Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/10/2024, 21:11

General

  • Target

    8c31df4aa571921a298c7021fa366d19a6603e3cacd692250ea552ce0050e7f7N.exe

  • Size

    89KB

  • MD5

    0d4682de41cf510e58b094be2decd860

  • SHA1

    5d77d8cc0a3ddfeb5835e6a37c2154666121730a

  • SHA256

    8c31df4aa571921a298c7021fa366d19a6603e3cacd692250ea552ce0050e7f7

  • SHA512

    64f0b82658e5770e4324e283ea09a3d9fa900ec5c7358f981629b6b7ac987df252413ab5e69f577733053d1f789af9c9b617d089987babe3a1460861fde48e09

  • SSDEEP

    768:Qvw9816vhKQLrot4/wQRNrfrunMxVFA3b7glL:YEGh0otl2unMxVS3Hg9

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
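
Active Setup persistence is keyed on HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID}: the StubPath value under such a key is executed at the next interactive logon of every user whose HKCU copy of that key is missing or carries a lower Version. The following Python script is an added example, not part of the tria.ge report or of the sample, that hunts for suspicious StubPath entries in a `reg export` dump. The dump is constructed: the {E9B4A457-...} entry is an assumption modelled on the first GUID-named executable dropped in this report (the report does not show the registry value itself), and the other two entries are placeholders for a normal component and for a hypothetical stub in a user temp directory. It goes beyond this sample by also flagging stubs in user-writable locations.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a `reg export` of the Active Setup key (see lead-in for
# which entries are assumptions). REG_EXPAND_SZ values export as hex(2):... and
# are not parsed here; only quoted string values are handled.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
"StubPath"="%SystemRoot%\\system32\\ie4uinit.exe -UserConfig"
"Version"="9,0,0,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E9B4A457-4E1E-4f9a-B4A4-FE0CF81EE580}]
"StubPath"="C:\\Windows\\{E9B4A457-4E1E-4f9a-B4A4-FE0CF81EE580}.exe"
"IsInstalled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
"StubPath"="\"C:\\Users\\Admin\\AppData\\Local\\Temp\\update.exe\" /silent"
'''

KEY_RE = re.compile(r'^\[(.+)\]\s*$')
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"\s*$')
GUID_EXE_RE = re.compile(r'^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$', re.I)
# Substring match so both the native and the Wow6432Node view are covered.
INSTALLED_COMPONENTS = '\\microsoft\\active setup\\installed components\\'


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: value}} for quoted string values in a .reg export."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # .reg files escape backslashes and quotes; undo that.
            keys[current][m.group(1)] = m.group(2).replace('\\\\', '\\').replace('\\"', '"')
    return keys


def stub_executable(stub_path: str) -> str:
    """Extract the image path from a StubPath command line (quoted or first token)."""
    s = stub_path.strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)]
    m = re.match(r'(.+?\.exe)(?:\s|$)', s, re.I)
    return m.group(1) if m else s.split()[0]


def expand_env(path: str) -> str:
    """Minimal %SystemRoot% expansion, enough for offline analysis of a dump."""
    return re.sub(r'%systemroot%', lambda _: 'C:\\Windows', path, flags=re.I)


def assess_stub(exe: str) -> List[str]:
    """Return the reasons a StubPath image looks suspicious (empty list if none)."""
    reasons = []
    directory, _, name = exe.replace('/', '\\').rpartition('\\')
    low = directory.lower()
    if low == 'c:\\windows':
        reasons.append('executable dropped directly in the Windows root')
    if GUID_EXE_RE.match(name):
        reasons.append('GUID-named executable')
    if low.startswith('c:\\users\\') or '\\appdata\\' in low or '\\temp\\' in low:
        reasons.append('executable in a user-writable location')
    return reasons


def find_suspicious_active_setup(reg_text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (component GUID, resolved image, reasons) for each suspicious StubPath."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if INSTALLED_COMPONENTS not in key.lower():
            continue
        stub = values.get('StubPath')
        if not stub:
            continue
        exe = expand_env(stub_executable(stub))
        reasons = assess_stub(exe)
        if reasons:
            findings.append((key.rsplit('\\', 1)[1], exe, reasons))
    return findings


if __name__ == '__main__':
    for guid, exe, reasons in find_suspicious_active_setup(SAMPLE_REG_EXPORT):
        print(guid, exe, '; '.join(reasons))
```

On a live host export both views (`reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" hklm.reg` and the Wow6432Node path) and feed the files to `find_suspicious_active_setup`; this sample is a 32-bit process on x64 (note the SysWOW64\cmd.exe children), so the Wow6432Node view is the one to expect. A user who has already logged on since the key was written will also have an HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID} copy, which is the evidence that the stub actually ran.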

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c31df4aa571921a298c7021fa366d19a6603e3cacd692250ea552ce0050e7f7N.exe
    "C:\Users\Admin\AppData\Local\Temp\8c31df4aa571921a298c7021fa366d19a6603e3cacd692250ea552ce0050e7f7N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Windows\{E9B4A457-4E1E-4f9a-B4A4-FE0CF81EE580}.exe
      C:\Windows\{E9B4A457-4E1E-4f9a-B4A4-FE0CF81EE580}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2344
      • C:\Windows\{84AEA5E6-FD5F-46fe-AF33-A3B674E38682}.exe
        C:\Windows\{84AEA5E6-FD5F-46fe-AF33-A3B674E38682}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2120
        • C:\Windows\{D4EAB145-DACE-486a-A9B5-AAB0666BE401}.exe
          C:\Windows\{D4EAB145-DACE-486a-A9B5-AAB0666BE401}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2596
          • C:\Windows\{50ED6670-FC90-4f3f-8632-BC80605A0812}.exe
            C:\Windows\{50ED6670-FC90-4f3f-8632-BC80605A0812}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1892
            • C:\Windows\{B868E1A1-E2C8-431b-99A1-62CA5A489EBA}.exe
              C:\Windows\{B868E1A1-E2C8-431b-99A1-62CA5A489EBA}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2340
              • C:\Windows\{3CD31DD9-A31A-45e8-94CA-E95F5B9F4252}.exe
                C:\Windows\{3CD31DD9-A31A-45e8-94CA-E95F5B9F4252}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1528
                • C:\Windows\{98EB809C-1EB7-44c6-AC0A-D9FA4B2A32ED}.exe
                  C:\Windows\{98EB809C-1EB7-44c6-AC0A-D9FA4B2A32ED}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:532
                  • C:\Windows\{53E3A40A-01B7-43c3-B37A-589CC5EB946A}.exe
                    C:\Windows\{53E3A40A-01B7-43c3-B37A-589CC5EB946A}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2780
                    • C:\Windows\{2F39CC71-3DFA-4c24-BF49-62E5EB6D71EB}.exe
                      C:\Windows\{2F39CC71-3DFA-4c24-BF49-62E5EB6D71EB}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:2920
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{53E3A~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2788
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{98EB8~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2940
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{3CD31~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1340
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{B868E~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2648
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{50ED6~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2068
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{D4EAB~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2636
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{84AEA~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2704
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9B4A~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2852
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\8C31DF~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1888
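
The tree above is a fixed pattern: each stage writes a GUID-named copy of itself into C:\Windows, launches it, and then removes its own image with `cmd.exe /c del <8.3 short name> > nul` (the short name, e.g. {53E3A~1.EXE, is how cmd refers to the long GUID file name). The following Python script is an added example, not part of the tria.ge report, that detects both behaviours from process-creation events and measures the depth of the drop chain. The events are constructed from a subset of the tree above (PIDs, images and command lines are the report's; the parent PID of the first process is assumed), so the script runs offline.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation events: (pid, ppid, image, command line), taken from
# a subset of this report's process tree. PPID 1000 for the first process is assumed.
EVENTS = [
    (1996, 1000, r'C:\Users\Admin\AppData\Local\Temp\8c31df4aa571921a298c7021fa366d19a6603e3cacd692250ea552ce0050e7f7N.exe',
           r'"C:\Users\Admin\AppData\Local\Temp\8c31df4aa571921a298c7021fa366d19a6603e3cacd692250ea552ce0050e7f7N.exe"'),
    (2344, 1996, r'C:\Windows\{E9B4A457-4E1E-4f9a-B4A4-FE0CF81EE580}.exe',
           r'C:\Windows\{E9B4A457-4E1E-4f9a-B4A4-FE0CF81EE580}.exe'),
    (1888, 1996, r'C:\Windows\SysWOW64\cmd.exe',
           r'C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\8C31DF~1.EXE > nul'),
    (2120, 2344, r'C:\Windows\{84AEA5E6-FD5F-46fe-AF33-A3B674E38682}.exe',
           r'C:\Windows\{84AEA5E6-FD5F-46fe-AF33-A3B674E38682}.exe'),
    (2852, 2344, r'C:\Windows\SysWOW64\cmd.exe',
           r'C:\Windows\system32\cmd.exe /c del C:\Windows\{E9B4A~1.EXE > nul'),
    (2596, 2120, r'C:\Windows\{D4EAB145-DACE-486a-A9B5-AAB0666BE401}.exe',
           r'C:\Windows\{D4EAB145-DACE-486a-A9B5-AAB0666BE401}.exe'),
    (2704, 2120, r'C:\Windows\SysWOW64\cmd.exe',
           r'C:\Windows\system32\cmd.exe /c del C:\Windows\{84AEA~1.EXE > nul'),
]

GUID_EXE_RE = re.compile(r'^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$', re.I)
# First path argument after `del`, skipping switches such as /q /f.
DEL_RE = re.compile(r'\bdel\s+(?:/\w+\s+)*"?([^"\s>]+)"?', re.I)


def basename(path: str) -> str:
    return path.replace('/', '\\').rsplit('\\', 1)[-1]


def dirname(path: str) -> str:
    return path.replace('/', '\\').rsplit('\\', 1)[0]


def matches_short_name(short: str, long: str) -> bool:
    """True if `short` is the 8.3 alias of `long`.
    Simplified rule: the first six characters of the long stem followed by ~N, with
    the same three-character extension. Long names containing spaces or other
    characters that 8.3 generation strips are not handled."""
    s_stem, _, s_ext = short.rpartition('.')
    l_stem, _, l_ext = long.rpartition('.')
    if '~' not in s_stem:
        return s_stem.lower() == l_stem.lower() and s_ext.lower() == l_ext.lower()
    prefix = s_stem.split('~', 1)[0]
    return (len(prefix) == 6
            and l_stem.lower().startswith(prefix.lower())
            and l_ext.lower()[:3] == s_ext.lower()[:3])


def analyse(events: List[Tuple[int, int, str, str]]) -> Dict[str, object]:
    """Flag GUID-named images in the Windows root and cmd.exe children that delete
    their parent's image; report the longest parent->child chain of GUID images."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    findings: List[Tuple[int, str, str]] = []
    for pid, ppid, image, cmd in events:
        name = basename(image)
        if GUID_EXE_RE.match(name) and dirname(image).lower() == 'c:\\windows':
            findings.append((pid, 'guid_exe_in_windows_root', image))
        if name.lower() == 'cmd.exe' and ppid in by_pid:
            m = DEL_RE.search(cmd)
            if m:
                target = m.group(1)
                parent_image = by_pid[ppid][1]
                if (dirname(target).lower() == dirname(parent_image).lower()
                        and matches_short_name(basename(target), basename(parent_image))):
                    findings.append((pid, 'parent_self_delete', parent_image))

    guid_pids = {f[0] for f in findings if f[1] == 'guid_exe_in_windows_root'}

    def chain_len(pid: int) -> int:
        n = 0
        while pid in guid_pids:
            n += 1
            pid = by_pid[pid][0]
        return n

    return {'findings': findings,
            'drop_chain_depth': max((chain_len(p) for p in guid_pids), default=0)}


if __name__ == '__main__':
    result = analyse(EVENTS)
    for pid, kind, detail in result['findings']:
        print(pid, kind, detail)
    print('drop chain depth:', result['drop_chain_depth'])
```

The same two rules apply to Sysmon event ID 1 or Windows 4688 data with the command line field enabled, which is what makes the parent-image lookup possible. Note from the Downloads section below that every dropped stage is 89KB yet has a distinct MD5/SHA256, so blocking one stage by hash does not cover the next; the GUID-in-Windows-root image and the `del <short name> > nul` child are the stable indicators.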

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{2F39CC71-3DFA-4c24-BF49-62E5EB6D71EB}.exe

    Filesize

    89KB

    MD5

    4a789b26507602c0b1557c494146746e

    SHA1

    da07b44a20ea7e2797e8ed40da113dd69e152c15

    SHA256

    895f7383d34c6aeed2586580137c243ca2aaeeee97d94a4fa10121630ddd5308

    SHA512

    c9372585111854ce5cc90f477debf78475cadb5b888d85410fe0389e9c3bddf8fa3cf089f4f1721d2e7c2fefbf374768f75cc1f59c3a40b9e5dc92a59aca0dd9

  • C:\Windows\{3CD31DD9-A31A-45e8-94CA-E95F5B9F4252}.exe

    Filesize

    89KB

    MD5

    798befa4cbe6eebbfcf8e09d6e80d200

    SHA1

    cd8cdc53037c63404110c50a4b867410801b3943

    SHA256

    fdec38f7b3a6d7f9ce3fc38097ffc279f9c428d6d8c669283b634c34aaf13cb1

    SHA512

    03fe9419b3d8eadc17c928f9b4eb5c79461fdb026624c699cd257ca82cbf0497c4dfebcf4e9300c9da7b97f600bbadcf481b628e04c516009c08ac037f79b48b

  • C:\Windows\{50ED6670-FC90-4f3f-8632-BC80605A0812}.exe

    Filesize

    89KB

    MD5

    2e12bc99a85492550b9cc1785977fbba

    SHA1

    48113d764af85f87abb64a627f6518d05600f577

    SHA256

    13828fa579cb8acdfda79fddf132f4c8baace9cbcb428d4749e5819acf00a85d

    SHA512

    dedb18c564f3a0f1c3788eb301a06e63111c2c8dc29767751ffe4800ca05d76b3818c762e073b99a791c2c7f549d35da26e9dce01ec783fbae4599cf1776c16e

  • C:\Windows\{53E3A40A-01B7-43c3-B37A-589CC5EB946A}.exe

    Filesize

    89KB

    MD5

    cd1a9a32f3519fe697b52ebc290b187f

    SHA1

    b9e8d91a7a45d831e11d85ce5690ffa1f3907b5d

    SHA256

    914e1380a46fb630a75db6a0654b742045c6bd7cd6229c57837865246b4c0211

    SHA512

    b3fec0fee4c9271a643c00004c5e7a8488f6c98862be4dcb200b36fb400fbd3cd9d5b85e218b2887bdcdfd23b5c3ea290b14b1e58a2bc53b4dceb39b2b24abc5

  • C:\Windows\{84AEA5E6-FD5F-46fe-AF33-A3B674E38682}.exe

    Filesize

    89KB

    MD5

    50037647b20cf40cf4456e28151b0564

    SHA1

    1d1fdabfbe45e6828881dbe8fd52de62672bc26e

    SHA256

    e25b77e11efae31e7f17f3b08e5924926d3e66ccee6282074ae0b18108d701c9

    SHA512

    d958ad74c48304ef947233e5161778e682c240985cfbe171404ffa818912202740d76eb45b296c54832215bcd3fddc076cb8c0c119193713a6cbc4d4723305c4

  • C:\Windows\{98EB809C-1EB7-44c6-AC0A-D9FA4B2A32ED}.exe

    Filesize

    89KB

    MD5

    53872677a60944a0ffa73aa5f4460040

    SHA1

    5555b8c50b638f21745b083215b97efc8d1ecbce

    SHA256

    dc619c566f108fe436f5039b00934fe338462c22c03fddc831dd61c782ce3e26

    SHA512

    3fbc0890fc96e57f6bebf403f082d3b59943e350b4ae1efea5746c87f8a559ee87147a1c05a2eef3766027537146163a323dfe2e7fe2c3fbae53c956dfe0950d

  • C:\Windows\{B868E1A1-E2C8-431b-99A1-62CA5A489EBA}.exe

    Filesize

    89KB

    MD5

    5083a04ab3dc336d5a294f3ba36b3638

    SHA1

    750cd86f0a9d82723fa70ea4ce9cd555ba0a44b8

    SHA256

    ef826eda17cb2a7a179d1dcb7fadd286a3e3aa8cd04ce7f24fb212af205eede3

    SHA512

    13d6dbf47abca01f9cef1dc50d6cb489c7bd413d9a4eb704d324caf23fc6179a38d76c8608f45384486e258d14c8a8f08af0508b7803b20c122d8d88a31178be

  • C:\Windows\{D4EAB145-DACE-486a-A9B5-AAB0666BE401}.exe

    Filesize

    89KB

    MD5

    fa2af10ff84f3af947154569d0e406d2

    SHA1

    25fdfae7f3ca98219e566702d8827eaa4ee13e4d

    SHA256

    38735d4d0fea2e7ff9dcd6537e6147a7cb2fe1127095b4436329d3eed75b962a

    SHA512

    222c06ea1586fb7db9db1422bb92d1584c63b7c4be08187fecae3ed4860a4b0af7f0ef42c1c81c5fc914c367206f087fdae4b58467e47b8b6d83b5dfa0ee40d5

  • C:\Windows\{E9B4A457-4E1E-4f9a-B4A4-FE0CF81EE580}.exe

    Filesize

    89KB

    MD5

    8ad17b07ea1aee7885e8957144837b21

    SHA1

    04fafc05ebd4c7f18d000ca75cdd5a3ad752f8d1

    SHA256

    96ccfe7b6c5d9c9baa1c988aa92e013622b521cdceeb4c94ce4a5173d3c7f28a

    SHA512

    10202512dc91e7ddaebf27b6b426c47255079474c4710c628e0ab3e3ef230c8e0e1a7c9c0a477c266e1ab452525b46e3646ff5b0ee3c4efda6dd57a10ecbc3ae