Analysis

  • max time kernel
    118s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/09/2024, 20:51

General

  • Target

    d2bcbac35f41f5aded96daddeaf487c0N.exe

  • Size

    90KB

  • MD5

    d2bcbac35f41f5aded96daddeaf487c0

  • SHA1

    f964f199df20967753dabffa6a79cbd3a77cd084

  • SHA256

    a760075e88412733791beff8544b0fa177922633adf2a95e26c0c5ba0044bef7

  • SHA512

    5a904cee1a5b60947574b217ca899d9b6857a3c56e679ef66fa858c44af7be733148ee0fad888cbd195380521de78e1bf38a49dd950df27a5dee7a18a8df3ed3

  • SSDEEP

    768:Qvw9816vhKQLroO4/wQRNrfrunMxVFA3b7glw:YEGh0oOl2unMxVS3Hg

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d2bcbac35f41f5aded96daddeaf487c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d2bcbac35f41f5aded96daddeaf487c0N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1856
    • C:\Windows\{D37BCBBE-F024-4609-954C-5A6B14E4F11A}.exe
      C:\Windows\{D37BCBBE-F024-4609-954C-5A6B14E4F11A}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3448
      • C:\Windows\{8B6D2975-B05E-4c87-93CD-B37E563C7150}.exe
        C:\Windows\{8B6D2975-B05E-4c87-93CD-B37E563C7150}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1508
        • C:\Windows\{971D40B8-40E3-4828-B4C1-55715383594E}.exe
          C:\Windows\{971D40B8-40E3-4828-B4C1-55715383594E}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2080
          • C:\Windows\{5EDC0EAE-FCEB-4fc6-B648-C1B84AA3E57A}.exe
            C:\Windows\{5EDC0EAE-FCEB-4fc6-B648-C1B84AA3E57A}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4888
            • C:\Windows\{393E88D3-424D-4a9d-9E9F-2C27CF26BCE9}.exe
              C:\Windows\{393E88D3-424D-4a9d-9E9F-2C27CF26BCE9}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3924
              • C:\Windows\{513035A0-E850-419c-83CA-62CAA69DC258}.exe
                C:\Windows\{513035A0-E850-419c-83CA-62CAA69DC258}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4476
                • C:\Windows\{88816DC5-F164-4be2-AE4E-4C453956F9F1}.exe
                  C:\Windows\{88816DC5-F164-4be2-AE4E-4C453956F9F1}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3324
                  • C:\Windows\{99324E4A-CB86-4686-BCC8-D942ED1E99D3}.exe
                    C:\Windows\{99324E4A-CB86-4686-BCC8-D942ED1E99D3}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4272
                    • C:\Windows\{1D2727A0-F244-4eed-8429-CE4C3A53FF88}.exe
                      C:\Windows\{1D2727A0-F244-4eed-8429-CE4C3A53FF88}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:2484
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{99324~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4472
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{88816~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3096
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{51303~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4448
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{393E8~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2784
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{5EDC0~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:548
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{971D4~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4344
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{8B6D2~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1644
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D37BC~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2584
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D2BCBA~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1452

Network

Downloads

  • C:\Windows\{1D2727A0-F244-4eed-8429-CE4C3A53FF88}.exe

    Filesize

    90KB

    MD5

    d32c26683273d6f6ca3b6a40fb9a76c0

    SHA1

    c99448228f2800490f1b744e167d1ef0c5f2576d

    SHA256

    51211057654fd81733af77f9e6ddb18c0f31bb34a8807cf62715b84c34533a62

    SHA512

    7454246fcbfdb9e18965badf5a82c75f2cec46964a3f87310142ecd909fcfdbfbce55422d7c7756bed343464238d3d88cb49f48f7d2c0ba113461cc56ebb75ef

  • C:\Windows\{393E88D3-424D-4a9d-9E9F-2C27CF26BCE9}.exe

    Filesize

    90KB

    MD5

    f5cd71a21f725206030756920440c4e9

    SHA1

    44eebb2eb506d501c88d49939cdbb2fd1f7b9695

    SHA256

    6b62dd99f20d1270fef1dae1669abb39165d4a66a54d5ea068cf7c26aefc0617

    SHA512

    5ce959ee2ec3daedbf42893ded7f3856fd75c3aa0062a207c711c704975d72e4a6873fb357ee8993b62539d1b119cce34724f0a12c4621a6fadac5f0836ddf44

  • C:\Windows\{513035A0-E850-419c-83CA-62CAA69DC258}.exe

    Filesize

    90KB

    MD5

    9e786c84bb4cf4fd62a8cb891b016600

    SHA1

    f601838d3555eb093514d0d30257056b615d0a43

    SHA256

    4df26e700df51cece20d94459fdeb56ac94ef1337ab9979ba9792f20504ed79c

    SHA512

    43b6dd8b104d53f70b034cfd734539baaf1be1ccc750e6db3d38b2f70b2a2dcbe6f486aea5c23b45a56046c7c77694def36ccc238982bf7adf31b7755b8bec66

  • C:\Windows\{5EDC0EAE-FCEB-4fc6-B648-C1B84AA3E57A}.exe

    Filesize

    90KB

    MD5

    4bf4c8cef30e382ccbef473c43e53f41

    SHA1

    d2e8b37c451688ed237b77fde6945bdb0291ddb7

    SHA256

    74abe758d5f62acc667f4865ef10e4862455f042828bf029b6a45ad20a92fbc5

    SHA512

    c57b785fce6cc2beff79b954673f6dada86b5fa6dec63f6e5a3af6719fab90a4b74f79fbb25a72703b1637f636d77076a4591a6c00f5a97720726ba10b3a15d6

  • C:\Windows\{88816DC5-F164-4be2-AE4E-4C453956F9F1}.exe

    Filesize

    90KB

    MD5

    2de65161648d7aabb55ff37f036ee9de

    SHA1

    01b9daf1d51e9a3889f81eb47f8944fb7183a6ac

    SHA256

    52a09fcaf9aed31124f21df65ddb819ca332b55f4ca673f36d437914f8945d6e

    SHA512

    f31f32775101a7b8d65997083eaf949d8d3ab31ab74c12f925c298ad2dab3f873ec696508af6a29cf9efa365f88774503e162d12f42ed89eed603b4a916816fe

  • C:\Windows\{8B6D2975-B05E-4c87-93CD-B37E563C7150}.exe

    Filesize

    90KB

    MD5

    24c0f973032df1e67dd009d970ee91af

    SHA1

    56cc495bdf5320a9b2ae5d1aaf3b7b5b2b3ee101

    SHA256

    a3cf1d4c88d848f018fed595ba14505aad634eb786200f6aaac1c9b1de42144d

    SHA512

    47acdbccf2ec674345c9785d381f13174c69e43e6c7107f4e60cb2460e7939896e09c6326f0f82bff9ab11b87b3a478f721bb8f97818bad64b9b1720f1ac334d

  • C:\Windows\{971D40B8-40E3-4828-B4C1-55715383594E}.exe

    Filesize

    90KB

    MD5

    1150b7e13d940c9169ff35c517c4a4b5

    SHA1

    c9aa2979055d7a136aa2b66a049e5f6c75e80ec0

    SHA256

    e2c6e058f2b1271f86d24af288ff45911af4048f9dfa27499dea69a07ef7eadf

    SHA512

    e45bd99dbc64935083595f952b16b669220836a5c65b66343e26e179e227471ee46d13efc417575b8d5ed0492e995fab8010799c5b26d1fdec074809ed665f00

  • C:\Windows\{99324E4A-CB86-4686-BCC8-D942ED1E99D3}.exe

    Filesize

    90KB

    MD5

    23e61876e1c535933368334a24d1d3f2

    SHA1

    fb14339e4d455ef39fc1d657552a0d31d6acae89

    SHA256

    881ac4ccaa17ca5534cc9fac2210931888f219e0729af46e3923e3430d7683e4

    SHA512

    e1ed2232a8f59d12608ec6c9c9a09c902e7df6a2e80d171e924a08158e76fd802611ba83dd8851d0e3702182f5d5b68d25a69fa633989d98e0884375e3f7fa42

  • C:\Windows\{D37BCBBE-F024-4609-954C-5A6B14E4F11A}.exe

    Filesize

    90KB

    MD5

    f0aca8a66c84309694f15867b9a2a971

    SHA1

    dbc51c9547fa682a0a43b848d1f170416b166310

    SHA256

    3a2de092260c48bcac8e4fbb5892443c294a2c8eb03e7d9d241e0a65f076b21d

    SHA512

    0f58c8e943aae87f5ff69dc1272aed4afe25774d42c46bf571dd8278f35c757ca9ef7c9d5aa7a6f1d084b81c8d9fb7d4cec4f2cd7734a61f6af8d50c86aa389c