Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

d719688d3c...fN.exe

windows7-x64

8

d719688d3c...fN.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    118s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/10/2024, 15:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d719688d3c98cf4611513b61bbd41083a2c8246a8854481236d0e6b2ae57ed9fN.exe

  • Size

    90KB

  • MD5

    6c76a2756679ccdd6a605cb320f6ba50

  • SHA1

    af8b289f703229a1f661c2a1c18446b4c09f37e1

  • SHA256

    d719688d3c98cf4611513b61bbd41083a2c8246a8854481236d0e6b2ae57ed9f

  • SHA512

    1fe6aa32f32fbcde444efe7acec7de24ba6dcdc10a078ab424056731c0e4f43589d7dd34db3f2424c27e25ec14537b057461f94c16d4ecf564da9bed3e4866d6

  • SSDEEP

    768:5vw9816uhKiroD4/wQNNrfrunMxVFA3bA:lEGkmoDlCunMxVS3c

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d719688d3c98cf4611513b61bbd41083a2c8246a8854481236d0e6b2ae57ed9fN.exe
    "C:\Users\Admin\AppData\Local\Temp\d719688d3c98cf4611513b61bbd41083a2c8246a8854481236d0e6b2ae57ed9fN.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3292
    • C:\Windows\{8EC2EE83-08E4-49d2-8C62-702B5D98B434}.exe
      C:\Windows\{8EC2EE83-08E4-49d2-8C62-702B5D98B434}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1380
      • C:\Windows\{74432742-22CF-4564-A159-1B6089A77058}.exe
        C:\Windows\{74432742-22CF-4564-A159-1B6089A77058}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4320
        • C:\Windows\{D4709338-C029-45be-817E-8A9993922FC7}.exe
          C:\Windows\{D4709338-C029-45be-817E-8A9993922FC7}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1368
          • C:\Windows\{E27254E0-E1A9-4b4d-9A2A-D3354086E498}.exe
            C:\Windows\{E27254E0-E1A9-4b4d-9A2A-D3354086E498}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1240
            • C:\Windows\{8A5B2078-5991-4852-BAAF-399FB2988190}.exe
              C:\Windows\{8A5B2078-5991-4852-BAAF-399FB2988190}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1068
              • C:\Windows\{5113B12C-D8DF-4d9f-B5F0-CCC303B0EA7B}.exe
                C:\Windows\{5113B12C-D8DF-4d9f-B5F0-CCC303B0EA7B}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3260
                • C:\Windows\{9A9DC91E-99AA-4bed-8DDE-EC41A6662E9A}.exe
                  C:\Windows\{9A9DC91E-99AA-4bed-8DDE-EC41A6662E9A}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4256
                  • C:\Windows\{51A58B56-50A9-4297-995E-51A9A3A1C936}.exe
                    C:\Windows\{51A58B56-50A9-4297-995E-51A9A3A1C936}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3412
                    • C:\Windows\{9C66CA8B-8960-4cdd-BB8B-52F0E552B5C3}.exe
                      C:\Windows\{9C66CA8B-8960-4cdd-BB8B-52F0E552B5C3}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:1744
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{51A58~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4704
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{9A9DC~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2044
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{5113B~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3664
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{8A5B2~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3104
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{E2725~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3608
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{D4709~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2980
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{74432~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2948
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8EC2E~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3336
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D71968~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1968

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\{5113B12C-D8DF-4d9f-B5F0-CCC303B0EA7B}.exe
    Filesize

    90KB

    MD5

    44a110ff685d204adfa93e455e3c805a

    SHA1

    08eb812b54533a3ee3122f0dbfb34afac18555ed

    SHA256

    0cd72c1bf7df8a7ceed0341e63180c59c0ec1efb7cb176c33de735e8e7d18c86

    SHA512

    c9e5a71cb1de3a6bdb6d7b7e6463fc79f68c57ea51eef37e4f133862cc36fed39b78a952b55f19105220a7aff33c0b4a3980130c9288e84c305f44fd91280af5

    Download Submit

  • C:\Windows\{51A58B56-50A9-4297-995E-51A9A3A1C936}.exe
    Filesize

    90KB

    MD5

    924ff4f30d4cb1313b85abc4acc10753

    SHA1

    9b50e06aae15c04433b3c3e713f44c232397a12a

    SHA256

    ca9c5000c8eddf5066ea3678486bf1499462a558d56d049484a0d18fd5f256b5

    SHA512

    41a983da2f65a98f5be78db658f0b3caea14a5debe790170271b5ce2d6c95834f31dfa898a2858fa762a36a02288ed07ab3a256dfc585c6943090121c7ce8418

    Download Submit

  • C:\Windows\{74432742-22CF-4564-A159-1B6089A77058}.exe
    Filesize

    90KB

    MD5

    0cb8a30c8dcb9be56f78c89529431a9a

    SHA1

    55a9f8bd10c647eaa4311275e414bbc2d52712dd

    SHA256

    4f80604a2627fd631c84c9dd35f23992a6245696f4129e9c5a107c2fde4b2ad7

    SHA512

    36466b52793ed448ed36b5a9d0a4c0983d84da569007d5a6b0ad736f177a7fa8729bd0bcfd4f0e6185422dd7b9f28c0f476e7ee827cabb9043676a2a9f571056

    Download Submit

  • C:\Windows\{8A5B2078-5991-4852-BAAF-399FB2988190}.exe
    Filesize

    90KB

    MD5

    dbf4137830b3171dac9b7320463b6107

    SHA1

    ffea3b482a83dfe1e3db325a09bd3b605b21db9b

    SHA256

    15f747f78090eb350ff1823fa7ec4997f6b92f522ecaebbd27aea7921892d661

    SHA512

    4d94161ad8eab256bc695e875bb9459061e233d725960c5ba9cadf3aabda83c0bc1ededf104f17af5d8ecbac352bebc3e47f3fa2df9f57cd357c2e0ec4a8221b

    Download Submit

  • C:\Windows\{8EC2EE83-08E4-49d2-8C62-702B5D98B434}.exe
    Filesize

    90KB

    MD5

    70e6500c2dbe1f5ca6026bf893ac2d1b

    SHA1

    3f53ebb25ad3f8c68ddbd85e51ead394d3b32d7e

    SHA256

    196a79ebeb58a646ed965324565151528d465f1b7a02317dc3edec85a5f9378c

    SHA512

    7d18612d419529e7b53de854e6b92416bb1866a10922b4d53c0c224b749d1ea89ce6a93a1bee6cd5f38b255dd20a8c0327bbd96141f5c6d3efe0d853645b8353

    Download Submit

  • C:\Windows\{9A9DC91E-99AA-4bed-8DDE-EC41A6662E9A}.exe
    Filesize

    90KB

    MD5

    478bbe55fac81d2ee65d5a39d400de95

    SHA1

    ade3fc3702b583c252c21d7b34ba0cab6d6d2146

    SHA256

    8953cea539a6f731f6268829ff0588d5b12faeb9675bc5f1ca2a50a5b56a5aaa

    SHA512

    55d9a42ecb99103fe13270610bc42aa17077a7972b1510bc262ce41fdb862be77506bab7414bb3525009955373eb026ae9e83fbc850f15bb46116302a0e3a4f0

    Download Submit

  • C:\Windows\{9C66CA8B-8960-4cdd-BB8B-52F0E552B5C3}.exe
    Filesize

    90KB

    MD5

    cb6313dfb3c923f0f4dc6d5dcccb2277

    SHA1

    7305669a5853480c325d0d8683b1a993d389ca9e

    SHA256

    8fdbf937cac6575aca3816db6ac9f88d6b97f1db3005a593c7680ee541dd9e1f

    SHA512

    2804dfdb885b45804709e5d000914efff6bfd74a8e67a7bdcd1c4ddb6047317e192245909bd225eaf6ce79d80f05da409b336faede1ad66d0ac0c0c49fef53b1

    Download Submit

  • C:\Windows\{D4709338-C029-45be-817E-8A9993922FC7}.exe
    Filesize

    90KB

    MD5

    dbdd8df023c0d2857db48be9b554b001

    SHA1

    03c3d7def6ec2dc67b64e0f3384bb54561b93cb2

    SHA256

    dc0dee3e1168a6750f4365c93a45066f993283bf04db6023b93a6f9170168160

    SHA512

    7c77eb74f5e7ed925634405af04cd1700a5ac2539df08e4ecbe33bb5710253fe748b54bb4506efe9d59c3f6185b7b3b3285ef2c0c8440082da232dc636e0618d

    Download Submit

  • C:\Windows\{E27254E0-E1A9-4b4d-9A2A-D3354086E498}.exe
    Filesize

    90KB

    MD5

    6b3a7ed9552f743c7c7c03c808027183

    SHA1

    f6ed8448a85b01556e62de821e2176b6b6966bfa

    SHA256

    63ac562588793e52692b2aaaca44a4f30edae63e9ba64af91a62ec19aa2486fd

    SHA512

    c44ea9edba6a47775a82d37df0897e2c1c6e99b290246c151daa80d540ea9837ce6711389c801d66ebf795c97d1ca6dc49664f7019b2d81eac0215f8aa6396e7

    Download Submit

  • memory/1068-31-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1068-36-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1240-24-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1240-29-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1368-23-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1380-5-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1380-8-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1380-11-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1744-54-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3260-41-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3260-37-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3292-7-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3292-0-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3292-1-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3412-48-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3412-52-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4256-42-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4256-47-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4320-19-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4320-13-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download