Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/09/2024, 20:51

General

  • Target

    d2bcbac35f41f5aded96daddeaf487c0N.exe

  • Size

    90KB

  • MD5

    d2bcbac35f41f5aded96daddeaf487c0

  • SHA1

    f964f199df20967753dabffa6a79cbd3a77cd084

  • SHA256

    a760075e88412733791beff8544b0fa177922633adf2a95e26c0c5ba0044bef7

  • SHA512

    5a904cee1a5b60947574b217ca899d9b6857a3c56e679ef66fa858c44af7be733148ee0fad888cbd195380521de78e1bf38a49dd950df27a5dee7a18a8df3ed3

  • SSDEEP

    768:Qvw9816vhKQLroO4/wQRNrfrunMxVFA3b7glw:YEGh0oOl2unMxVS3Hg

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 18 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself (1 IoCs)
  • Executes dropped EXE (9 IoCs)
  • Drops file in Windows directory (9 IoCs)
  • System Location Discovery: System Language Discovery (1 TTPs, 19 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (9 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\d2bcbac35f41f5aded96daddeaf487c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d2bcbac35f41f5aded96daddeaf487c0N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3004
    • C:\Windows\{96BFE688-B02D-427c-A983-62B159817E01}.exe
      C:\Windows\{96BFE688-B02D-427c-A983-62B159817E01}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Windows\{24877D61-2D4F-4dd3-89C8-B319F525CB8A}.exe
        C:\Windows\{24877D61-2D4F-4dd3-89C8-B319F525CB8A}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2572
        • C:\Windows\{CD96376B-B7AE-46fa-9270-B894A3D26ED9}.exe
          C:\Windows\{CD96376B-B7AE-46fa-9270-B894A3D26ED9}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2760
          • C:\Windows\{D93EE03E-D070-46dc-B2AF-E33B42EEF0C9}.exe
            C:\Windows\{D93EE03E-D070-46dc-B2AF-E33B42EEF0C9}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2820
            • C:\Windows\{07C526AF-0FB0-4010-9E90-F5E3137A1D8D}.exe
              C:\Windows\{07C526AF-0FB0-4010-9E90-F5E3137A1D8D}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2648
              • C:\Windows\{E03D7939-81F0-4169-B7BB-5BA538E44460}.exe
                C:\Windows\{E03D7939-81F0-4169-B7BB-5BA538E44460}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1928
                • C:\Windows\{99F45009-CA36-47c6-9EAC-CD662B59EE3D}.exe
                  C:\Windows\{99F45009-CA36-47c6-9EAC-CD662B59EE3D}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1620
                  • C:\Windows\{FFC6E689-4FE9-4600-92B0-0DF07FF585C5}.exe
                    C:\Windows\{FFC6E689-4FE9-4600-92B0-0DF07FF585C5}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1232
                    • C:\Windows\{54D2FF4A-D197-4ae2-B12E-32BD101CED31}.exe
                      C:\Windows\{54D2FF4A-D197-4ae2-B12E-32BD101CED31}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:2244
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{FFC6E~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2848
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{99F45~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1372
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{E03D7~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2844
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{07C52~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1236
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{D93EE~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2208
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{CD963~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2880
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{24877~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2900
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96BFE~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3016
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D2BCBA~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2532
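The tree above shows the same pattern at every stage: a process drops a GUID-named copy of itself into C:\Windows, runs it, and then has a child cmd.exe delete the parent's own image through its 8.3 short name (`del C:\Windows\{96BFE~1.EXE > nul`), while the Signatures section flags Active Setup as the persistence mechanism. The Python below is an added example written for this page, not tria.ge's own code, that turns those two behaviours into detection logic over constructed telemetry shaped like the tree. The event field names are assumptions, the benign control events are made up, and the Active Setup location it checks (`Installed Components\{GUID}`, value `StubPath`) is the standard mechanism behind the technique rather than a key the report itself shows being written.

```python
import re

# Constructed sample telemetry (not from the original report): process-creation
# records shaped like the tria.ge process tree above, plus two registry-set
# records. The field names ("type", "pid", "ppid", "image", "cmdline", "key",
# "value", "data") are assumptions, as are the benign control entries.
EVENTS = [
    {"type": "process", "pid": 3004, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\d2bcbac35f41f5aded96daddeaf487c0N.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\d2bcbac35f41f5aded96daddeaf487c0N.exe"'},
    {"type": "process", "pid": 2692, "ppid": 3004,
     "image": r"C:\Windows\{96BFE688-B02D-427c-A983-62B159817E01}.exe",
     "cmdline": r"C:\Windows\{96BFE688-B02D-427c-A983-62B159817E01}.exe"},
    {"type": "process", "pid": 2532, "ppid": 3004,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D2BCBA~1.EXE > nul"},
    {"type": "process", "pid": 2572, "ppid": 2692,
     "image": r"C:\Windows\{24877D61-2D4F-4dd3-89C8-B319F525CB8A}.exe",
     "cmdline": r"C:\Windows\{24877D61-2D4F-4dd3-89C8-B319F525CB8A}.exe"},
    {"type": "process", "pid": 3016, "ppid": 2692,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Windows\{96BFE~1.EXE > nul"},
    # Benign control (constructed): a build script cleaning up a log file.
    {"type": "process", "pid": 4100, "ppid": 1000,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Temp\build.log"},
    # The report only says a key was added to Active Setup; StubPath under
    # Installed Components is the standard mechanism, assumed here.
    {"type": "registry", "pid": 2692,
     "key": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{96BFE688-B02D-427c-A983-62B159817E01}",
     "value": "StubPath",
     "data": r"C:\Windows\{96BFE688-B02D-427c-A983-62B159817E01}.exe"},
    # Benign control (constructed): an OS component whose StubPath is a system binary.
    {"type": "registry", "pid": 900,
     "key": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-1111-2222-3333-444444444444}",
     "value": "StubPath",
     "data": r"C:\Windows\system32\regsvr32.exe /s /n /i:U shell32.dll"},
]

GUID = r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}"
# A bare GUID-named executable directly in %WINDIR% (not System32/SysWOW64).
GUID_EXE_IN_WINDIR = re.compile(r"^[A-Z]:\\Windows\\" + GUID + r"\.exe$", re.I)
# "cmd.exe /c del <8.3 short name>.EXE > nul": the self-delete shape in the tree.
DEL_SHORTNAME = re.compile(r"cmd\.exe\s+/c\s+del\s+(?P<path>\S+~\d+\.EXE)\s*>\s*nul", re.I)
ACTIVE_SETUP = re.compile(
    r"^HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\" + GUID + r"$", re.I)


def short_name_prefix(path):
    """First six characters of the basename, upper-cased: the part of a Windows
    8.3 short name that precedes '~N'. Heuristic only: 8.3 generation also drops
    spaces and illegal characters, which the names in this tree do not contain."""
    return path.rsplit("\\", 1)[-1][:6].upper()


def guid_exe_processes(events):
    """PIDs of processes whose image is C:\\Windows\\{GUID}.exe."""
    return [e["pid"] for e in events
            if e["type"] == "process" and GUID_EXE_IN_WINDIR.match(e["image"])]


def self_deletions(events):
    """(cmd_pid, parent_pid) pairs where a child cmd.exe deletes the image of
    its own parent via an 8.3 short name, as every stage in the tree does."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for e in events:
        if e["type"] != "process":
            continue
        m = DEL_SHORTNAME.search(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if m and parent and short_name_prefix(m.group("path")) == short_name_prefix(parent["image"]):
            hits.append((e["pid"], e["ppid"]))
    return hits


def active_setup_stubpaths(events):
    """Active Setup StubPath values that point at a GUID-named exe in %WINDIR%,
    or that were written by a process which itself runs from such an image."""
    suspicious_pids = set(guid_exe_processes(events))
    hits = []
    for e in events:
        if e["type"] != "registry" or not ACTIVE_SETUP.match(e["key"]) \
                or e["value"].lower() != "stubpath":
            continue
        if GUID_EXE_IN_WINDIR.match(e["data"].strip('"')) or e["pid"] in suspicious_pids:
            hits.append(e["key"])
    return hits


if __name__ == "__main__":
    print("GUID-named exes:", guid_exe_processes(EVENTS))
    print("self-deletions:", self_deletions(EVENTS))
    print("Active Setup StubPath hits:", active_setup_stubpaths(EVENTS))
```

The self-deletion check deliberately ties the deleted short name back to the parent's image rather than alerting on every `cmd /c del`, which is common in installers and build scripts. One further observation the tree supports: the command lines say `system32\cmd.exe` but the images are `SysWOW64\cmd.exe`, which is WOW64 file-system redirection on this x64 image and tells you each stage is a 32-bit process.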

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\{07C526AF-0FB0-4010-9E90-F5E3137A1D8D}.exe

    Filesize

    90KB

    MD5

    e4ec3e349427784070315fcadfc7f671

    SHA1

    f42cc2f17b1d1a5684ab5a0fdea508e0bc7dd164

    SHA256

    a4eb48baafe584622cb6e1c6735b3ecc9507e998ec9b4be0b7efe7d6c73f3b1b

    SHA512

    ccad4e3e0b00f08a23c3ce3ca7629834bee976fb6e9cc988a70f0f347c28a4ee1e8fadea7b8111e51714fd6a904ae4ce29b5ea29b4271e5dac7ed89e8e53dbc5

  • C:\Windows\{24877D61-2D4F-4dd3-89C8-B319F525CB8A}.exe

    Filesize

    90KB

    MD5

    3b0142dec494f29ab45e98c504879b9d

    SHA1

    b3b6be2625353feb7229f47f102c7c0f293686a7

    SHA256

    785b00424706fca00f18e81f0bea718e3c469810fef3ad83c9cdbc50f1138292

    SHA512

    72f352f43e88e00f289331c766e9d138e9b581b6c76953497cf922b02c4811968f4671f622c135d6bb6e609728fbc03ad801df24388abad8e3f1f62a17ff0aa2

  • C:\Windows\{54D2FF4A-D197-4ae2-B12E-32BD101CED31}.exe

    Filesize

    90KB

    MD5

    7da166f96f635bd2dba13ff13391f922

    SHA1

    ab313aad62bcd3d194baf6126535ef98be26095e

    SHA256

    0c1b421a58e19b9a99d43aceaa7c168fa01dc1a2ed305ab889449a036e4a4af4

    SHA512

    44577015e75426d16c7a897c22cf90fa8f339d75816f19bebaa13f7006b7d7211ad05802cbb9b30188923a36a69959ca13101427e47a5f82c547860163e01ca6

  • C:\Windows\{96BFE688-B02D-427c-A983-62B159817E01}.exe

    Filesize

    90KB

    MD5

    26f881814e9df3f255354e8bcd43d619

    SHA1

    634c4e17757b4914267968ff7a3f86d351a4a48b

    SHA256

    28c1390bedd4fb206ae9a9dce99a175660cdaa1aa1a4aa82b9c9410c64de1d35

    SHA512

    e1237b965f51fc1f8008a166b6568bee5e5eda24f02ebee34cdbe3519aad48d639ddd4dd3e6a7d2d042310d45d253d3c5360539f8a69c7bc580a12d721944620

  • C:\Windows\{99F45009-CA36-47c6-9EAC-CD662B59EE3D}.exe

    Filesize

    90KB

    MD5

    70512f4e2073bbb9702997456a325866

    SHA1

    f5c862d5a5d84d78af35559e943d113957318ffc

    SHA256

    6722b3511acfb457c1ae0e277025daf84078ba832298bb07ad9485664cebd589

    SHA512

    5f24ce13cfa4c6aba7f6ee105f70c9a9e201cde8308b5d5f21468a840662e8ec145918421994c1c7032c1127b117d92fc40525dd77d6244f2a366aa44279bdaa

  • C:\Windows\{CD96376B-B7AE-46fa-9270-B894A3D26ED9}.exe

    Filesize

    90KB

    MD5

    ab98cbc1df2fe02e4c1638472a89843a

    SHA1

    fa88f525326cd5e5214b1ef6fbd0a081c9aaec4b

    SHA256

    b7bc2e79f0717896f08ac9d82d9e10fe74ecfb85ab1748a9bf786ba7c97ec424

    SHA512

    aac9a30d97a468d693304345f90e3998ae87a942da059c47e2e5f531952238d914c8871d06526ad8009cdf697bbde9ac40ce89b7c061d06978e579649c856ece

  • C:\Windows\{D93EE03E-D070-46dc-B2AF-E33B42EEF0C9}.exe

    Filesize

    90KB

    MD5

    275062a6c6d752f29d1005ed4383728d

    SHA1

    7636dd20a5f425326a40b150246aa2d5e2bd60b3

    SHA256

    585953b529a2fa228ac98f5a321a9c9f8589743c4d929ad47c857bea301d5f2a

    SHA512

    34d5b10f88d927da1141bf695fffd03c54d5f6c71a0635ba1455237550f46a070a84facec030d805a7e401f1e71b830580396520f2f6fac021dd345eabd7f23e

  • C:\Windows\{E03D7939-81F0-4169-B7BB-5BA538E44460}.exe

    Filesize

    90KB

    MD5

    083ebb30934c4b046dcaf54e19c91a0e

    SHA1

    b3e031ff0e8f1f7aaa19cfbe544f9477e61bbce2

    SHA256

    860c43cb73b37d2c2417acc193f9c348cce0f5c60f82278df8b256852e375058

    SHA512

    166ad62f6b3ae978cbb6c3015b804541aa0bf60a4c36ca627095c55d3dcb59cd115a17a26d1cfa6a29f96131fea8c2fcd95e3a93f013e8756f08a42000738b19

  • C:\Windows\{FFC6E689-4FE9-4600-92B0-0DF07FF585C5}.exe

    Filesize

    90KB

    MD5

    0c64ab66636263cf0039384bbd8d0442

    SHA1

    202be29132c89bf004d480e379a0f6423f7fd35e

    SHA256

    a33c5bfd7ece5a9841be3210a7403390fcce95cd47bece2e3328c937064b5d1e

    SHA512

    622055597b129f9c40bd6852dc2dd475e3242b78c6fd7ce2e4bcad1da3307ef505b469cc8002d14ac6906219c05d73b0947eb8f6c41f13af0026aab4a90a2b6f