Analysis

  • max time kernel: 118s
  • max time network: 95s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 02/10/2024, 23:02

General

  • Target: 2c9682d54f34f26298f0ea3e6562ae86aaa120a26deb41fa5ad2342fd7b01f6fN.exe
  • Size: 60KB
  • MD5: e41ce34a88cbcf4c88131ad2f2917100
  • SHA1: dc141d093ed1487a0573c276d39d3f94eda83932
  • SHA256: 2c9682d54f34f26298f0ea3e6562ae86aaa120a26deb41fa5ad2342fd7b01f6f
  • SHA512: 7e46cd752c79381d6f1138ba23d824fa9b02e8b1ed4759565ace1e8be73c22d15fcf53a53345267633c7b120e844895ebb954d695501e178210d746a8c51d852
  • SSDEEP: 192:vbOzawOs81elJHsc45CcRZOgtShcWaOT2QLrCqwJY04/CFxyNhoy5t:vbLwOs8AHsc4sMfwhKQLro74/CFsrd

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2c9682d54f34f26298f0ea3e6562ae86aaa120a26deb41fa5ad2342fd7b01f6fN.exe
    "C:\Users\Admin\AppData\Local\Temp\2c9682d54f34f26298f0ea3e6562ae86aaa120a26deb41fa5ad2342fd7b01f6fN.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4828
    • C:\Windows\{AAB3DD99-976C-46b9-A466-2608F7BFE504}.exe
      C:\Windows\{AAB3DD99-976C-46b9-A466-2608F7BFE504}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2916
      • C:\Windows\{3FBE7858-3693-4a29-A724-53359914599D}.exe
        C:\Windows\{3FBE7858-3693-4a29-A724-53359914599D}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2096
        • C:\Windows\{91DB4E71-1902-4481-9984-4F2A372F20E1}.exe
          C:\Windows\{91DB4E71-1902-4481-9984-4F2A372F20E1}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1336
          • C:\Windows\{3D4DA143-D30C-4d9e-823E-3F1B4927263E}.exe
            C:\Windows\{3D4DA143-D30C-4d9e-823E-3F1B4927263E}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4448
            • C:\Windows\{5991BD41-735D-4bb3-9AA3-5CAC10ED6608}.exe
              C:\Windows\{5991BD41-735D-4bb3-9AA3-5CAC10ED6608}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4444
              • C:\Windows\{EAC65136-8668-4996-AE8E-4B8693E86AA5}.exe
                C:\Windows\{EAC65136-8668-4996-AE8E-4B8693E86AA5}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3172
                • C:\Windows\{9F69A2ED-5435-4c09-B148-978D267E0089}.exe
                  C:\Windows\{9F69A2ED-5435-4c09-B148-978D267E0089}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3940
                  • C:\Windows\{D410EA68-9559-44a2-ADF4-C6027AA70BDF}.exe
                    C:\Windows\{D410EA68-9559-44a2-ADF4-C6027AA70BDF}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:384
                    • C:\Windows\{3EFF7932-1C6F-4ee6-9EEF-0CDC5DE004BF}.exe
                      C:\Windows\{3EFF7932-1C6F-4ee6-9EEF-0CDC5DE004BF}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:4764
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{D410E~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4920
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{9F69A~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2384
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{EAC65~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1324
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{5991B~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4404
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{3D4DA~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1984
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{91DB4~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2332
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{3FBE7~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1988
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AAB3D~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:956
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2C9682~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4220

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{3D4DA143-D30C-4d9e-823E-3F1B4927263E}.exe
    Filesize: 60KB
    MD5: 3c7c299e978874e04ee90575ad8f6eb0
    SHA1: f90d899b7a5c9f75906881119d67b5104a460b9e
    SHA256: 0ec5b0d920f90cbcff5e65ac2b054661b2f25b69d34fd6886f3c0e93dd767624
    SHA512: 1635445e1b449a6d5903888610c2b5e2a8a7da0363bc692549557731f2656bfea103c22f96ac61cba04c3e5bdfcf6497404abce89015af21f5e19b1e03fe3c26

  • C:\Windows\{3EFF7932-1C6F-4ee6-9EEF-0CDC5DE004BF}.exe
    Filesize: 60KB
    MD5: 244ea18eda04f7f11e550b0ebcbe57df
    SHA1: 61a6a06c1eae0a17ec9fbbdd1da13ed1356382bd
    SHA256: a2fa8e43cf260cc8e523d1604812041dd7032e474f279baad7f5377d0fe75396
    SHA512: 214f00859d5b1fef2053aadc59a23b4343736d46eec84e610c98541500949f13487cf10b85d0218730a57f934141be71cc440b1e5dceefc12d5d503943355238

  • C:\Windows\{3FBE7858-3693-4a29-A724-53359914599D}.exe
    Filesize: 60KB
    MD5: 68f2db9f707e3ae5555abfc56e84f702
    SHA1: 81ccdfaa705d23e78413dd1c5641d5d5d06220cd
    SHA256: 26b56217a0ef5f1733eed10b21320a7ca5c5c88d9206968798bbcbbbd01704dd
    SHA512: a40b5a536c670f0cd51ea73feae8b89b7f3c42bc0c32ef39506e5500dddc620128cb634704adc1d44f2b344f9237ac1d10ef7a836adb142feb4edee28b95020f

  • C:\Windows\{5991BD41-735D-4bb3-9AA3-5CAC10ED6608}.exe
    Filesize: 60KB
    MD5: e31a27d807e09aedcdaef010c77274de
    SHA1: ea6901bd3a482d953fb901d1617db52084743a8a
    SHA256: 02fe54fcf2e17b64b23671d5fc4b66908123c3802715842f66d797f105f83c5b
    SHA512: dc6fcadc70395842041b80be8117cda7e7f368b88e1a81020002da6fe223e7a7278143c53f168720d0a2a3489ba80064a5aa7d8572babf04fe78b3446379f3ad

  • C:\Windows\{91DB4E71-1902-4481-9984-4F2A372F20E1}.exe
    Filesize: 60KB
    MD5: 0e918694b82f61e14f11bc3727e71598
    SHA1: bea1abdb4c23d754be9dd506b2c2676b2f367724
    SHA256: d3f86c48836e829bd12ed5e47cb7be0bb43a6e3281e66f007ced34c0e2a5bc02
    SHA512: 7c086109ca361a22520aed9e50f201172b73e8842900e1af0e1b5acf85ac22136ef6bdfcaf751fd78ca81cb9715b731b2420122ee96d127ff1235fac5ee30595

  • C:\Windows\{9F69A2ED-5435-4c09-B148-978D267E0089}.exe
    Filesize: 60KB
    MD5: c937b9c3c4e04e5bfe9401be16ba1af1
    SHA1: af2916dbdfab9980c823e2245281b4a1b37524d9
    SHA256: 995aa225713ded726256506898d598f8067e3b1b7d318223fa0d83cc0b8eab19
    SHA512: e1b12925ae62838fcd2096b8ca9b12ca936c44e5408f744518b95840bcbb3e2adbdcb1b2a1e92bb5fe98be478c10edba1df0ea20b83bdb8dd2c63df3e12e1745

  • C:\Windows\{AAB3DD99-976C-46b9-A466-2608F7BFE504}.exe
    Filesize: 60KB
    MD5: 5c8bd7f330dc4c51e44d771789d956d9
    SHA1: dda50658912455d90be7e9637f7c5723501ef9c7
    SHA256: f19eb1ff1ff63c895335e15951f9af65d8a6ed9f04991bcb33085e832e9debed
    SHA512: 20f6a7ae4aaf5ebdb798995fb07cacb644d45f5d7776f40de92f3f053852d7683ad18460cd7c8cd498c43086f78f3b93747f471b9e61b8bcfe200b97cef41273

  • C:\Windows\{D410EA68-9559-44a2-ADF4-C6027AA70BDF}.exe
    Filesize: 60KB
    MD5: a18ddfd873b50907dffefa5c5887f2fa
    SHA1: 5cea43feacf9bc17f70cb180df431ec79853ff4d
    SHA256: 42147f8649cf09c851400b56691a36274415b9d08acab511fcbdb9084a7d110b
    SHA512: da0cf35e3320aa0e3b096b7c8e18555d6e3db01e64e098975c2fe289496719315aa73ab9a1e303a170acb31a74e543ef8ed17db65be062da669e667a306c6f6f

  • C:\Windows\{EAC65136-8668-4996-AE8E-4B8693E86AA5}.exe
    Filesize: 60KB
    MD5: 5d9a2e8f757f26081334a7d76a25aa82
    SHA1: 9b61a045786a99f742da9d45ff79b55d7c2a3ec3
    SHA256: 3a6f4ed629b3e4372040f8397c23a39d116dcc516b4e40b505cde362ba93f44e
    SHA512: 79ba520a1ff8c6af25930b4e7a5cb7ca0a26583f1475f35bdc9aff35a94f6586738a908c162c852e1d779ff3673fddc60906237ee0f1be3e1fefa2558254110b