Analysis

  • max time kernel
    118s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240802-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    12/09/2024, 03:39

General

  • Target

    0d267e230e2351bada78c3bf62667570N.exe

  • Size

    90KB

  • MD5

    0d267e230e2351bada78c3bf62667570

  • SHA1

    ae3ff6512b4fe24c41451e81ed76f882c431688e

  • SHA256

    748c6594e869d2b87b6d6db08842045b42acfd7448f9461a554204d3e4866899

  • SHA512

    b3bcddfcf0dcd4b73a5cd3557427998e21d89beebf70670c98d1344db6b0259d0447cc97dfed3b3642302e269775a9bbe1f28fcc6dfe87e3b4a8a47a394cf563

  • SSDEEP

    768:Qvw9816vhKQLro74/wQRNrfrunMxVFA3b7glw:YEGh0o7l2unMxVS3Hg

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0d267e230e2351bada78c3bf62667570N.exe
    "C:\Users\Admin\AppData\Local\Temp\0d267e230e2351bada78c3bf62667570N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3316
    • C:\Windows\{3FABFFEF-9565-4d9c-A91F-BAF8A063C1B7}.exe
      C:\Windows\{3FABFFEF-9565-4d9c-A91F-BAF8A063C1B7}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4332
      • C:\Windows\{97C92693-1963-4b18-9547-CC8A4106E39F}.exe
        C:\Windows\{97C92693-1963-4b18-9547-CC8A4106E39F}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4972
        • C:\Windows\{92680027-65BC-4051-8236-F5A064A517CF}.exe
          C:\Windows\{92680027-65BC-4051-8236-F5A064A517CF}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5104
          • C:\Windows\{6ED1C8D9-4FE0-456a-A303-E011A6169B6B}.exe
            C:\Windows\{6ED1C8D9-4FE0-456a-A303-E011A6169B6B}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1812
            • C:\Windows\{F67B83C0-87A0-407f-9A8D-4E22BD7265D8}.exe
              C:\Windows\{F67B83C0-87A0-407f-9A8D-4E22BD7265D8}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4744
              • C:\Windows\{C3F3CF7C-4B27-4bdd-B6B1-69E5A18D2508}.exe
                C:\Windows\{C3F3CF7C-4B27-4bdd-B6B1-69E5A18D2508}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1192
                • C:\Windows\{73A29C1C-1DF1-4567-ACAD-90A82E618C63}.exe
                  C:\Windows\{73A29C1C-1DF1-4567-ACAD-90A82E618C63}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4020
                  • C:\Windows\{A70138BF-CD4F-4c70-8EE7-5F210423C19F}.exe
                    C:\Windows\{A70138BF-CD4F-4c70-8EE7-5F210423C19F}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3612
                    • C:\Windows\{254A76F7-B1B2-44f5-92E7-B4E9480B3767}.exe
                      C:\Windows\{254A76F7-B1B2-44f5-92E7-B4E9480B3767}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:1620
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{A7013~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4052
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{73A29~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2300
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{C3F3C~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2348
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{F67B8~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4692
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{6ED1C~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2520
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{92680~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2872
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{97C92~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1548
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3FABF~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2268
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0D267E~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3064
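The tree above has a fixed shape at every level: a GUID-named executable in C:\Windows launches the next GUID-named copy, then spawns `cmd.exe /c del <8.3 name> > nul` to delete its own parent, while the Active Setup signature fires alongside. The following detection logic is an added example, not tria.ge output and not the sample's own code. It runs the three checks (GUID-named executable under %SystemRoot%, one such stage launching another, and a child `cmd.exe` deleting its parent by 8.3 short name, plus an Active Setup `StubPath` write pointing at such a file) over a constructed, Sysmon-style event list. The event field names, the PIDs chosen for the slice, the Active Setup key name and the benign control process are assumptions; the paths and `del` command lines are taken from the tree.

```python
import re
from collections import defaultdict

# GUID-named executable dropped straight into %SystemRoot%, the pattern at every
# level of the process tree above.
GUID_EXE_IN_WINDOWS = re.compile(
    r"^[A-Za-z]:\\Windows\\\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}\.exe$",
    re.IGNORECASE,
)
# "cmd.exe /c del <8.3 path> > nul": each stage deletes its parent after spawning
# the next one, so little of the chain is left on disk when it finishes.
SELF_DELETE = re.compile(r"cmd\.exe\s+/c\s+del\s+(?P<target>\S+)\s*>\s*nul", re.IGNORECASE)
# Active Setup persistence location (T1547.014). Wow6432Node is the view a 32-bit
# process gets on x64; this sample is 32-bit (arch:x86, cmd.exe resolved to SysWOW64).
ACTIVE_SETUP = re.compile(
    r"\\Microsoft\\Active Setup\\Installed Components\\[^\\]+\\StubPath$", re.IGNORECASE
)


def short_name_prefix(path: str) -> str:
    """First six characters of the 8.3 short form of a file's base name.

    Simplified: real 8.3 generation also drops spaces and extra dots and may hash
    the prefix on collision; for the names in this report the first six characters
    plus "~1" are exactly what the del commands use.
    """
    base = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return base.replace(" ", "").replace(".", "").upper()[:6]


def resolves_to(short_path: str, long_path: str) -> bool:
    """True if an 8.3 path such as C:\\Windows\\{A7013~1.EXE denotes long_path."""
    if "\\" not in short_path or "\\" not in long_path:
        return False
    s_dir, s_base = short_path.rsplit("\\", 1)
    l_dir, l_base = long_path.rsplit("\\", 1)
    if s_dir.lower() != l_dir.lower():
        return False
    m = re.match(r"^(.{1,6})~\d+\.(.{0,3})$", s_base)
    if not m:
        return False
    long_ext = l_base.rsplit(".", 1)[-1].upper()[:3] if "." in l_base else ""
    return m.group(1).upper() == short_name_prefix(long_path) and m.group(2).upper() == long_ext


def analyze(events):
    """Run the checks over Sysmon-style events and return findings by category.

    Each event is a dict with "id" (1 = process create, 13 = registry SetValue)
    and the Sysmon field names used below (assumed shape, not a real log format).
    """
    by_pid = {e["ProcessId"]: e for e in events if e["id"] == 1}
    findings = defaultdict(list)
    for e in events:
        if e["id"] == 1:
            image, parent = e["Image"], by_pid.get(e.get("ParentProcessId"))
            if GUID_EXE_IN_WINDOWS.match(image):
                findings["guid_exe_in_windows"].append(image)
                # one GUID-named stage launching the next: the dropper chain itself
                if parent and GUID_EXE_IN_WINDOWS.match(parent["Image"]):
                    findings["dropper_chain"].append((parent["Image"], image))
            m = SELF_DELETE.search(e.get("CommandLine", ""))
            if m and parent and resolves_to(m.group("target"), parent["Image"]):
                findings["parent_self_delete"].append(parent["Image"])
        elif e["id"] == 13 and ACTIVE_SETUP.search(e["TargetObject"]):
            if GUID_EXE_IN_WINDOWS.match(e["Details"]):
                findings["active_setup_stubpath"].append(e["Details"])
    return dict(findings)


# Constructed sample: a slice of the tree above (PIDs and paths from the report),
# plus an assumed Active Setup write and a benign control process. The key name
# under Installed Components is an assumption; the report counts the Active Setup
# IoCs but does not show which key was written.
T = r"C:\Users\Admin\AppData\Local\Temp\0d267e230e2351bada78c3bf62667570N.exe"
S1 = r"C:\Windows\{3FABFFEF-9565-4d9c-A91F-BAF8A063C1B7}.exe"
S2 = r"C:\Windows\{97C92693-1963-4b18-9547-CC8A4106E39F}.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SAMPLE_EVENTS = [
    {"id": 1, "ProcessId": 3316, "ParentProcessId": 100, "Image": T, "CommandLine": f'"{T}"'},
    {"id": 13, "ProcessId": 3316, "Details": S1,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components"
                     r"\{3FABFFEF-9565-4d9c-A91F-BAF8A063C1B7}\StubPath"},
    {"id": 1, "ProcessId": 4332, "ParentProcessId": 3316, "Image": S1, "CommandLine": S1},
    {"id": 1, "ProcessId": 3064, "ParentProcessId": 3316, "Image": CMD,
     "CommandLine": r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0D267E~1.EXE > nul"},
    {"id": 1, "ProcessId": 4972, "ParentProcessId": 4332, "Image": S2, "CommandLine": S2},
    {"id": 1, "ProcessId": 2268, "ParentProcessId": 4332, "Image": CMD,
     "CommandLine": r"C:\Windows\system32\cmd.exe /c del C:\Windows\{3FABF~1.EXE > nul"},
    {"id": 1, "ProcessId": 5555, "ParentProcessId": 100, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for category, hits in analyze(SAMPLE_EVENTS).items():
        print(f"{category}: {hits}")
```

Two points to keep in mind when turning this into a production rule. First, every dropped stage in the Downloads section below is 90KB but carries a different MD5/SHA256, so the file hashes are per-run artefacts and the behaviour (GUID-named file in C:\Windows, parent deleted by 8.3 name, Active Setup StubPath write) is the stable thing to hunt on. Second, the command line says `C:\Windows\system32\cmd.exe` while the image that ran is `C:\Windows\SysWOW64\cmd.exe`: that is WOW64 file system redirection for a 32-bit process, so match on the resolved image path, not the literal string in the command line.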

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\{254A76F7-B1B2-44f5-92E7-B4E9480B3767}.exe

    Filesize

    90KB

    MD5

    641653c8d3d40a6da5aa04f7ad9c7ea4

    SHA1

    342407eebbf67c96410ff01a2f63809ace03ffda

    SHA256

    eb401ec0aa3a7fdbc6d1aecb53c7cc93d5fffef12fc688a0e6391b500f48a599

    SHA512

    fc4d80dd166ef55be9985700cc2bc2865c3b4570607e4895a68bbe1b7203227d5e0ddce4f17da4ae802dbd10836bdb8c244605c8f52bc53bc265766cada026cd

  • C:\Windows\{3FABFFEF-9565-4d9c-A91F-BAF8A063C1B7}.exe

    Filesize

    90KB

    MD5

    e3e191e6dd474ab1085c96bd9d1c4dcb

    SHA1

    55a6ce309ffa8a6a531ebe0a5f7891bd89a78a49

    SHA256

    331fa8ac8df98e5f922f735047c7658ddfb0351db581143892df27950225ed96

    SHA512

    09569a5443639e86487799392d96a4b5b1afb1200c0a159d94a795851cda556eca13e284f3d7ad0ba52944a7b7339bb382350b1305cf5db1e9284be0a5f6100c

  • C:\Windows\{6ED1C8D9-4FE0-456a-A303-E011A6169B6B}.exe

    Filesize

    90KB

    MD5

    5a01dd90562835927c1201fa785bfd1d

    SHA1

    2b4814ad10a412de721818e7e5bc651f26ee4a06

    SHA256

    72216f7fdf4de28acbe2b6cfc06f713d2847744251def3d88ad442971a270397

    SHA512

    b4784167b3fb4086ea88769306f06e915354b2790826cc9995f99f2b2e6829fa5660a9d06a24b4a48fe5ec54cc3e882c272ea931b3fad940c8218fcdb7e0a02a

  • C:\Windows\{73A29C1C-1DF1-4567-ACAD-90A82E618C63}.exe

    Filesize

    90KB

    MD5

    468bcd52cc0d2ac485635b275316b2d2

    SHA1

    5433dc5c322a1ce44f943af0043640d29851e86d

    SHA256

    044958f77b3edb77d16bed28b3dd023e0f20107ebbe8e78225420e0c2008ec36

    SHA512

    97f263c910aa70535be0cc28ce5a40e4f02118f40e48a9faf5de4bdcdf5f9b5df39756457f5d1b893998baaa732e2786ca4498abd9e7af9ee9476034ba21ffac

  • C:\Windows\{92680027-65BC-4051-8236-F5A064A517CF}.exe

    Filesize

    90KB

    MD5

    04ab5bd9494703e6d12225b691a645f4

    SHA1

    b0ef11466a87aaa3e7846df8633c93cc4c11df13

    SHA256

    0f7a9ceb2b89b7d0c19a9befc3b37ceebd166cce0d8176abb37d1f1118f7d202

    SHA512

    cf5d58da0403b2144c22ca145887bf2c5c0b61bf9671f5e21a6848b015073d09aec04e2f3bc56937f631d022d285e4550c87516de7c05a532d8bf3d96cdd2153

  • C:\Windows\{97C92693-1963-4b18-9547-CC8A4106E39F}.exe

    Filesize

    90KB

    MD5

    8b18e0a642958f902fa3bb57e2047696

    SHA1

    de334695f37b64a4c9e76d8df5852a3700da50fd

    SHA256

    6ca4fb18777b705fc3d9a4117f0d436e58fec58dc7914b67c3807183b84526b0

    SHA512

    f65f1587e265add4291b50db12189e9e15e3d859a8aed6297354470e398ac81c78eb3a771160ce15763b1c807b5ae274371b17f02f45914b4a57dd1d9731c3f5

  • C:\Windows\{A70138BF-CD4F-4c70-8EE7-5F210423C19F}.exe

    Filesize

    90KB

    MD5

    1ac342cb0e892cd9d7163038c64b1a3e

    SHA1

    cdaab3fa86e3f57a08a3465afce504a632600c44

    SHA256

    d61201f30e8c21bfad528e6bbade4e9efdceefac45a0ce28b462b8583dcbcc4f

    SHA512

    16b311f6e33d39dd06b517e9bec0dd80482bed2af856c5ec71b351cf5a794dae7cee68abf33d43865d01aa6874b033b8ccc54406dfb757ae3ad9a935a4a7cac1

  • C:\Windows\{C3F3CF7C-4B27-4bdd-B6B1-69E5A18D2508}.exe

    Filesize

    90KB

    MD5

    6f3f5d387a93db817d3ebfd379803828

    SHA1

    ae07937fbc44b85bb7d4b734145a78651a3d3b74

    SHA256

    29d38288feaa9c860b00bfd5a614746219f4557ee9468ac1f2f6f3e3ae86a720

    SHA512

    e51fe60eb4a76261af86206b1b8c85ee5b266dcaf1d230926ce8ca362ec7540c60610cee47b698d34c7a5a5637ba39a9dcbc737fab018047baf1f3ec2b8d9e48

  • C:\Windows\{F67B83C0-87A0-407f-9A8D-4E22BD7265D8}.exe

    Filesize

    90KB

    MD5

    0172a74d130e1d773c928006a869e8ff

    SHA1

    1aa278efa7933cd43e02bdf7c551c6dba30bc287

    SHA256

    b181c2ca9195dff66eeac829eec66d721756396595005ebf0b8b1de951e19d29

    SHA512

    f7d43816f557dd32d8299e45400bd359b0609eaab057a7167157ba5d6e7a6e5f64e368fb3b3b61e115f3f4d3435a72713ecec8690807bfad9ce8d16bccff011e