Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

c44a311c7e...3N.exe

windows7-x64

8

c44a311c7e...3N.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    119s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    06/10/2024, 10:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c44a311c7ec3ee6fb95de04bbe87916b4e8a556a083d9bf12961c2ec09273483N.exe

  • Size

    91KB

  • MD5

    9ddf8f3a225c91e4843a89cd8c98ee30

  • SHA1

    34b36e7ba162bae5982d27d07abb84a3ec176c4f

  • SHA256

    c44a311c7ec3ee6fb95de04bbe87916b4e8a556a083d9bf12961c2ec09273483

  • SHA512

    204840e7e6ec77a0335d7aa7070b8bf735454654250bef008b52c95708e05ed32349e73a869e83952c2afb077e1d1331d056fe372de244eba0087e0c4c6e4b58

  • SSDEEP

    768:5vw9816uhKiro84/wQNNrfrunMxVFA3b7t:lEGkmo8lCunMxVS3Ht

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c44a311c7ec3ee6fb95de04bbe87916b4e8a556a083d9bf12961c2ec09273483N.exe
    "C:\Users\Admin\AppData\Local\Temp\c44a311c7ec3ee6fb95de04bbe87916b4e8a556a083d9bf12961c2ec09273483N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2720
    • C:\Windows\{16AFEAE5-8BCD-4b58-B550-A36337BDC49D}.exe
      C:\Windows\{16AFEAE5-8BCD-4b58-B550-A36337BDC49D}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Windows\{09EE6D94-1A60-4a28-8C15-FF1F5A3B2BD1}.exe
        C:\Windows\{09EE6D94-1A60-4a28-8C15-FF1F5A3B2BD1}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2628
        • C:\Windows\{8001B1F7-4D80-4da3-9C18-0255D5AE3493}.exe
          C:\Windows\{8001B1F7-4D80-4da3-9C18-0255D5AE3493}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:848
          • C:\Windows\{20B6DE0A-9598-481c-AAD0-E7D8B033747B}.exe
            C:\Windows\{20B6DE0A-9598-481c-AAD0-E7D8B033747B}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2144
            • C:\Windows\{03DDBD82-CD28-4618-A76E-3BEE51061DEE}.exe
              C:\Windows\{03DDBD82-CD28-4618-A76E-3BEE51061DEE}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2816
              • C:\Windows\{C427B646-F93D-48a1-894D-45085BFF39B9}.exe
                C:\Windows\{C427B646-F93D-48a1-894D-45085BFF39B9}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1996
                • C:\Windows\{796A02D0-4FFC-49e1-91A3-E2C8953F6571}.exe
                  C:\Windows\{796A02D0-4FFC-49e1-91A3-E2C8953F6571}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:344
                  • C:\Windows\{5EFB5DE6-5AC8-4c24-8E95-B3658C1FC6A8}.exe
                    C:\Windows\{5EFB5DE6-5AC8-4c24-8E95-B3658C1FC6A8}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2364
                    • C:\Windows\{DDEC9A49-5051-4554-93B1-AA5E0E16A8A4}.exe
                      C:\Windows\{DDEC9A49-5051-4554-93B1-AA5E0E16A8A4}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:1116
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{5EFB5~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1608
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{796A0~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2496
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{C427B~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1164
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{03DDB~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1068
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{20B6D~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2984
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{8001B~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1680
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{09EE6~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2684
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16AFE~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2688
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C44A31~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2056

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\{03DDBD82-CD28-4618-A76E-3BEE51061DEE}.exe
    Filesize

    91KB

    MD5

    ae3dbd3658b5930b3238d032c7887bc0

    SHA1

    e3ab23db5176bad752017a17aa49ef07e493a7f6

    SHA256

    bcd085be6421a845ddad75b007bffe086745bc1269cfeecf5529e57655b1f707

    SHA512

    310801a993de711dd7038b25cfdfaa9bc7492167a2a585dad84db338c507b7543b22b32c6f85acf8fa3ef87ea5f6490b67a826f9d003c4325536f22b95684e0c

    Download Submit

  • C:\Windows\{09EE6D94-1A60-4a28-8C15-FF1F5A3B2BD1}.exe
    Filesize

    91KB

    MD5

    10182cc3af030dc61bab6140223701a5

    SHA1

    835a6cb0e382bdbbf5ea6842e3da05143283b3ee

    SHA256

    c2a789a7012e7f3bab83ea2d45fc35519c638e2a7f4e1869f7187ca59ad9e2a6

    SHA512

    6ecef73b2181ea583714d210144a87f5a522ac68b56ed3c031d5a0d9d1af6191e7b18f1b3e4daa92849b3aae6bbba1c9da833daa8b26a66d7a0ed47c0a97a45c

    Download Submit

  • C:\Windows\{16AFEAE5-8BCD-4b58-B550-A36337BDC49D}.exe
    Filesize

    91KB

    MD5

    6a50d616de953d7634dac253f0c71885

    SHA1

    702429cf9f510dc6c42c7dea8cca12fbc154df03

    SHA256

    36886ed707a7778413dc3471ad385798ce12ed9df2b511efe789a5e807cfaa07

    SHA512

    4045321f1117122cbb029cb3d0207df48c95260810714c77ad104df63a710b0fa399f5862de09d728737394a700c66a83b89cbff899208f5b322e6c3f46c7967

    Download Submit

  • C:\Windows\{20B6DE0A-9598-481c-AAD0-E7D8B033747B}.exe
    Filesize

    91KB

    MD5

    2d97ddd4e7c7763e8755e89f6856fc8b

    SHA1

    a096f54482434284ab82f9ca1d4b5f9ccd11a995

    SHA256

    53fd542fba532309fb8f3105613d104b2431500ae2d01aa86eb5594eca1f4a42

    SHA512

    092bb726251eff66ac80ab7b89e84db30167bffa4964a87028a1a88f9d3af92b16fcbb19f2ba65a80e35bb4c32986e16312c0c32b665e1b160e7052b65fc6619

    Download Submit

  • C:\Windows\{5EFB5DE6-5AC8-4c24-8E95-B3658C1FC6A8}.exe
    Filesize

    91KB

    MD5

    e5aede94a0856e8bd7f00036167946b3

    SHA1

    eb536aa23de16d0dc3d3cee34cf6b1e60dc0f0cb

    SHA256

    0a088eae3c9e9fc1a78b1695b6b1354ebd2e56c1e1746209f1306855d2cb0455

    SHA512

    ec11192c06fde8d829e54f542819002060e1d1e6010b3e17779a1ec2c948a3ec943d89e2b10eb305565eb22ec815f9efe9da0df7e0bd9c814f33554aa9dbf4c5

    Download Submit

  • C:\Windows\{796A02D0-4FFC-49e1-91A3-E2C8953F6571}.exe
    Filesize

    91KB

    MD5

    94f4c0c01fe357de7a15029647745806

    SHA1

    1c53b96088db333ba7d797318939178422a7ad0e

    SHA256

    27e379276b8e1b7d37eeb17d3e45206dd3f71f8012be8e88f0825b3b07e62891

    SHA512

    8e3c61309688633946461164062a18b1a68f404ee14e33f6d2f18bab2affbe60127e1a4b962e51211b6b8919b7389e64660b4ce50ff8f44826b4778f1027c387

    Download Submit

  • C:\Windows\{8001B1F7-4D80-4da3-9C18-0255D5AE3493}.exe
    Filesize

    91KB

    MD5

    2dc3218c7241489783797d5632ad5080

    SHA1

    3e77a91cb8d7050e1ffad757b90461a6b351c8c0

    SHA256

    39cd639d35257ae70fe759df75dbebbe72e31414e9b406c5eb6d1237589f3604

    SHA512

    337d1e4718b3604fab4a6d4cdf563dc1319d56db22f76b5fcaeecee5f3d53c41a59102d9d7b84ba44f8ce4021365187c36c041f9d789ca91404746fea6b42457

    Download Submit

  • C:\Windows\{C427B646-F93D-48a1-894D-45085BFF39B9}.exe
    Filesize

    91KB

    MD5

    85f022c6d3d55c2268d20ce86cf7b7e6

    SHA1

    3e50bdc484a581f3d761d817a973cfc2cb125429

    SHA256

    e76e05ecaaf575db3ab50809138ecd290410c4d6e89c8b1ea74641b764bab44b

    SHA512

    43773e81d410d09841bd07a615c081c0ddb766332a32613eae5260736a23721c0ef7c2408d6a26208fc355aa44368b0bc9564733a7f1fde266db5051938d746a

    Download Submit

  • C:\Windows\{DDEC9A49-5051-4554-93B1-AA5E0E16A8A4}.exe
    Filesize

    91KB

    MD5

    cb325b3989a575654215e44d3b7a985e

    SHA1

    064f42ae5cb623f14932f77fd5a748a3356cc829

    SHA256

    8b18a72ea08d47c26c7dc4c3b4f2d0e10c9bd0e725ac02872ce2829cf7a996b1

    SHA512

    d90bf87d68d9f8a1faf43df0597f0f6ea14d46ca8d63653440cf108a865112ce45c034c1829fc8fa1f109eecb7874f569cf75317acd82e8f2148a380a69cf55a

    Download Submit

  • memory/344-80-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/344-68-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/344-77-0x00000000005E0000-0x00000000005F1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/344-76-0x00000000005E0000-0x00000000005F1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/848-30-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/848-34-0x0000000000430000-0x0000000000441000-memory.dmp

    Filesize

    68KB

    Download

  • memory/848-38-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1996-69-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1996-65-0x00000000003A0000-0x00000000003B1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1996-66-0x00000000003A0000-0x00000000003B1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2144-43-0x0000000000280000-0x0000000000291000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2144-49-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2144-40-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2364-89-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2364-84-0x0000000000330000-0x0000000000341000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2364-79-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2628-19-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2628-24-0x0000000000310000-0x0000000000321000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2628-20-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2628-29-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2720-0-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2720-9-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2720-3-0x00000000003A0000-0x00000000003B1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2720-1-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2744-18-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2744-13-0x0000000000320000-0x0000000000331000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2816-58-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2816-53-0x0000000000340000-0x0000000000351000-memory.dmp

    Filesize

    68KB

    Download