Analysis

  • max time kernel: 144s
  • max time network: 120s
  • platform: windows7_x64
  • resource: win7-20240708-en
  • resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted: 13/10/2024, 00:44

General

  • Target: 95a0a193638eac7f8fefc0d4f416409bf18b507855e802d64b180563852837f1.exe
  • Size: 408KB
  • MD5: 6f750833147e8499ca4a8e61cf2a9516
  • SHA1: 5475e5936df9783a78bc4043f936b696968be6f7
  • SHA256: 95a0a193638eac7f8fefc0d4f416409bf18b507855e802d64b180563852837f1
  • SHA512: f9182d032a230be2109a4048f872c85b568b8d8eda3fc74c721ec9102b478b9fc99e8e8a7c0d320a90013a3b71a35648db2578d1734c686eceda31a1cf24021c
  • SSDEEP: 3072:CEGh0oZl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG7ldOe2MUVg3vTeKcAEciTBqr3jy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\95a0a193638eac7f8fefc0d4f416409bf18b507855e802d64b180563852837f1.exe
    "C:\Users\Admin\AppData\Local\Temp\95a0a193638eac7f8fefc0d4f416409bf18b507855e802d64b180563852837f1.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Windows\{4DA92501-E2DB-4948-97A1-E2E9958498FF}.exe
      C:\Windows\{4DA92501-E2DB-4948-97A1-E2E9958498FF}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2320
      • C:\Windows\{2D36934B-D3F9-407e-A649-7387A5D84EDC}.exe
        C:\Windows\{2D36934B-D3F9-407e-A649-7387A5D84EDC}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2780
        • C:\Windows\{E52C294A-F80F-424a-8A87-1125CC2ACAEC}.exe
          C:\Windows\{E52C294A-F80F-424a-8A87-1125CC2ACAEC}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3044
          • C:\Windows\{7D4D5B01-3A3C-4ccb-BCC5-6CEA33F1BE15}.exe
            C:\Windows\{7D4D5B01-3A3C-4ccb-BCC5-6CEA33F1BE15}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2636
            • C:\Windows\{0A43791A-B20A-4f8f-A590-DBAAEA9EBC8B}.exe
              C:\Windows\{0A43791A-B20A-4f8f-A590-DBAAEA9EBC8B}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1008
              • C:\Windows\{E39B5CE4-E9E0-4e88-A8C4-B2706F6BDC56}.exe
                C:\Windows\{E39B5CE4-E9E0-4e88-A8C4-B2706F6BDC56}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1116
                • C:\Windows\{03521DDD-FC53-49a2-9834-9DBA4E2A9A05}.exe
                  C:\Windows\{03521DDD-FC53-49a2-9834-9DBA4E2A9A05}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2984
                  • C:\Windows\{B142AB84-36D3-45ca-9AF0-FF6316ACE81C}.exe
                    C:\Windows\{B142AB84-36D3-45ca-9AF0-FF6316ACE81C}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3064
                    • C:\Windows\{352DB7C1-45B2-41d2-B250-459CCFCE0048}.exe
                      C:\Windows\{352DB7C1-45B2-41d2-B250-459CCFCE0048}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2276
                      • C:\Windows\{97BE3272-98CD-4a81-B387-830C73D4E009}.exe
                        C:\Windows\{97BE3272-98CD-4a81-B387-830C73D4E009}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1920
                        • C:\Windows\{F6364B69-5155-4664-BD75-643126F0BC8F}.exe
                          C:\Windows\{F6364B69-5155-4664-BD75-643126F0BC8F}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2552
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{97BE3~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1812
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{352DB~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2364
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{B142A~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2360
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{03521~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1224
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{E39B5~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1056
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{0A437~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2900
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{7D4D5~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1804
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{E52C2~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2676
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{2D369~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2664
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4DA92~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2852
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\95A0A1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2112

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{03521DDD-FC53-49a2-9834-9DBA4E2A9A05}.exe
    Filesize: 408KB
    MD5: 92f99b62e591b007d0221eb69ce74575
    SHA1: 0f51816b5345d2064cc13667285878017173e663
    SHA256: db0f642761de5140753bb8601e5af9b59b5913fbe67dd70bb46d5f2fc1668ac5
    SHA512: 7f8d73a5fb2058e4fc01d8b00393bba7fc475a4af630b2b61e621a7e99d156e6be72a4f7e9def93236c90184e259fda6a282ae9e8ab49b64597891458538728d

  • C:\Windows\{0A43791A-B20A-4f8f-A590-DBAAEA9EBC8B}.exe
    Filesize: 408KB
    MD5: 0c58e18cc8812a45a1505fd693563c8d
    SHA1: 4bdaadd619badd29daef240fd6ddef9cbc4874b4
    SHA256: 79ff898d85df51d50ec465a6a9e3dd46a704f82acf11705fd0b8366ea83e63a4
    SHA512: 603fff9e7b59471a9337bdc1b9aa875990760ea56b9df9d24aa40fe53b5b2d928cea902e9df73a715cefcad140dfe75319aa311a501ede5d0fceff17b036b71a

  • C:\Windows\{2D36934B-D3F9-407e-A649-7387A5D84EDC}.exe
    Filesize: 408KB
    MD5: f7a1156d14f22a07f299a6f81141d223
    SHA1: 3d21e000d5979cc23807dc637372cf7bff17a7e6
    SHA256: 0d4a9b1f3f38abff8c9ff6abff9a6e4c7f33cb3d5bd8a1099e0f49c0200bb34c
    SHA512: 4d3b856d585390f09dba605495641cd7e797303a3b1923e74f25a0392f992913c65fe6c0d9c0e6748494c42f15452adfc9989e9403037495feadc5d9f9b70c77

  • C:\Windows\{352DB7C1-45B2-41d2-B250-459CCFCE0048}.exe
    Filesize: 408KB
    MD5: cb8a6098c02934fe3a6181e6f9091335
    SHA1: ccc31b859c63bd8bb57db3d0ad756c419c64529d
    SHA256: fae355a13ff1b8729edf596b9281bcac23ae4e9665551416a07c078df7282d29
    SHA512: 4407aa83060eb0c5b9c28f490c526a7009a44ad114fcd1167e7be118aecffc79627b39c96d6434895e4216de5a5ed22a91b0d4cc0768c6f41f4a57e17ea5ca11

  • C:\Windows\{4DA92501-E2DB-4948-97A1-E2E9958498FF}.exe
    Filesize: 408KB
    MD5: dc519a5c0e1a5eab35b58be24649de96
    SHA1: 534de4fa5125063098c694d534ce44d6554e4dec
    SHA256: 2cc3b2da51497b7eb87eb0349c0ab93b40c0e986064e8cddb5008e95e6169a7c
    SHA512: 53303386aea92a4cfa3e23a0957f4530ab0125d2072cf6e76c21a49258df2a4bddd0591fe96302a2fe0c024e1fb62140291e14a9a55d3b6ebeff153b3ef7e305

  • C:\Windows\{7D4D5B01-3A3C-4ccb-BCC5-6CEA33F1BE15}.exe
    Filesize: 408KB
    MD5: 11e7054d5606c52f19cdb3db1d5882d2
    SHA1: 8af27a4e4fd82fb84c17b336a11be547bfe8f0db
    SHA256: ce10388f00a9bd921fc48423362919c1b6ebc6e606681d7a416174ceccc5a53a
    SHA512: 2b2f0188663264d645753f74d5def35b69d4894661b51ca9ea2ee1f4183b42fdd3730aa031e17bd13c49f76fb40ba4b189d9e64c3cc8b94720aab36df35493c0

  • C:\Windows\{97BE3272-98CD-4a81-B387-830C73D4E009}.exe
    Filesize: 408KB
    MD5: 14fb3ae00c337a0907bab923b60e7f2c
    SHA1: a1c6a723a8c73dd28d653edd2fe90d19c9f1b1c2
    SHA256: fde91a67157a348a915e35b781f1645486538415b84f9f23efb86027935326ae
    SHA512: 8fa98c13bf7c010a1e2a9e027f6d88ad5ae5842874d7a98c587d1f7ee6458703eb654a45079593da81eba7e61c501851462da56428a0a755b21038035282c612

  • C:\Windows\{B142AB84-36D3-45ca-9AF0-FF6316ACE81C}.exe
    Filesize: 408KB
    MD5: ce99bf4482159fbb28c45d17b9f0d8c9
    SHA1: 3ad9722824b36550048001516b5beef4d8325783
    SHA256: 4a7da75eacd1a723b44e3c2841186e9af2e476292eb211b4d7548913ee5567e5
    SHA512: ad9f248a73fbe7ca7145a40db62355fb4c06fd13a201764d6e37d772d004d634f1e0d3151947853bb85287cec5f4a7d280963a1c8873a65888f98b43e60b5a4e

  • C:\Windows\{E39B5CE4-E9E0-4e88-A8C4-B2706F6BDC56}.exe
    Filesize: 408KB
    MD5: 19eb327e45882293c0dbe13cb549c1ff
    SHA1: ed472540bbed4f71e159d51381f3206c4639ae48
    SHA256: c88dde16156909d9bf32d4d5520defecd8f0835e0b4df6f025742dda6cc64696
    SHA512: 6a32834afb3f014ec6e9b3b1a9e4411528ce3fd698c015948fc15c87cda379272fba2f58a647feb32018f551f8743276af3c2de95a59fd3ef258c32bee78f3f0

  • C:\Windows\{E52C294A-F80F-424a-8A87-1125CC2ACAEC}.exe
    Filesize: 408KB
    MD5: 978b9157efeea88bfefde85ad5d55fe3
    SHA1: 5413aa31a2e2e4a5340a7278529d30dca6f71417
    SHA256: e3bdc29eb8f61a685ec96fcd040d246244b42c3d8aca866d5c03c92261932b14
    SHA512: 02c079eec2f50111d64d1f0394539f0a73603dc8ee8e801bcf8f71bd7e30b0d39dad933ec2dbf9484a2d623e66eb113d1dbe4a748b7a014b3b009a04e06a1c9d

  • C:\Windows\{F6364B69-5155-4664-BD75-643126F0BC8F}.exe
    Filesize: 408KB
    MD5: eb6f271e01e7c948a00bf6fd804a3b42
    SHA1: df1a126cdfea35b50951742497a708a285abb038
    SHA256: 1ebf99562fd90bdd18484bf129e20baa6d44eb1eae476b0a1853b6c78410752e
    SHA512: b230143d31ab00ede380e8b4653e796839708b6ca00e892102ce7ab860ee94b4b03e04ba10fe93295843421f7288b532e87dd10118cab80643cc076fe679e506