB

    MD5

    e7540954f10cd369e6c69d70b578ba8c

    SHA1

    d54564832a8a6335238e884b37195d3466c67f28

    SHA256

    f23fc2d732238ba2eb71c8f42a31039e073fde8cd67546664315be3a0ffb594a

    SHA512

    7004282aabea939c6c2dee2fa6a3fa85c531954da0ba319efa41113a25f2d775f1b1ad905345254ba0e77ebdac3f427408e132321d78ba3f990c586aa8f05ceb

  • C:\Windows\{6DDA8168-A0D3-4a75-87DA-45742AF70956}.exe

    Filesize

    90KB

    MD5

    be8b5f94554baf44647354f99bb10aec

    SHA1

    c6837089838586f7d978bda12d27e5bb532c48f0

    SHA256

    9729527f3b58950c80002859bebf52dd31be04442d9f07e92aab8e50d7e0ea68

    SHA512

    6c11bd40e7c4b36e155fb36ab32f770cdbb3d3b673a8e475fcf22df411cb07bc6328158ecfc846a915d0b96be5232c63316f949b2185aad28b6fd37b686b7980

  • C:\Windows\{8BA3DA17-20E0-4e10-BD9B-FB97E8C1F4EF}.exe

    Filesize

    90KB

    MD5

    f3219b0b7a8796d1bd07dbd894091c2d

    SHA1

    de04237a0bffa0a3a4b5a316b59bab4a3d797107

    SHA256

    9fff58a08eb5a80f97a5f96ee3f006a929c89f562518a8e893c002403fb23da7

    SHA512

    8efee30976fbf277aa7c2aa45d35c6ab8a39ae6910f95ab10dc390ec3e57c52ef37c5bfa720c7b2563756d1b8bbba2e5946c45cc6feaafbfbd531b6d7798a0f5

  • C:\Windows\{C2144132-6025-4583-8666-AF10A4530E57}.exe

    Filesize

    90KB

    MD5

    b7cb16c34c22e3452ed62c1f35ae5f37

    SHA1

    67e88d2c9a0098013165b2995055637bb7e6b778

    SHA256

    366c9eeeb1b2326c59bcdad729063a9bccb57352b14ca317dbe67911eb3ad074

    SHA512

    940fb87bb77c15c4e5fb029b3c683365d82c1c372866db186029897c2304784faa559f4a842a202ef904d39eb77ef510e91580093b8df528caea98899603f2fc

  • C:\Windows\{C9B113D8-6DDE-423a-A28E-D8934AB17199}.exe

    Filesize

    90KB

    MD5

    7630ddf46fa7fb681d628c217712216f

    SHA1

    bc938681355c00de10fe8c8e4ea9898e4cb5fc2d

    SHA256

    46e53c09fc09c10417bd3d4355e58bea1e50cd120f9659ce8a1475b9de7c24d7

    SHA512

    34de37da4032d31ebc2f90adb990023a76deed12caa47e635aaa55b5d44fbcc4c50f938f029a95872d415ff7249950b2a5e8459e4f556ac710d5b329171e564a