Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

efa16d4fe3...0N.exe

windows7-x64

8

efa16d4fe3...0N.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    118s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/09/2024, 02:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    efa16d4fe3e1d09cf2fbde61533a54f0N.exe

  • Size

    64KB

  • MD5

    efa16d4fe3e1d09cf2fbde61533a54f0

  • SHA1

    8242770a1c6bba119c32c6ea3edaed0b401a90e9

  • SHA256

    5f251260a5c406ac446459cd515c78f6f769aa396c3252ca0858516a5335c24d

  • SHA512

    ef5cc9f41662c14cba96b0a765f569486f2dff5f77286232eb6675a70ad26508a51012bc3bf6093807678d6838f16987d6d58338138354357e182930a1ea6d1e

  • SSDEEP

    384:ObLwOs8AHsc42MfwhKQLroI4/CFsrdHWMZE:Ovw981EvhKQLroI4/wQpWMZE

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\efa16d4fe3e1d09cf2fbde61533a54f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\efa16d4fe3e1d09cf2fbde61533a54f0N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3916
    • C:\Windows\{6EF00F8A-143A-44ba-B387-A35284E95BC3}.exe
      C:\Windows\{6EF00F8A-143A-44ba-B387-A35284E95BC3}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2212
      • C:\Windows\{382AD308-31D8-475d-8DCE-3F543FDB84A5}.exe
        C:\Windows\{382AD308-31D8-475d-8DCE-3F543FDB84A5}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3476
        • C:\Windows\{78F55CA7-C526-43a6-B68C-804009DE39E8}.exe
          C:\Windows\{78F55CA7-C526-43a6-B68C-804009DE39E8}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3104
          • C:\Windows\{BFCCC500-9FC7-4846-95E5-B96ACD299CAC}.exe
            C:\Windows\{BFCCC500-9FC7-4846-95E5-B96ACD299CAC}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2584
            • C:\Windows\{0D657F38-1FB6-40fa-A0A4-FA006874B9DF}.exe
              C:\Windows\{0D657F38-1FB6-40fa-A0A4-FA006874B9DF}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3820
              • C:\Windows\{02C13B47-CBBC-4498-8860-AFB125038727}.exe
                C:\Windows\{02C13B47-CBBC-4498-8860-AFB125038727}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4564
                • C:\Windows\{6CD11CB9-40B5-4cb9-AC24-15C7996834E1}.exe
                  C:\Windows\{6CD11CB9-40B5-4cb9-AC24-15C7996834E1}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4428
                  • C:\Windows\{E1979A8A-8CE1-45f4-AB9B-3E5AA59E03E7}.exe
                    C:\Windows\{E1979A8A-8CE1-45f4-AB9B-3E5AA59E03E7}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4036
                    • C:\Windows\{8E340952-82B7-4262-90C6-82730E175987}.exe
                      C:\Windows\{8E340952-82B7-4262-90C6-82730E175987}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:4068
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{E1979~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:3272
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{6CD11~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:640
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{02C13~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4364
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{0D657~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3684
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{BFCCC~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3744
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{78F55~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3236
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{382AD~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3256
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6EF00~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3576
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\EFA16D~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:448

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\{02C13B47-CBBC-4498-8860-AFB125038727}.exe
    Filesize

    64KB

    MD5

    f63a52fccd0025868f764fe4cbefd588

    SHA1

    750b7a1901079de46f1b95babf527ef9cf03a3a4

    SHA256

    fca40b6baf529a4529f48ab2dd610178156ce4f43e56215bea04e649f6be1f31

    SHA512

    f104b7e5315efefda7d3373adbf074117f7262874b6840a4624971197c7383b0001fa1fafaf3414b4ea2337101d2581e9d7663e4182a6e92dccda982120d9b25

    Download Submit

  • C:\Windows\{0D657F38-1FB6-40fa-A0A4-FA006874B9DF}.exe
    Filesize

    64KB

    MD5

    bd5c01afe71555e5f91f317d3d689e26

    SHA1

    5cdf82d488b38863c9f139e5045bee2927c97ade

    SHA256

    c581e18e6fbdeac1b87e13b2f69bdeffe311b8b363b1a446313392390421b4d4

    SHA512

    018917969b1a1810eda3e39c58b2339ca0caa0bfa8cc1add5935d52805a0363eb6df59854744318dc89513da73a58cc984380eef2429022ed9be6d8f3d0027c4

    Download Submit

  • C:\Windows\{382AD308-31D8-475d-8DCE-3F543FDB84A5}.exe
    Filesize

    64KB

    MD5

    ba83b303cb8e07df683321fa01ee0a88

    SHA1

    962b4da931beb558827bd8b6038bf99aac0365ac

    SHA256

    7c74d0c178075530f11e32a123b3256db64cf415c1c3390185144927847bba3b

    SHA512

    73dd7321a8c524ae1b89e5460a037456fd6d52f9ad8a9594df5e74ca3e001abcf553e907dbd1785b400ad81d158eb3055658538008c380c689852b554789e5d8

    Download Submit

  • C:\Windows\{6CD11CB9-40B5-4cb9-AC24-15C7996834E1}.exe
    Filesize

    64KB

    MD5

    6ed701142a567803304b1493c50b5d69

    SHA1

    0c23fba3b4fe161d03b3ba3cf5650ce78c3cfdb4

    SHA256

    dba1f610e5acd64bbe54e4f361dd929eafe2eb6e172b90ce1f9c7c593822430a

    SHA512

    0958ffbd084c66a1ae04273a280197df56e70473d7789593f759dc2f71c461d5c58ce1ef112d397cc1deb4c4debb0372a38fd21d6afccbb04995a56b4a771210

    Download Submit

  • C:\Windows\{6EF00F8A-143A-44ba-B387-A35284E95BC3}.exe
    Filesize

    64KB

    MD5

    5cbd2a9d35960f6077e6b5cb2e8bc81a

    SHA1

    5c9eb4f0d9d75b7d6b089f5a3982958b5df6e6d1

    SHA256

    8b030877a9eaf15c7b0ee0a3fa08cc97b6f8690e6dfc36cf64e95a3c6a7ec90e

    SHA512

    8775ea6a53d68aaf015e4ca4de1d1db960b09fd9955ab2b71022fb0d6e79b6bdfacb4525196ed784371b64c010850a082cc70eba7f335ffb3e5d51ec318eed4f

    Download Submit

  • C:\Windows\{78F55CA7-C526-43a6-B68C-804009DE39E8}.exe
    Filesize

    64KB

    MD5

    923020af122998c4a547eeb610881bfd

    SHA1

    37833c5d4346ad7c5e91f77b8c1e3feab025680f

    SHA256

    40ce163c9d40c3449c574851cf41e5333c9a44f14bdba56053393f5429cd7bd4

    SHA512

    e1d5efc88b1e94887f098eb44f0897e7a4dae00aeef92aaaa874b2e7483af8a679c9d93f468ffd89f40709e42c868615a0ca104867cc66bf945b9335ffedfd65

    Download Submit

  • C:\Windows\{8E340952-82B7-4262-90C6-82730E175987}.exe
    Filesize

    64KB

    MD5

    41e20ee32ae8762e48a1424a2d671c97

    SHA1

    f53ce762c14fe050ea96b0d3132fde798f05eb40

    SHA256

    04345a6eaf70f2bba14bddbb9f346018d05ddf6c8df8014c8431df05a236996f

    SHA512

    fc65fdecb3d6af330bafa0066d96ac6506eac42f92004b0f22bfc36d63b435d96e7215ecba70ef647e747b1cb601e0edcb5d4b3a69ff2c8ea2f391bc5c6839c1

    Download Submit

  • C:\Windows\{BFCCC500-9FC7-4846-95E5-B96ACD299CAC}.exe
    Filesize

    64KB

    MD5

    2b4870e5c7fd06076a5a9b828b0da337

    SHA1

    f11d91e46bb0e374387fc1ff56b83171af3e7e1b

    SHA256

    a2fd602adbbe7f0c3ac5667eebed76f08268339c67e871263457713dcec843a3

    SHA512

    44e9fa9ae73671e122fa82c89a9ec017d17a38f1fb94c5da526ab82c8537960d96a007ad9fd0a219ac6ad50912fe50e9477f6cb3656d5ee4ec91f8a77b6b42c2

    Download Submit

  • C:\Windows\{E1979A8A-8CE1-45f4-AB9B-3E5AA59E03E7}.exe
    Filesize

    64KB

    MD5

    9c6b1de6bf42e36e2f818f0bc8533ed5

    SHA1

    b114a3d7ffbe7550a35d40dde18e99b90ada458f

    SHA256

    8741a17294114ff1139c0d4a72157642cd175f5d60aaab78de7ce27e23c1cca6

    SHA512

    5294e771b632560aa0eedcfa729f13761ca1f1fa073c0847d6769c6f4f1f1dde04af0cac7707d3c4b92bcc4c4b2551b20b60172a501151408237dd127099d6bb

    Download Submit

  • memory/2212-11-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2212-5-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2584-30-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2584-25-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3104-23-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3104-20-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3476-13-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3476-14-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3476-18-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3820-36-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3820-31-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3916-0-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3916-7-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3916-1-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4036-49-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4036-53-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4068-55-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4428-44-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4428-48-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4564-38-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4564-42-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download