Analysis

  • max time kernel: 118s
  • max time network: 119s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 19/09/2024, 18:02

General

  • Target: f3950599eb050afe282c46fee597cfc7e4a72e4967f02014f77486aeb5beb6d1N.exe
  • Size: 89KB
  • MD5: 9a358d41e5ef8bf9d0c9dbd12a166b60
  • SHA1: ce805212f5f2432fb7966fee5fedeb2f6aebc3db
  • SHA256: f3950599eb050afe282c46fee597cfc7e4a72e4967f02014f77486aeb5beb6d1
  • SHA512: 96c189ada8508b92a9840e88618fe1d5c83ae78f04ac19627ef6c2195c03a9a221570a811449fc86f3054cc370103d9c29dab309dd1ddef63d281de9ddec42ad
  • SSDEEP: 768:Qvw9816vhKQLrou4/wQRNrfrunMxVFA3b7glL:YEGh0oul2unMxVS3Hg9

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 18 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (9 IoCs)
  • Drops file in Windows directory (9 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 19 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (9 IoCs)
  • Suspicious use of WriteProcessMemory (54 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\f3950599eb050afe282c46fee597cfc7e4a72e4967f02014f77486aeb5beb6d1N.exe
    "C:\Users\Admin\AppData\Local\Temp\f3950599eb050afe282c46fee597cfc7e4a72e4967f02014f77486aeb5beb6d1N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1308
    • C:\Windows\{EEA3C6C7-B6D3-4d51-ACC6-60A1C48189EC}.exe
      C:\Windows\{EEA3C6C7-B6D3-4d51-ACC6-60A1C48189EC}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4500
      • C:\Windows\{6E16E179-87C3-4b57-B2AA-0BAF6151307C}.exe
        C:\Windows\{6E16E179-87C3-4b57-B2AA-0BAF6151307C}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2296
        • C:\Windows\{0048C63F-E4E1-4d4c-9753-4F3EC00D27D2}.exe
          C:\Windows\{0048C63F-E4E1-4d4c-9753-4F3EC00D27D2}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1948
          • C:\Windows\{93EF97BB-3D80-445b-B827-25ECB79B6817}.exe
            C:\Windows\{93EF97BB-3D80-445b-B827-25ECB79B6817}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3532
            • C:\Windows\{500BF414-9A79-404f-AE16-0089AA0DCEA8}.exe
              C:\Windows\{500BF414-9A79-404f-AE16-0089AA0DCEA8}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2028
              • C:\Windows\{A6564ED2-F3E3-4cc7-A722-4D03FF672198}.exe
                C:\Windows\{A6564ED2-F3E3-4cc7-A722-4D03FF672198}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4520
                • C:\Windows\{D02E3F90-4851-4045-874A-C846BD500335}.exe
                  C:\Windows\{D02E3F90-4851-4045-874A-C846BD500335}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2328
                  • C:\Windows\{A10DD917-B47A-4cd6-9E14-035BDD1A94C3}.exe
                    C:\Windows\{A10DD917-B47A-4cd6-9E14-035BDD1A94C3}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1044
                    • C:\Windows\{BCD4A9B7-4F9C-4f9e-B810-8EF9B115118B}.exe
                      C:\Windows\{BCD4A9B7-4F9C-4f9e-B810-8EF9B115118B}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:396
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{A10DD~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1552
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{D02E3~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:5048
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{A6564~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3132
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{500BF~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3644
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{93EF9~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1332
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{0048C~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2012
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{6E16E~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2692
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EEA3C~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:808
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\F39505~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1908

Network

MITRE ATT&CK Enterprise v15

Downloads
