Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/10/2024, 22:36 UTC

General

  • Target

    1fa3ee19ae94ae6af5e16147c257e5e2e6cdc578d342b349043f99bffa284366N.exe

  • Size

    90KB

  • MD5

    1df7ffe2ae542144baeac76d85e0fa90

  • SHA1

    d6c14814ae66f780b8990d1848f4716601553a45

  • SHA256

    1fa3ee19ae94ae6af5e16147c257e5e2e6cdc578d342b349043f99bffa284366

  • SHA512

    160ee69201a43f850e51c96b61f614f4229fc8b50c9bcd7327000f324408c614ba31fe43c962af69ba4a319f2de0dd30f25e197f72b34081f0c8f5007c8fe40d

  • SSDEEP

    768:Qvw9816vhKQLro84/wQRNrfrunMxVFA3b7glws:YEGh0o8l2unMxVS3Hgz

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1fa3ee19ae94ae6af5e16147c257e5e2e6cdc578d342b349043f99bffa284366N.exe
    "C:\Users\Admin\AppData\Local\Temp\1fa3ee19ae94ae6af5e16147c257e5e2e6cdc578d342b349043f99bffa284366N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:656
    • C:\Windows\{53FFB160-AC80-426d-9DB0-B47912709A5F}.exe
      C:\Windows\{53FFB160-AC80-426d-9DB0-B47912709A5F}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\Windows\{33886780-2458-4db2-B7C7-F2432A2DB82B}.exe
        C:\Windows\{33886780-2458-4db2-B7C7-F2432A2DB82B}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2580
        • C:\Windows\{0052B4B0-1468-4c5b-A404-3CE50C5D1277}.exe
          C:\Windows\{0052B4B0-1468-4c5b-A404-3CE50C5D1277}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2632
          • C:\Windows\{98BC9CEC-7E77-4426-ACA0-49FB8AB705B9}.exe
            C:\Windows\{98BC9CEC-7E77-4426-ACA0-49FB8AB705B9}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2216
            • C:\Windows\{D3CB93E0-D8B7-4dca-B5C6-B913E990ACD3}.exe
              C:\Windows\{D3CB93E0-D8B7-4dca-B5C6-B913E990ACD3}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2952
              • C:\Windows\{7CEEB615-8F7E-4df0-96B0-E5EABB4A3019}.exe
                C:\Windows\{7CEEB615-8F7E-4df0-96B0-E5EABB4A3019}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1796
                • C:\Windows\{9FD65747-821F-415a-81A9-692278E77193}.exe
                  C:\Windows\{9FD65747-821F-415a-81A9-692278E77193}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2900
                  • C:\Windows\{8FC829A6-128F-4aab-9713-0F791FD0B0A6}.exe
                    C:\Windows\{8FC829A6-128F-4aab-9713-0F791FD0B0A6}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1788
                    • C:\Windows\{3714690A-AE5B-4486-88DE-E8229CB64411}.exe
                      C:\Windows\{3714690A-AE5B-4486-88DE-E8229CB64411}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:744
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{8FC82~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1372
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{9FD65~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2088
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{7CEEB~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2744
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{D3CB9~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2032
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{98BC9~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2736
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{0052B~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1992
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{33886~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1044
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53FFB~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2604
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\1FA3EE~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2684
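The process tree above shows a fixed pattern: each stage drops a GUID-named executable directly into C:\Windows, runs it, and then spawns cmd.exe to delete its own parent image by its 8.3 short name (`{53FFB~1.EXE`, `1FA3EE~1.EXE`), discarding errors with `> nul`. The following is an added detection example, not code from the report or from Hatching Triage. It runs over sample process-creation records that were constructed by hand from the tree above in a hypothetical Sysmon-style shape (pid, ppid, image, cmdline), not exported from the sandbox. The 8.3 alias matching is an approximation of the NTFS short-name scheme (first six characters of the stem plus `~N`) and is used only to link a `del` target back to the parent's image, never to predict a short name.

```python
import re
from typing import Dict, List, Optional

# Constructed sample records modelled on the process tree in this report
# (hypothetical Sysmon-style fields; not a log captured from the sandbox).
SAMPLE_EVENTS = [
    {"pid": 656, "ppid": 400,
     "image": r"C:\Users\Admin\AppData\Local\Temp\1fa3ee19ae94ae6af5e16147c257e5e2e6cdc578d342b349043f99bffa284366N.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\1fa3ee19ae94ae6af5e16147c257e5e2e6cdc578d342b349043f99bffa284366N.exe"'},
    {"pid": 2804, "ppid": 656, "image": r"C:\Windows\{53FFB160-AC80-426d-9DB0-B47912709A5F}.exe",
     "cmdline": r"C:\Windows\{53FFB160-AC80-426d-9DB0-B47912709A5F}.exe"},
    {"pid": 2684, "ppid": 656, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\1FA3EE~1.EXE > nul"},
    {"pid": 2580, "ppid": 2804, "image": r"C:\Windows\{33886780-2458-4db2-B7C7-F2432A2DB82B}.exe",
     "cmdline": r"C:\Windows\{33886780-2458-4db2-B7C7-F2432A2DB82B}.exe"},
    {"pid": 2604, "ppid": 2804, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Windows\{53FFB~1.EXE > nul"},
    # Benign controls: an ordinary cmd invocation and a legitimate binary in the Windows root.
    {"pid": 3000, "ppid": 400, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c dir C:\Users"},
    {"pid": 3001, "ppid": 400, "image": r"C:\Windows\explorer.exe", "cmdline": r"C:\Windows\explorer.exe"},
]

GUID = r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}"
# A GUID-named .exe sitting directly in the Windows root (not in a subdirectory).
GUID_EXE_IN_WINDIR = re.compile(r"^[A-Za-z]:\\Windows\\" + GUID + r"\.exe$", re.IGNORECASE)
# "cmd.exe /c del <file> > nul": delete a file and silence the error output.
CMD_DEL = re.compile(r"cmd\.exe\s+/c\s+del\s+(?P<path>\S+)\s*>\s*nul", re.IGNORECASE)
# An 8.3 alias: up to six stem characters, a ~N suffix and a three-character extension.
SHORT_NAME = re.compile(r"^(?P<stem>[^~]{1,6})~\d+(?P<ext>\.[^.]{0,3})?$")


def short_name_prefix(long_name: str) -> str:
    """Approximate the stem of a Windows 8.3 alias (assumption: first six characters
    after dropping spaces and dots). Real generation is filesystem-specific and
    collision-dependent, so this is only used for matching."""
    head, sep, tail = long_name.rpartition(".")
    stem = head if sep else long_name
    return re.sub(r"[ .]", "", stem)[:6].upper()


def resolve_short_name(short_basename: str, candidates: List[str]) -> Optional[str]:
    """Map a short basename such as '{53FFB~1.EXE' back to a long basename in candidates."""
    m = SHORT_NAME.match(short_basename)
    if not m:
        return None
    want_stem, want_ext = m.group("stem").upper(), (m.group("ext") or "").upper()
    for name in candidates:
        head, sep, tail = name.rpartition(".")
        ext = ("." + tail[:3]).upper() if sep else ""
        if short_name_prefix(name) == want_stem and ext == want_ext:
            return name
    return None


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def analyze(events: List[Dict]) -> List[Dict]:
    """Apply both detections to process-creation records; one finding per hit."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if GUID_EXE_IN_WINDIR.match(e["image"]):
            findings.append({"pid": e["pid"], "rule": "guid_exe_in_windir", "image": e["image"]})
        m = CMD_DEL.search(e["cmdline"])
        if m:
            target = m.group("path")
            parent = by_pid.get(e["ppid"])
            # A cmd.exe whose del target is its own parent's image is the
            # self-removal stage seen at every level of the tree above.
            candidates = [basename(parent["image"])] if parent else []
            resolved = resolve_short_name(basename(target), candidates)
            findings.append({"pid": e["pid"], "rule": "cmd_del_to_nul", "target": target,
                             "deletes_parent_image": resolved is not None})
    return findings


def reconstruct_chain(events: List[Dict], root_pid: int) -> List[str]:
    """Walk parent->child links from root_pid through each dropped GUID-named
    executable and return their image paths in execution order."""
    children: Dict[int, List[Dict]] = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    chain, pid = [], root_pid
    while True:
        nxt = [c for c in children.get(pid, []) if GUID_EXE_IN_WINDIR.match(c["image"])]
        if not nxt:
            return chain
        chain.append(nxt[0]["image"])
        pid = nxt[0]["pid"]


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
    print("drop chain:", reconstruct_chain(SAMPLE_EVENTS, 656))
```

The two rules are deliberately narrow. Legitimate software rarely writes a GUID-named executable into the root of C:\Windows, and `cmd.exe /c del <8.3 name> > nul` launched by the file being deleted is a strong self-removal indicator; combining them with the parent-child relationship keeps false positives such as the explorer.exe and `dir` controls out of the findings. Because the report also flags Active Setup persistence, a triage should pair this with an audit of the StubPath values under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components for entries pointing at these GUID-named files.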

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\{0052B4B0-1468-4c5b-A404-3CE50C5D1277}.exe

    Filesize

    90KB

    MD5

    92334a502487647b79247dff631497fd

    SHA1

    65f2b72ec77353408fa55824a3d44bbd6397919a

    SHA256

    3971955acf24bfdc854293dd6cdd22cfca202d90796dec94e00383f6c96f9b28

    SHA512

    d0ca5fd472f164084ef5b75571b843137ed582042a9024a21e2c004c457401a8036563c7e64809f503a4cb353603ae6348372f10e911438c0431c130b8a73950

  • C:\Windows\{33886780-2458-4db2-B7C7-F2432A2DB82B}.exe

    Filesize

    90KB

    MD5

    73531c2b096207ca8101e2c7d2d9229b

    SHA1

    433ed40eded38b59c656a074bb49b5f2f1b321b5

    SHA256

    2430a4c1f40eab5485792d796cf58b691b796d36c5888be480514069d1ef06c2

    SHA512

    f30f682364d1d3deb3ca61f8dd761b01bb556e185c817c3acb6ae413b429049f64d12086d3077479b4dc83777d6da0ccccd22b305be7ad66fd7a9113e22d695e

  • C:\Windows\{3714690A-AE5B-4486-88DE-E8229CB64411}.exe

    Filesize

    90KB

    MD5

    3b6331846671276c39740e30b3e65c48

    SHA1

    e4ebf01b089237fec11acb208a09bcfb55c79434

    SHA256

    5d5bf12306c53a4d501a92e327fba75a8fe7583b5c159938430af240c0e7a733

    SHA512

    7bd1ecd3c7121cbe08143dea7bd5c1c1dd4b741f5ee965acab9c287b9e70786c2a9333eb6dc6459c299e1424a200c5e7880b1b16ed5117a085a7b85d253f8b6c

  • C:\Windows\{53FFB160-AC80-426d-9DB0-B47912709A5F}.exe

    Filesize

    90KB

    MD5

    7d1446bfea59a40baa9a01a147e325ba

    SHA1

    a0539e0e375d4cadb0d21b68d11b41c4a7579c62

    SHA256

    27cdd1c6473bf77697cbe19ad4094574e4948cb1e7bc0786c9622384b76f8b16

    SHA512

    96e0ecc9f8117b7bb5f16561caf93df20c70b560a4596693130921efd6a06f9b4db019aeee46cf71ea958255950ed7244adf5826f6578ced19f83feee27dc74f

  • C:\Windows\{7CEEB615-8F7E-4df0-96B0-E5EABB4A3019}.exe

    Filesize

    90KB

    MD5

    621036829512d65ef2cec9200b292a14

    SHA1

    318d68a5e2548594d3bfccb538ac3a56fd8db149

    SHA256

    402e92b144c36a4923f616de8483c5ecac758c9bfb627458f5e09046fa367677

    SHA512

    e6a96ca14b38abdfac46b89c56baaacfe77588b2701e44e87f8ef64c664490c3bbf887cb15b1e0be602b5fd72cc324ab3c492c4ae7bbfcd16f7148b85d398a77

  • C:\Windows\{8FC829A6-128F-4aab-9713-0F791FD0B0A6}.exe

    Filesize

    90KB

    MD5

    d13eb79623e94b01ac9a8217c82e10c7

    SHA1

    0c8c17ed52f08b5fa40acd11c91788822ef3c622

    SHA256

    9f8ba30a6bf82e4f6d0ad2c877c1112f3158943338557d9a3697d17d77d0a271

    SHA512

    f6c5285867d406416d492f4f35cbbb672aef77e1b528694e194026a76763dc5e424f241782f4593af3f95e41e946608c6d0876d93a68313956c0cc186c96fde6

  • C:\Windows\{98BC9CEC-7E77-4426-ACA0-49FB8AB705B9}.exe

    Filesize

    90KB

    MD5

    124ff9dda419d9615b4869d3fd20204f

    SHA1

    e8175745028ee050bedc3fb03c2fd934b853e886

    SHA256

    1ac85720ef9bb0a51129c26f5aaafe6a7361c9c230268b1026d8b4c2339f77a1

    SHA512

    8102a466d97ba17533f8f274cdc96e85e72c149c00344912c98c15605fbd5c8d2c5289585cf34c7e5ebfb8a220fb3f56e4751f79d2b8b3ed3fc881df7ba21a6c

  • C:\Windows\{9FD65747-821F-415a-81A9-692278E77193}.exe

    Filesize

    90KB

    MD5

    5b26d9029fc2b10b0cdcfa63aafa5689

    SHA1

    30927cae230f4b1a5eea3a8bb5548b8f8094c25f

    SHA256

    2af500d75021ed8a953ba725a8a43958607a2c1eb984512fada39b340f0fb2f4

    SHA512

    51c1942f249391f6443fb3317b00029826ab0e708a268db521bf1540644e91d0948d8184cbe8d6327177269f9ce48ab2373b382da98b9dd2cfbae37ae6a0590b

  • C:\Windows\{D3CB93E0-D8B7-4dca-B5C6-B913E990ACD3}.exe

    Filesize

    90KB

    MD5

    a01d08349105ba9677e809bf15aa34a9

    SHA1

    79768cadee580da9009425791437e965d045a5d1

    SHA256

    966a9bf700dd46b2bd12a4488cf8ef59b7587db38279dd090bd2a486151511e9

    SHA512

    f6d2810fe39c9e20ed788d7050d07a6aeb4dc3161ebc318d6a0f7849992abec43d645d97225765483d507a01d8ff75b81f6dc87ef8ea565a9e7b3e09b2d80c7e
