Analysis

  • max time kernel: 118s
  • max time network: 100s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 05/10/2024, 08:39

General

  • Target: 11cc40e757387625da40e4ae6c1e7e53fdd36ca32613096d5bf7b17a02022c53N.exe
  • Size: 90KB
  • MD5: a33799b4413ca558fefbd2815dd58d70
  • SHA1: 4254fbb8eae91c7be70323de60a0bd32023d54b4
  • SHA256: 11cc40e757387625da40e4ae6c1e7e53fdd36ca32613096d5bf7b17a02022c53
  • SHA512: 2a82fee977e72c4040ae93c0dd75c71fc6e5caa32d853179b270b45ed3c168fd180b6dfdeacba999046735fac2beb105b8b7daf4346a06cb9cfadb52e26aca9d
  • SSDEEP: 768:Qvw9816vhKQLroY4/wQRNrfrunMxVFA3b7glw:YEGh0oYl2unMxVS3Hg

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 18 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (9 IoCs)
  • Drops file in Windows directory (9 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 19 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (9 IoCs)
  • Suspicious use of WriteProcessMemory (54 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\11cc40e757387625da40e4ae6c1e7e53fdd36ca32613096d5bf7b17a02022c53N.exe
    "C:\Users\Admin\AppData\Local\Temp\11cc40e757387625da40e4ae6c1e7e53fdd36ca32613096d5bf7b17a02022c53N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4212
    • C:\Windows\{6C47BBD5-DA2C-4dc3-AD25-9F58BC8A3CED}.exe
      C:\Windows\{6C47BBD5-DA2C-4dc3-AD25-9F58BC8A3CED}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Windows\{EB9BF7B5-E01D-4832-BF37-324758E393EB}.exe
        C:\Windows\{EB9BF7B5-E01D-4832-BF37-324758E393EB}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2092
        • C:\Windows\{8D3F4F06-57D3-4344-B4A1-A27931E2EAED}.exe
          C:\Windows\{8D3F4F06-57D3-4344-B4A1-A27931E2EAED}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2780
          • C:\Windows\{9A20AAF6-4589-4ad8-A559-DAA06BF4487A}.exe
            C:\Windows\{9A20AAF6-4589-4ad8-A559-DAA06BF4487A}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2124
            • C:\Windows\{EF470168-616D-41cd-87B5-223CBE56C894}.exe
              C:\Windows\{EF470168-616D-41cd-87B5-223CBE56C894}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1668
              • C:\Windows\{5F689424-7D49-4632-97AF-09DDCB519D66}.exe
                C:\Windows\{5F689424-7D49-4632-97AF-09DDCB519D66}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2896
                • C:\Windows\{06BAC080-ABD2-4901-9383-7269C1F9E012}.exe
                  C:\Windows\{06BAC080-ABD2-4901-9383-7269C1F9E012}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3016
                  • C:\Windows\{011F2BD5-5B66-4425-BE02-A335DDBE20E1}.exe
                    C:\Windows\{011F2BD5-5B66-4425-BE02-A335DDBE20E1}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:5040
                    • C:\Windows\{9A464D94-2319-4c39-8F5F-E4E576269C71}.exe
                      C:\Windows\{9A464D94-2319-4c39-8F5F-E4E576269C71}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:4648
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{011F2~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1664
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{06BAC~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1608
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{5F689~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1848
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{EF470~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2168
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{9A20A~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2904
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{8D3F4~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3432
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{EB9BF~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2336
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C47B~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5100
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\11CC40~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4944

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{011F2BD5-5B66-4425-BE02-A335DDBE20E1}.exe
    Filesize: 90KB
    MD5: 7e4b2ce95444418a2637b502e39aad56
    SHA1: 2cf7af1edd19e9a6e2e03e3e50f8ad8dd156e28c
    SHA256: 78a16724bfb553ee539f9e912395787a0ea1c9a63cbc09eb2cda469926eae322
    SHA512: 8180b20a485680b5dd11578b6943a0a44022198f78348fcb273dee4e4452dfdf9b8e582fa7840044cd7c8b553036ac4599b020433b875951ac02e8cd3a1d144c

  • C:\Windows\{06BAC080-ABD2-4901-9383-7269C1F9E012}.exe
    Filesize: 90KB
    MD5: 6f3663cfb1d6825dbc4c9da90fd3c1c4
    SHA1: 1fb0cc08f27352ef622b1209fb143edf3f14b872
    SHA256: 54a2a2c363e17ab0b39d0ce85c428e4add610ad254e88847ab7291e7bf27e030
    SHA512: f8ca659abfa138bd4d41e89833b66deecf134f3c5564d40e7cd79adad9ec5a2de6c66f7bd954dcfa65930510fc80dac7ccc94e3646411b06f102aa0db24b6c5f

  • C:\Windows\{5F689424-7D49-4632-97AF-09DDCB519D66}.exe
    Filesize: 90KB
    MD5: 56852ce00f2aecc0a71684fe43d2ece9
    SHA1: 7e33c31910cf937164edb911cd0b5538b7d96a78
    SHA256: c262379bbb39a7eb48956f31fcc198a8127ca2d510023afda2b813ebc6502c4b
    SHA512: 6cbf87f94f9ee8d406effc17a737943d43dcb901a67977be6c314d8290d8a65cfe9c1459b8f081e88e789b09c37a2ac6a45ebfb02101fb1165b41cc3dd563343

  • C:\Windows\{6C47BBD5-DA2C-4dc3-AD25-9F58BC8A3CED}.exe
    Filesize: 90KB
    MD5: 67191ab37c5ef8dc3b17fa8f37652fee
    SHA1: 9e9f150a6ec88ee855a5f9a120bca3b5991d38aa
    SHA256: 53b70e7bc5f505733dbca079d82ec3649850a0b28b3c5e37d07d243d326aa0ba
    SHA512: 9fa2e8d778633e463236fb98cc9f2f0556faa3d40995de69f10daaf0786e2154536fdab763f19bfc75eddacd0bd8d245e50c2dc2fc860948ac27ce7d1693fd05

  • C:\Windows\{8D3F4F06-57D3-4344-B4A1-A27931E2EAED}.exe
    Filesize: 90KB
    MD5: d4b00eed7195065348d474af090fd037
    SHA1: 0505171b91941bec9fa0ea60e331e2110c616d1d
    SHA256: 4ed51d9641c3c449a7b09424e114ea24a9478485a597350eb55d175d54a6ff67
    SHA512: cc34cbcadd4c1ce29847b8336b3a9113fad19265adc295ef56fcec0a5d6139b1548fe1e4d858406d6508ae1e4529e7bfaa0b92168bffa4ed2b2083d014a4298e

  • C:\Windows\{9A20AAF6-4589-4ad8-A559-DAA06BF4487A}.exe
    Filesize: 90KB
    MD5: bd52c6f5580fabd6020e9d03ffa08fc1
    SHA1: 7317cc6f1ca0c73663aca3f90f4d6bfa21ac711a
    SHA256: 552db01dc853206786e5a37d500f6917eb503df9563b32b3753406dd2544d738
    SHA512: eb6e1ee0f025ed1dc7faf8a87dfc0221df57222b9c14de353e8de54907f840b653f100ad7b9f7cd30cfd30496c5ce7c46ec50cdb1496f1e1ce85b5e05fab3b97

  • C:\Windows\{9A464D94-2319-4c39-8F5F-E4E576269C71}.exe
    Filesize: 90KB
    MD5: 84476f8f2f83215ed7e84868ec718bbb
    SHA1: bb7c5793c410172c803af66e3929205e00dbe25e
    SHA256: c8c2e0a9894b9a247600d5921fee2e86a11582bc9220509ab6aa6011966a17d1
    SHA512: f7a1a7eb1cb4ecb594c6db323ce203d924270edf3b0f701b318acf75a6986025f40cc63230338a12480b8535b31d966f0df183a768540b4081887af1583ad6e7

  • C:\Windows\{EB9BF7B5-E01D-4832-BF37-324758E393EB}.exe
    Filesize: 90KB
    MD5: dfcd4fc76323859c3250697b7cfc0c73
    SHA1: 0cead5fb94e530bf0cbf3e20597f0879af4a8cfd
    SHA256: 3becbce97a078f72a8919ecdff59fd897e6b3e6e3b81be73d89f3bfb2ca31b2b
    SHA512: 55bd588053c3bbf203d0b609a54f1ddf29e4b8501106df84da8df9e33d24779030124525e645354cf85f94bbd75e9fde9213f55ed3079a56aef47f0cfc8a2295

  • C:\Windows\{EF470168-616D-41cd-87B5-223CBE56C894}.exe
    Filesize: 90KB
    MD5: c5bda861b350285883690c1b6a69ab4c
    SHA1: 9d2507fc811f68b847bfdb1081d19e2b89b14124
    SHA256: 08976dfee5c52151ebf59cb63f1bb3ed20a800afa9ca91aee3048d4a3f8def50
    SHA512: ee6268a5628ca4154dfeaece274ce6205c3b6f4fa25524ea26aa32b447ec16e6e3bb35885c80ee4bacecea341de049cedf3864e194a921110982ae0f0ed073b4