Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

5c8504addb...2N.exe

windows7-x64

8

5c8504addb...2N.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    119s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    01/10/2024, 03:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5c8504addb51ee4940a039fd4af5cdf50cc6a2bb98d218bce1932daa8c7a2762N.exe

  • Size

    89KB

  • MD5

    984808916af865a78d418efccb9d5190

  • SHA1

    061fca3a3542bad674cbaaaac5d4b0a4cc37169b

  • SHA256

    5c8504addb51ee4940a039fd4af5cdf50cc6a2bb98d218bce1932daa8c7a2762

  • SHA512

    45ba3d3b32af17f49e2ffe37077035b574edf1c63ef1e35f4dc7625cd86734d23f53e158303e5a3d187c2145f749b0a264291add13498242ebf400cb26a41ce2

  • SSDEEP

    768:5vw9816thKQLrovb4/wQkNrfrunMxVFA3k:lEG/0oDlbunMxVS3k

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5c8504addb51ee4940a039fd4af5cdf50cc6a2bb98d218bce1932daa8c7a2762N.exe
    "C:\Users\Admin\AppData\Local\Temp\5c8504addb51ee4940a039fd4af5cdf50cc6a2bb98d218bce1932daa8c7a2762N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Windows\{72E17C4C-59B7-47ee-9C8E-65833169CE4D}.exe
      C:\Windows\{72E17C4C-59B7-47ee-9C8E-65833169CE4D}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2500
      • C:\Windows\{0A8104DE-AF79-4446-ADBC-FB110867CF09}.exe
        C:\Windows\{0A8104DE-AF79-4446-ADBC-FB110867CF09}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3008
        • C:\Windows\{852D05C4-C828-4efd-A811-D231767A0FA3}.exe
          C:\Windows\{852D05C4-C828-4efd-A811-D231767A0FA3}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2568
          • C:\Windows\{24F37D9B-8733-4d23-9D7F-80BAE98DBFCE}.exe
            C:\Windows\{24F37D9B-8733-4d23-9D7F-80BAE98DBFCE}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1508
            • C:\Windows\{32A586C0-3CB9-4f90-A58B-DC75ABCB462C}.exe
              C:\Windows\{32A586C0-3CB9-4f90-A58B-DC75ABCB462C}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2896
              • C:\Windows\{9027BA76-8616-4c70-B1A8-3C552FB50698}.exe
                C:\Windows\{9027BA76-8616-4c70-B1A8-3C552FB50698}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1496
                • C:\Windows\{1E1755F6-3A83-48a5-B85B-AA22D46844B0}.exe
                  C:\Windows\{1E1755F6-3A83-48a5-B85B-AA22D46844B0}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1144
                  • C:\Windows\{48BE3D17-CC55-475c-BABD-0C6AAE4E4AF4}.exe
                    C:\Windows\{48BE3D17-CC55-475c-BABD-0C6AAE4E4AF4}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1984
                    • C:\Windows\{8942899C-27BF-4828-BAEB-8232B84734B2}.exe
                      C:\Windows\{8942899C-27BF-4828-BAEB-8232B84734B2}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:2236
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{48BE3~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2948
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{1E175~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1972
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{9027B~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2168
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{32A58~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2020
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{24F37~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2828
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{852D0~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:428
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{0A810~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2536
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72E17~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2656
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\5C8504~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1920

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\{0A8104DE-AF79-4446-ADBC-FB110867CF09}.exe
    Filesize

    89KB

    MD5

    fb9be8c7d314fd6edc7477faa950268b

    SHA1

    33d33339693b07c9f67b80db6e0cd1430fb263d9

    SHA256

    b7e111954719b732afe4983bc3bd373c78371dcc773a2f3e831c59a3f3a848ec

    SHA512

    95f1536695e0037312851a2ef1f1d77f2135f24c0625dbbe7ba2b3b82ec4c352e944a87542badc23d13966bc4e787f3a6e30dbed6bcf5ed05e97b15fc710548f

    Download Submit

  • C:\Windows\{1E1755F6-3A83-48a5-B85B-AA22D46844B0}.exe
    Filesize

    89KB

    MD5

    075cb7ffadb8cda08cad3992ed854391

    SHA1

    198616a33b5b72167404d3e8e6d22ef355fd7441

    SHA256

    54675531832419d34e743588301a108f27b494cb267299878c45e09e4491f048

    SHA512

    14322a911d33f57fde6042e5347fb4bd44cf472eef9f60540611579e361d797a2b7d207a3d198aa58b07738f17245f4290f6004e0c49d15062199731d8ab3924

    Download Submit

  • C:\Windows\{24F37D9B-8733-4d23-9D7F-80BAE98DBFCE}.exe
    Filesize

    89KB

    MD5

    25ee9c04a03b6120ae02b41b3f4a4696

    SHA1

    db8f9d55f0a43f9d1b6feec5b97737798a7d46fe

    SHA256

    da6568a4c09c87724226b921dd2690ebef23389d98bd2f3f953c8ed5488be4ea

    SHA512

    8488b1c980dc65250b0ed2e963740527fbfeb2ce93ecd31ed730697e8933597aa87df7daebf6442bf44c13aae92f5d5a80f528e777450aac3ef6b56ecc1cdc02

    Download Submit

  • C:\Windows\{32A586C0-3CB9-4f90-A58B-DC75ABCB462C}.exe
    Filesize

    89KB

    MD5

    443dc81f7a5ef32b606f7afc44ed3052

    SHA1

    8a4968896bc58ad8449f53e068528b8036da2981

    SHA256

    60a0c1649795cea525d42d24bd2341084a67d29da8d29826ece06bd5f536f588

    SHA512

    de556f7eabecb8c36bf2b862a5056b904860bd6af59c22acabcfb689d2501ea68270636871fafdcc726fff038d9e872c49e9dc78e5247adba1ea8d8f36f71bfc

    Download Submit

  • C:\Windows\{48BE3D17-CC55-475c-BABD-0C6AAE4E4AF4}.exe
    Filesize

    89KB

    MD5

    88d5e6ebdfa9d11eeb15a4e8842561e5

    SHA1

    eb1c8a237c34da2e422d6797ff093bf027271596

    SHA256

    3c509bdf76594fa88deb2625cbd51598efac05023941a87a59409c1b1ae3ccf5

    SHA512

    d845cc0be4cfec98e5d799f6508baf4ffa95198376b58f9ccbfb7e3499955f2a06a83a0abe787760da22312f11aef7f8b37d7663e395dc5480a0c1d92d8ae0ca

    Download Submit

  • C:\Windows\{72E17C4C-59B7-47ee-9C8E-65833169CE4D}.exe
    Filesize

    89KB

    MD5

    b27e1bd61f8a89ee943d457f22d72d12

    SHA1

    5fbf27d876e7b0c8e55fd924793b664642252072

    SHA256

    c92d5e958a517bfd12c3bd33c13575687657c40e1eca8669a40d94926f11a93e

    SHA512

    bda8fe4bbcf51a75c01da05eacfe472e988bf3133052ac0b4cbba0c0318d09f2ab0fc68fe0461ce6a0699945eb61bbb6a126183ba5374ec867a142586710c2c7

    Download Submit

  • C:\Windows\{852D05C4-C828-4efd-A811-D231767A0FA3}.exe
    Filesize

    89KB

    MD5

    ea795c5c454a4bd92d7c68cba57efa0b

    SHA1

    7f75bab52141bccb4bb1696691c9467121a06ab0

    SHA256

    db7de860e9b40db91a0bbd5f2ef7f537d9daaed8744b3d70e50367f653d08799

    SHA512

    380a7607613628c8a5008be909b818e8a279b0cdd4f5ca57d1fe6da0c98d8267714626353ec7e34e5813c0e4e3186d2812ba4234470b08c6fca53d990016a29e

    Download Submit

  • C:\Windows\{8942899C-27BF-4828-BAEB-8232B84734B2}.exe
    Filesize

    89KB

    MD5

    a444768bb49106a98230e098b295d39a

    SHA1

    8aa9ad9df175863578c633a889136b34d50b9a7e

    SHA256

    1d090fe4da5ecd7c6daba750db2311b00b3e20ed3176beaeda9c5cb2bb52b866

    SHA512

    7c667f332087d16bb4999d5a567e7301f4a82f9f0ddf8cab5e8bd2dcec9084eb0cdeae93fc089de9e723c90575245e92fb41c7182243d57d0ec2bdcd8da5908f

    Download Submit

  • C:\Windows\{9027BA76-8616-4c70-B1A8-3C552FB50698}.exe
    Filesize

    89KB

    MD5

    1156e2f520f0044ccf989c39827c9254

    SHA1

    095fbc9794427ecaa26a65cada12facc3bef1be2

    SHA256

    ae1abace3d2d09d3a81a12eb5a8e77fb98827b88490f44ae6f2bb309f8e7aa2f

    SHA512

    1eb3e1dfdaeb7fe2a36c2e84598bcca787fb8a88ec95cbe60711f93bb95b5e000758ebaf31dc80e19dd3da439d4cef473058fd69d4493e7af49fa6a6176135c3

    Download Submit

  • memory/1144-74-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1144-70-0x0000000000380000-0x0000000000391000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1496-66-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1496-61-0x0000000001BD0000-0x0000000001BE1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1496-57-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1508-45-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1508-41-0x00000000003E0000-0x00000000003F1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1984-83-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1984-76-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2500-13-0x0000000000460000-0x0000000000471000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2500-17-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2568-37-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2568-31-0x0000000000280000-0x0000000000291000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2724-0-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2724-1-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2724-3-0x0000000000420000-0x0000000000431000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2724-9-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2896-51-0x00000000004A0000-0x00000000004B1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2896-56-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2896-47-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3008-19-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3008-22-0x00000000005B0000-0x00000000005C1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3008-28-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download