
Analysis

  • max time kernel
    118s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/10/2024, 02:16

General

  • Target

    089deaa7ae5b1feba6eae956d3e545b59e612bb15091ce02010fec5b62f71cebN.exe

  • Size

    90KB

  • MD5

    036af28a3626935da0c91c6fb5330de0

  • SHA1

    0592ebfd56003f59065eea1b10087021188c5447

  • SHA256

    089deaa7ae5b1feba6eae956d3e545b59e612bb15091ce02010fec5b62f71ceb

  • SHA512

    05feaec791bb54c847dd41d8501db632ff8d859dfb25e7655208f95336d5083aae75a0b28004ca385e5226aac12b2b7c82abba732d8c6e5c6172adfe88cfe7bc

  • SSDEEP

    768:Qvw9816vhKQLroL4/wQRNrfrunMxVFA3b7glws:YEGh0oLl2unMxVS3Hgz

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\089deaa7ae5b1feba6eae956d3e545b59e612bb15091ce02010fec5b62f71cebN.exe
    "C:\Users\Admin\AppData\Local\Temp\089deaa7ae5b1feba6eae956d3e545b59e612bb15091ce02010fec5b62f71cebN.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4508
    • C:\Windows\{5F793CBF-651C-4930-AB3F-381573F43BD8}.exe
      C:\Windows\{5F793CBF-651C-4930-AB3F-381573F43BD8}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5036
      • C:\Windows\{43168434-64E0-4f35-8C02-7ABC3F5E16DC}.exe
        C:\Windows\{43168434-64E0-4f35-8C02-7ABC3F5E16DC}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4776
        • C:\Windows\{1C86DCDE-E042-4a7f-AC49-179E7B751BC0}.exe
          C:\Windows\{1C86DCDE-E042-4a7f-AC49-179E7B751BC0}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2688
          • C:\Windows\{AA25C917-AB30-4597-B67B-0C7F69A96D68}.exe
            C:\Windows\{AA25C917-AB30-4597-B67B-0C7F69A96D68}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2616
            • C:\Windows\{26BDA393-062C-47f8-9CB1-3FD35676BB85}.exe
              C:\Windows\{26BDA393-062C-47f8-9CB1-3FD35676BB85}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4888
              • C:\Windows\{BEEB5FAA-66BA-4f54-941A-E63920789B86}.exe
                C:\Windows\{BEEB5FAA-66BA-4f54-941A-E63920789B86}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:804
                • C:\Windows\{5A4C7176-44D5-48f8-A1FC-7DDE6F60ABD4}.exe
                  C:\Windows\{5A4C7176-44D5-48f8-A1FC-7DDE6F60ABD4}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4460
                  • C:\Windows\{F56261F1-9F98-4058-8700-092FBFE641DF}.exe
                    C:\Windows\{F56261F1-9F98-4058-8700-092FBFE641DF}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1580
                    • C:\Windows\{A2F4DB42-B958-45c2-BB90-56B1ADE7DE4E}.exe
                      C:\Windows\{A2F4DB42-B958-45c2-BB90-56B1ADE7DE4E}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:672
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{F5626~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2912
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{5A4C7~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2896
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{BEEB5~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3488
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{26BDA~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3824
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{AA25C~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4592
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{1C86D~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2832
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{43168~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:5016
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F793~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3192
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\089DEA~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4204

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\{1C86DCDE-E042-4a7f-AC49-179E7B751BC0}.exe

    Filesize

    90KB

    MD5

    68467f5ca5fa2ad11b7da0878a245dc3

    SHA1

    693fe46593d4199032d68180073119eaf049deab

    SHA256

    5f0a208c3206ee1770f25312cf6d8c0e918bf965249c09379bc692e71ab0098d

    SHA512

    cc8b28497192dd2ac97a045d76e1bad4cf067ff8e317d6e3a72c22b5af9bf95af4b543a4c1e617f73b1532b619c8ac0529681d7231a62f387cb09741b8840491

  • C:\Windows\{26BDA393-062C-47f8-9CB1-3FD35676BB85}.exe

    Filesize

    90KB

    MD5

    0f2bd7f789da430309b9c289c113610e

    SHA1

    edd20f4e4651bc8f7144bdf22b57e4e11f5bb936

    SHA256

    70c05bfa22b6cc7ed12a8941f16de0908ad3ebd6c22dfbd9b4c4400febcf45e9

    SHA512

    76ad28350f13f3998639fcf21363adf2b5cd5a48a4407682490422e63616dfefd98f015d85ce54160cc61d68fa9ec62cc09373f36916940fe4f51ebf38359cd8

  • C:\Windows\{43168434-64E0-4f35-8C02-7ABC3F5E16DC}.exe

    Filesize

    90KB

    MD5

    d4ed33a732805e87a534142a752d97ac

    SHA1

    a4247b1cb04327fad28502071e249822647f9020

    SHA256

    ac939531488a62028b45fdfa4b5dcc2927747c1808bd7c102fc44a282ec7ca17

    SHA512

    18d9bd2cf0994bd5101b1151d91cbf362fdfef5b6b25a011c7337cada51924f2ea814d6306b5b2779d3b8c8f17b78fe6ff73942561e61e9749ddec4c5857b33c

  • C:\Windows\{5A4C7176-44D5-48f8-A1FC-7DDE6F60ABD4}.exe

    Filesize

    90KB

    MD5

    b8d46f5d0c7942afd7a4bf4dadd7d5db

    SHA1

    4c3d687e13e0e6dd1e31acc6504b64223f4954bf

    SHA256

    8ba085d4b3f181710b7bb1c7035e5f6e404454b13c65db620c2dc0174ba3ef42

    SHA512

    cd85c5aa3aec684698d3341719ba2ae4a0320cfc2ac5e69245244e7b9ce78ad0c9cd09784f910f0a83aab4a580669429484ddde2779954a0873eb6e3e90b6c1f

  • C:\Windows\{5F793CBF-651C-4930-AB3F-381573F43BD8}.exe

    Filesize

    90KB

    MD5

    83ab6d3b45aaa6590bcfbcd4a0f273be

    SHA1

    149eb7723b9484cd9679937cfd77086e5058f88e

    SHA256

    7d31207aea288d031180bf53c22e92931e82cc9c3cb550962a71598879af3b22

    SHA512

    b0e94ed2088549e5e6fdcb3568ca121b411980847b7d52b5a7d12039d3cffaeae94b51c2105e727782a36d73d5c96c05c27439e3b1bf3312c03a87f598ff3d30

  • C:\Windows\{A2F4DB42-B958-45c2-BB90-56B1ADE7DE4E}.exe

    Filesize

    90KB

    MD5

    ebdeef657c458558d3e1e666b9179d83

    SHA1

    d2ab136043478b52f6393491a283637b9254abf9

    SHA256

    eeae60b106650b1043ccee0bac6c8e87278000eef5be05e0be033810cdabdfad

    SHA512

    47dadccbe1061ebff40585101b93c8944e7625f3f0bcb7d4dc0d9258687df1f1a0f621b7ec2905ab5cf3fe76d4242a73be0d14ed4ce048d0ada91c95d8e49883

  • C:\Windows\{AA25C917-AB30-4597-B67B-0C7F69A96D68}.exe

    Filesize

    90KB

    MD5

    ab2a8e6bf39e8ab503c0882729740eb4

    SHA1

    093931bad037bb258822127414a83a12f13018f9

    SHA256

    d0f28c6d7a242ab850a478bac57777906cd43830fc2323f3591d63f8fedc11b8

    SHA512

    28936b66e4501b6ab2f0ab5df36c2e4a81a5d94267b3ef850da05fd4961fc2a85415f394a99c14169faaf105ca13b1e5fed8abaf017c3b7b4e05570aed4069d0

  • C:\Windows\{BEEB5FAA-66BA-4f54-941A-E63920789B86}.exe

    Filesize

    90KB

    MD5

    a900d59b11816d8bad05a077e591dd34

    SHA1

    6ce5d7c764f663b544aad8735aadae80ad9c579c

    SHA256

    f6ee8de3ffdce26fbf2fa5179074f8d04e07811d4acf465f2034906cad1ef677

    SHA512

    ebc3e30047947712a22431352ce1cb1ab5684b99ef924b96e02aad0471769d15dbbd9f9d0cf9a1edc385d29ac16840cdd6a455eb74c7996b78ade8d800484f27

  • C:\Windows\{F56261F1-9F98-4058-8700-092FBFE641DF}.exe

    Filesize

    90KB

    MD5

    c8b2e3c916b684aa6edea24dc2bb7daa

    SHA1

    3bfa854314b975ffe11a8ab9a29e0c79ba163fea

    SHA256

    9d287790c9e377b61b91d62787cdc94c186fd6aefab91382de6a8e63af008bee

    SHA512

    bd3edef3da33ac8fcc1105e31ea4ff779fe372a7e84e631a8b597c0cec38a3805961cf7c054c916531f924043527965fed499c9bc414c99e0a9ada6018589853