Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/10/2024, 09:51

General

  • Target

    66d703abd497256f999f352293002aa925aa931cf782063b9cd8f8db9113135fN.exe

  • Size

    408KB

  • MD5

    884f1c01db76673c60583c64fcb3d720

  • SHA1

    029e80fe9f7a8464da0888e5d00cb73fb72d6dba

  • SHA256

    66d703abd497256f999f352293002aa925aa931cf782063b9cd8f8db9113135f

  • SHA512

    0a5b20a98d9c9982edb310f2a387e7eb2e993cff8d2ff683d6d83e3938a8c6d8d51c64aba0e65b6208fc559ede3d24478f957c0b85808ee59684d09fc9b469e8

  • SSDEEP

    3072:CEGh0oVl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGTldOe2MUVg3vTeKcAEciTBqr3jy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\66d703abd497256f999f352293002aa925aa931cf782063b9cd8f8db9113135fN.exe
    "C:\Users\Admin\AppData\Local\Temp\66d703abd497256f999f352293002aa925aa931cf782063b9cd8f8db9113135fN.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2508
    • C:\Windows\{999278E0-921D-49ef-8AA0-BDAFEE7B711A}.exe
      C:\Windows\{999278E0-921D-49ef-8AA0-BDAFEE7B711A}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2372
      • C:\Windows\{413D4F87-ACB0-4ec1-A72D-DFF5AC0540C8}.exe
        C:\Windows\{413D4F87-ACB0-4ec1-A72D-DFF5AC0540C8}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2852
        • C:\Windows\{BFE22F42-9B85-4d65-9A1E-31B3F9135ABA}.exe
          C:\Windows\{BFE22F42-9B85-4d65-9A1E-31B3F9135ABA}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2812
          • C:\Windows\{4C73D4EE-7158-4500-A24D-9436F184C4CE}.exe
            C:\Windows\{4C73D4EE-7158-4500-A24D-9436F184C4CE}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2652
            • C:\Windows\{9348B883-9869-4da8-B60F-BD5406425C05}.exe
              C:\Windows\{9348B883-9869-4da8-B60F-BD5406425C05}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2224
              • C:\Windows\{D2AE553E-526F-45fb-AB48-5DE787A494B8}.exe
                C:\Windows\{D2AE553E-526F-45fb-AB48-5DE787A494B8}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2876
                • C:\Windows\{377614CD-B5FA-4be9-806F-2AF1EAA21104}.exe
                  C:\Windows\{377614CD-B5FA-4be9-806F-2AF1EAA21104}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2784
                  • C:\Windows\{61D27477-FA8A-4d7c-A1B9-BDF5A892D86A}.exe
                    C:\Windows\{61D27477-FA8A-4d7c-A1B9-BDF5A892D86A}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2912
                    • C:\Windows\{301572E2-E8D3-4558-AEC8-4AFFD2822875}.exe
                      C:\Windows\{301572E2-E8D3-4558-AEC8-4AFFD2822875}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:2916
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{61D27~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2076
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{37761~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1424
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{D2AE5~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:316
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{9348B~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2656
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{4C73D~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1428
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{BFE22~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2612
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{413D4~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2408
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99927~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2884
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\66D703~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1492

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{301572E2-E8D3-4558-AEC8-4AFFD2822875}.exe

    Filesize

    408KB

    MD5

    0250bc96c0fb130fcf0c05beae68b46d

    SHA1

    f006cc41acca6c77714d3cdef209665e0ff15ca7

    SHA256

    c4337460370b20346f726fcbecb3e253747630d328d35bbc46e236f91f3b7570

    SHA512

    5eec067354478b4774003442a64128084966ae1b1221b5625b48fe972f8ff189a7114672684f1f2afec1aad6238f61cd54d25a65b498e9c00af02c358e9c2efe

  • C:\Windows\{377614CD-B5FA-4be9-806F-2AF1EAA21104}.exe

    Filesize

    408KB

    MD5

    8c2c31898a5738abe0a29a0669739975

    SHA1

    5c061cad16e3793b52dbf30d5324cf2e2f059982

    SHA256

    28f868f57cd84af7f74686d065b4b43aa50cbd54c9e824a7669dcde1e0e627d4

    SHA512

    409cb3ed9e3092714b0844e53140f2714727b298cfe8f81a008ece59bef97f053c12b1a0102a83e665e92072498cc3a182c2e9cc66ca4e2b5a796335b03a6fee

  • C:\Windows\{413D4F87-ACB0-4ec1-A72D-DFF5AC0540C8}.exe

    Filesize

    408KB

    MD5

    f864043d5e9d53f27eaf55e0f74fa21a

    SHA1

    e939c95ce0603dbea12b0a2a6dc9b4ce824ac6ac

    SHA256

    fc6a53e69e452462e6a323d7ee91232cfb5367c3e26b4755ec888539097c2d1c

    SHA512

    f9d60f32a8fab45fa496a9eaf85749fb72e8a36e947a2f3e16a5cbd5c8fe26aacbcf9da0673ad167adf94f91401ca2063bc156c3f463c38a2ce7fd70d0fe0294

  • C:\Windows\{4C73D4EE-7158-4500-A24D-9436F184C4CE}.exe

    Filesize

    408KB

    MD5

    f0ae19024a842b64f034fe779d4b94fa

    SHA1

    800d056e4453a2a1a77eb4e871c2ca1ded51656c

    SHA256

    c83ad9add7ee7672feb9c686440969fd199e27c00c541f291cb55532a73a9a3b

    SHA512

    683d484ddaf816bafdfd0264938107e9981e9f9551ed123a11194735859a5322b3e58a41df804080001b8b6f10b625ee0e7269ce9660e1bf27cd2aca6bd481b4

  • C:\Windows\{61D27477-FA8A-4d7c-A1B9-BDF5A892D86A}.exe

    Filesize

    408KB

    MD5

    c3d439c800cb6e36fbfe9aaa9872bea8

    SHA1

    2e7504c945d79be8810643ba93694c038a8e54e1

    SHA256

    f6bef55c8f3c4796eae6c9e1fbae9bdb69c60de0eb116bdef9a4d3d2bfdbe66e

    SHA512

    26cb341ca72f0eb38c5a8280d382a66139da26a75a4d9baeefa6bd9ce76cdf6cdd71d8124435e2f3375088dbb9da1a090febd925e8d4c01199f8c483c6d4f3a9

  • C:\Windows\{9348B883-9869-4da8-B60F-BD5406425C05}.exe

    Filesize

    408KB

    MD5

    ef265cf1e601edbaa90a865edb5db9f8

    SHA1

    ee8ecdcdc5c21d63675bc76bad427204d47c0bb0

    SHA256

    f161457dc5cd2d0780edeecef112633c47cd88ee52b3e256e183dfefd41f7127

    SHA512

    305303766b1a91c8ea0e4dc254c014551d8c96842357694fa41505241a7a4d98189dad883f0744c5acbdddcc9b5fbde9691f1f6cff55255540470f6bd91b2faf

  • C:\Windows\{999278E0-921D-49ef-8AA0-BDAFEE7B711A}.exe

    Filesize

    408KB

    MD5

    f9a77a1d4e4c9f2d00ef8aaea81a0e1f

    SHA1

    b9567f52e9a6256f5f3d6391d64de2043d4a9b64

    SHA256

    4e451d7ad20493069ee9a8f12732ef41461105757f0ee4fa107864d11ef5f03f

    SHA512

    f1d1dd852041ef90e206d2d36f67739e3515d93b2e9d97afc82890481426b5c4567324a75ccac33968a4bc7a9a943333e072cea7930c4c473481dafba834ff3d

  • C:\Windows\{BFE22F42-9B85-4d65-9A1E-31B3F9135ABA}.exe

    Filesize

    408KB

    MD5

    3f5a85235c1303b9be140a2177eb3cc8

    SHA1

    d3c395ee99b384606871068d308126cc556ebe9a

    SHA256

    6949bcd85ea36cbe6074f7f8479010e44e508c10d63fc1a470893605d98357dd

    SHA512

    0a35b2144c4b202d91580b67b83754a231d75ab391aeee41f9dbe9ea8a5eabb79bd34c1ed00cdc9744e7020129715540a681d30aecf942c2758dc76f862439d1

  • C:\Windows\{D2AE553E-526F-45fb-AB48-5DE787A494B8}.exe

    Filesize

    408KB

    MD5

    e9ca7a1aa203c28fbf30ced64dec0fde

    SHA1

    cac62350f8301e97c22882ade4f47649f1911c14

    SHA256

    8f05d406582f7591dfa55ffdeb31afc880e95361a164278b097f5c1358194893

    SHA512

    ce9f48125abe2967a5341c5be6566f50c654f8b46f48c6d8f96bfbb6109bb00ac8a12e0fd874f80904355052473d3b40d51622cb8950992bbd6c9693d4c41a58