Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    118s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/10/2024, 09:51

General

  • Target

    66d703abd497256f999f352293002aa925aa931cf782063b9cd8f8db9113135fN.exe

  • Size

    408KB

  • MD5

    884f1c01db76673c60583c64fcb3d720

  • SHA1

    029e80fe9f7a8464da0888e5d00cb73fb72d6dba

  • SHA256

    66d703abd497256f999f352293002aa925aa931cf782063b9cd8f8db9113135f

  • SHA512

    0a5b20a98d9c9982edb310f2a387e7eb2e993cff8d2ff683d6d83e3938a8c6d8d51c64aba0e65b6208fc559ede3d24478f957c0b85808ee59684d09fc9b469e8

  • SSDEEP

    3072:CEGh0oVl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGTldOe2MUVg3vTeKcAEciTBqr3jy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 18 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (9 IoCs)
  • Drops file in Windows directory (9 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 19 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (9 IoCs)
  • Suspicious use of WriteProcessMemory (54 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\66d703abd497256f999f352293002aa925aa931cf782063b9cd8f8db9113135fN.exe
    "C:\Users\Admin\AppData\Local\Temp\66d703abd497256f999f352293002aa925aa931cf782063b9cd8f8db9113135fN.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4452
    • C:\Windows\{3EB805A7-6644-488e-AA56-946EDF4E413C}.exe
      C:\Windows\{3EB805A7-6644-488e-AA56-946EDF4E413C}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3952
      • C:\Windows\{6D0F4F45-EA8F-41b8-AC60-06DB9FEE2ED8}.exe
        C:\Windows\{6D0F4F45-EA8F-41b8-AC60-06DB9FEE2ED8}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2580
        • C:\Windows\{373EE213-8BC1-4194-BB3D-AB8CC15B411D}.exe
          C:\Windows\{373EE213-8BC1-4194-BB3D-AB8CC15B411D}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2060
          • C:\Windows\{9E68E18D-B2D9-46cd-8CC6-9BCC668A8595}.exe
            C:\Windows\{9E68E18D-B2D9-46cd-8CC6-9BCC668A8595}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4844
            • C:\Windows\{ABF5AFDC-9943-4280-8533-76C7E80D8BA2}.exe
              C:\Windows\{ABF5AFDC-9943-4280-8533-76C7E80D8BA2}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1160
              • C:\Windows\{7B3CD55F-86A5-4180-BD3D-8D31A1CA50D3}.exe
                C:\Windows\{7B3CD55F-86A5-4180-BD3D-8D31A1CA50D3}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4448
                • C:\Windows\{64F9FC01-6A94-40d0-B681-9F095D4C0DF1}.exe
                  C:\Windows\{64F9FC01-6A94-40d0-B681-9F095D4C0DF1}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:928
                  • C:\Windows\{6D2FBD8A-7F35-4a9f-9EA8-1EDC114A2112}.exe
                    C:\Windows\{6D2FBD8A-7F35-4a9f-9EA8-1EDC114A2112}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1880
                    • C:\Windows\{B891D259-8827-4808-BD22-2B628B9E03B7}.exe
                      C:\Windows\{B891D259-8827-4808-BD22-2B628B9E03B7}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:4972
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{6D2FB~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4520
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{64F9F~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:544
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{7B3CD~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:920
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{ABF5A~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3888
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{9E68E~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2180
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{373EE~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2420
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{6D0F4~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3444
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3EB80~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4064
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\66D703~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4320
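
Reading the tree: each stage writes a copy of itself under C:\Windows with a GUID file name, launches that copy, and then spawns cmd.exe to delete its own image by 8.3 short name ({6D2FB~1.EXE for {6D2FBD8A-7F35-4a9f-9EA8-1EDC114A2112}.exe); no such cmd.exe appears under the last stage, PID 4972, in the captured run. The command lines name C:\Windows\system32\cmd.exe but the image that ran is C:\Windows\SysWOW64\cmd.exe, which is the WoW64 file-system redirection a 32-bit sample (arch:x86) gets on the x64 image. The Python below is an added example, not part of the tria.ge report or of the sample: it turns this chain, together with the Active Setup signature listed above, into detection logic over constructed Sysmon-style events. The PIDs, image paths and del targets are copied from the tree and the parent PIDs follow from its nesting; the registry event, including the GUID used as its Installed Components subkey, is an assumption about what the Active Setup write would look like, since the report does not show the key; and the 8.3 short-name routine is an approximation (real short names can end in ~2, ~3 and so on).

```python
import re
from collections import defaultdict

# Process-creation data copied from the tria.ge process tree (PIDs, images, del targets);
# parent PIDs follow from the tree's nesting.
STAGES = [  # (pid, image) in launch order; each stage is the parent of the next
    (4452, r"C:\Users\Admin\AppData\Local\Temp\66d703abd497256f999f352293002aa925aa931cf782063b9cd8f8db9113135fN.exe"),
    (3952, r"C:\Windows\{3EB805A7-6644-488e-AA56-946EDF4E413C}.exe"),
    (2580, r"C:\Windows\{6D0F4F45-EA8F-41b8-AC60-06DB9FEE2ED8}.exe"),
    (2060, r"C:\Windows\{373EE213-8BC1-4194-BB3D-AB8CC15B411D}.exe"),
    (4844, r"C:\Windows\{9E68E18D-B2D9-46cd-8CC6-9BCC668A8595}.exe"),
    (1160, r"C:\Windows\{ABF5AFDC-9943-4280-8533-76C7E80D8BA2}.exe"),
    (4448, r"C:\Windows\{7B3CD55F-86A5-4180-BD3D-8D31A1CA50D3}.exe"),
    (928,  r"C:\Windows\{64F9FC01-6A94-40d0-B681-9F095D4C0DF1}.exe"),
    (1880, r"C:\Windows\{6D2FBD8A-7F35-4a9f-9EA8-1EDC114A2112}.exe"),
    (4972, r"C:\Windows\{B891D259-8827-4808-BD22-2B628B9E03B7}.exe"),
]
DELETES = [  # (cmd.exe pid, parent pid, del target) from the same tree
    (4320, 4452, r"C:\Users\Admin\AppData\Local\Temp\66D703~1.EXE"),
    (4064, 3952, r"C:\Windows\{3EB80~1.EXE"), (3444, 2580, r"C:\Windows\{6D0F4~1.EXE"),
    (2420, 2060, r"C:\Windows\{373EE~1.EXE"), (2180, 4844, r"C:\Windows\{9E68E~1.EXE"),
    (3888, 1160, r"C:\Windows\{ABF5A~1.EXE"), (920, 4448, r"C:\Windows\{7B3CD~1.EXE"),
    (544, 928, r"C:\Windows\{64F9F~1.EXE"), (4520, 1880, r"C:\Windows\{6D2FB~1.EXE"),
]
# Assumption, not report data: what an Active Setup StubPath write would look like in Sysmon.
ACTIVE_SETUP_EVENT = {
    "EventID": 13, "ProcessId": 4452, "Image": STAGES[0][1],
    "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{3EB805A7-6644-488e-AA56-946EDF4E413C}\StubPath",
}

GUID_EXE_IN_WINDOWS = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}\.exe$", re.I)
CMD_DEL = re.compile(r"\bcmd\.exe\s+/c\s+del\s+(\S+)", re.I)
ACTIVE_SETUP_KEY = re.compile(r"\\Active Setup\\Installed Components\\[^\\]+\\StubPath$", re.I)


def sample_events():
    """Constructed Sysmon-style records (EventID 1 = process create, 13 = registry value set)."""
    events, parent = [], None
    for pid, image in STAGES:
        events.append({"EventID": 1, "ProcessId": pid, "ParentProcessId": parent,
                       "Image": image, "CommandLine": f'"{image}"'})
        parent = pid
    for pid, ppid, target in DELETES:
        # The 32-bit sample's command line names system32; WoW64 redirection ran SysWOW64\cmd.exe.
        events.append({"EventID": 1, "ProcessId": pid, "ParentProcessId": ppid,
                       "Image": r"C:\Windows\SysWOW64\cmd.exe",
                       "CommandLine": rf"C:\Windows\system32\cmd.exe /c del {target} > nul"})
    return events + [ACTIVE_SETUP_EVENT]


def short_name(path):
    """Approximate the Windows 8.3 short name of a long file name: first six characters of the
    base name, '~1', and a three-character extension, upper-cased. Real names may get ~2, ~3 ...
    on collision, so treat a match as strong evidence rather than proof."""
    folder, _, name = path.rpartition("\\")
    base, dot, ext = name.rpartition(".")
    if not dot:
        base, ext = name, ""
    short = base.replace(" ", "")[:6].upper() + "~1" + (("." + ext[:3].upper()) if ext else "")
    return f"{folder}\\{short}" if folder else short


def analyze(events):
    """Return the three behaviours worth alerting on: GUID-named executables launched from the
    Windows directory, a child cmd.exe deleting its parent's own image (self-deletion via an
    8.3 short name), and a write to an Active Setup StubPath value."""
    procs = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    findings = {"guid_exe": [], "self_delete": [], "active_setup": []}
    for e in events:
        if e["EventID"] == 1 and GUID_EXE_IN_WINDOWS.match(e["Image"]):
            findings["guid_exe"].append(e["ProcessId"])
        if e["EventID"] == 1 and (m := CMD_DEL.search(e["CommandLine"])):
            parent = procs.get(e["ParentProcessId"])
            if parent and short_name(parent["Image"]).lower() == m.group(1).lower():
                findings["self_delete"].append((e["ProcessId"], parent["ProcessId"]))
        if e["EventID"] == 13 and ACTIVE_SETUP_KEY.search(e["TargetObject"]):
            findings["active_setup"].append(e["ProcessId"])
    return findings


def chain_length(events, root_pid):
    """Longest parent->child run of GUID-named executables below root_pid (the drop-and-run depth)."""
    children = defaultdict(list)
    for e in events:
        if e["EventID"] == 1:
            children[e["ParentProcessId"]].append(e)
    def depth(pid):
        return max((1 + depth(c["ProcessId"]) for c in children[pid]
                    if GUID_EXE_IN_WINDOWS.match(c["Image"])), default=0)
    return depth(root_pid)


if __name__ == "__main__":
    ev = sample_events()
    print(analyze(ev))
    print("chain length:", chain_length(ev, 4452))
```

The self-deletion check is the one that generalises best: it does not depend on the GUID naming and fires whenever a process's child cmd.exe removes the parent's own image, which is how many droppers clean up after handing off to the next stage. The Active Setup match is keyed on the StubPath value name, so a rule built from it needs registry-value events (Sysmon EventID 13 or equivalent), not just process creation.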

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{373EE213-8BC1-4194-BB3D-AB8CC15B411D}.exe

    Filesize

    408KB

    MD5

    9e049d1aedf1de4d7c8bb1f968d932c9

    SHA1

    0d1befeb1d43c2bd4930f2eb80728e96f0f3ac40

    SHA256

    60c121efc41a4a4d21c36891fa1e30cae7106b72282cd01db63a6b0316be1f04

    SHA512

    8d782721af3d2325ba3cabe9f82e2416269b9e739ad62d1e8ac7300cd5b76c3eabc4f94f32b7a558f7e1185fc67fb63e07c30abfb9a9c3e9088cf9a9328fd2cb

  • C:\Windows\{3EB805A7-6644-488e-AA56-946EDF4E413C}.exe

    Filesize

    408KB

    MD5

    a761f0e2c9e0e5eaaec4e1421ed13138

    SHA1

    49a36ea5c0fabdab1ca75c77845f11449e41e008

    SHA256

    8200a280cc50229e0159f619a2b10b3d35f4df0b1fec810c8224ec3ce3498504

    SHA512

    182dc4c04524d93272982a757234ed81397bb3b192681e4a2788f08bc49fbf33479d21c125d2dbdfbb00427e9708ad4b6e2e7fa5f1896b577d050a7d86834f81

  • C:\Windows\{64F9FC01-6A94-40d0-B681-9F095D4C0DF1}.exe

    Filesize

    408KB

    MD5

    ff79d4fec45a68a32fecf00874346f29

    SHA1

    7d817c28beb74c9ff0723309015353d660cfe846

    SHA256

    723b760eed0fa15ddc2016300f3869b6b3625553fd851e3ea82a2a0bab001560

    SHA512

    11268a8dd4c9c9a0bcf35cffd23247fdfc6e99d5629cfa30c9d732edfa57520816448ac2220d80acb1cf407f75ae2f88902ff7efecf96724fcb37208caae446f

  • C:\Windows\{6D0F4F45-EA8F-41b8-AC60-06DB9FEE2ED8}.exe

    Filesize

    408KB

    MD5

    c4de94453c36449c6a0ee7f8f224467e

    SHA1

    e8c81e185504690d5844d426e2bd0fa8fe4cc677

    SHA256

    180e134e4f328ebf9e9c312144b30d16213fd7ccadeeb8b30e819a14a7398ea3

    SHA512

    6416cb28b94f317df876edf092bef7bf942400cb7c0675d2dc4b36710f7360d4916b5e871c67c4de61a5abe8c44abae9e7bb0157226264153c290450bfabc8d0

  • C:\Windows\{6D2FBD8A-7F35-4a9f-9EA8-1EDC114A2112}.exe

    Filesize

    408KB

    MD5

    db4e0a64eb5cc1e6d61631c4e7f6d6de

    SHA1

    fe3f919c8b04e67748188e580a6f29bd5cc6392e

    SHA256

    7bada996b18e94b30d5658f7745e2a1e262fc3023ce930b257613921289d7e41

    SHA512

    d7a35a2b0b483dcc034e81b8b524da1efa563076caedd38831d8fa570ab68f9d3349151d649dedb6c12747cac49f6cc1ddfc8fb87cccb3a145f2657f5658b4e5

  • C:\Windows\{7B3CD55F-86A5-4180-BD3D-8D31A1CA50D3}.exe

    Filesize

    408KB

    MD5

    3ae71078b4351a734fb6e8db85f6de35

    SHA1

    c967a5afa137b2f29f2e96de915ca9fe83b2b804

    SHA256

    dde0c25711cc39c7b17f5919a555f63e3b0703803dedfd619b8846517bc60960

    SHA512

    c851dacd74848ba130c3ba529893e11bcb590e8c6e8fab94caaed604d6bdf93c5a587dc5b0328cfe384f5e3b124a7653f0800c0427da822c6227c8c9226510b9

  • C:\Windows\{9E68E18D-B2D9-46cd-8CC6-9BCC668A8595}.exe

    Filesize

    408KB

    MD5

    742db7745a495e6d843cfa39bb3f719c

    SHA1

    cf07238a8909e1b2f28b73c0875acd8d4556b403

    SHA256

    47c83e9483e60012059d21e283648b5916bff1c001de764fbf61fbf142ad2f70

    SHA512

    4b4b1214b6d7bbd6c8857c9038f34663a490a98232b29923d69f2621c1e97070f725c71beacb6795ff300c77612bd0bf46709c7b5fd4140cab974870bb80c420

  • C:\Windows\{ABF5AFDC-9943-4280-8533-76C7E80D8BA2}.exe

    Filesize

    408KB

    MD5

    f4f206ac42a1f024426f30b14e4f0d29

    SHA1

    62b1ceb122663ee92e665bb7586b793f77fa3dfa

    SHA256

    94078591efb38e6b22454d4f8ac486b7413a630e6f51565156baca43f6334dc2

    SHA512

    c0e3882596ed3c9174a54011af6eb659fb4f133298ca2f268ca50c7b92f3f035c0bb9f53c9ccc4904c717e531f6765c5f0ec551a96da570a836fc16e945b4dfd

  • C:\Windows\{B891D259-8827-4808-BD22-2B628B9E03B7}.exe

    Filesize

    408KB

    MD5

    37fbe555e394d7aee745cb01d8d19ff4

    SHA1

    05adf7a6964e38d9ed6c03334dff99970a8e6d3f

    SHA256

    997c7aa0eb09f58984c3a9957f648b238b90aef62862a85a9991f0f34f572dba

    SHA512

    9e75deecb2a3ff2f6b1dd5809080e9c4b531b82f4358fdd2682531acd25b910544d4181e6c3464192a267568e6efb2f6063e92cc956f43f024661353a67165bf