Analysis

  • max time kernel
    149s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/10/2024, 00:44

General

  • Target

    95a0a193638eac7f8fefc0d4f416409bf18b507855e802d64b180563852837f1.exe

  • Size

    408KB

  • MD5

    6f750833147e8499ca4a8e61cf2a9516

  • SHA1

    5475e5936df9783a78bc4043f936b696968be6f7

  • SHA256

    95a0a193638eac7f8fefc0d4f416409bf18b507855e802d64b180563852837f1

  • SHA512

    f9182d032a230be2109a4048f872c85b568b8d8eda3fc74c721ec9102b478b9fc99e8e8a7c0d320a90013a3b71a35648db2578d1734c686eceda31a1cf24021c

  • SSDEEP

    3072:CEGh0oZl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG7ldOe2MUVg3vTeKcAEciTBqr3jy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\95a0a193638eac7f8fefc0d4f416409bf18b507855e802d64b180563852837f1.exe
    "C:\Users\Admin\AppData\Local\Temp\95a0a193638eac7f8fefc0d4f416409bf18b507855e802d64b180563852837f1.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4324
    • C:\Windows\{B1445D2C-D164-4bc5-B64A-B6197CF43C72}.exe
      C:\Windows\{B1445D2C-D164-4bc5-B64A-B6197CF43C72}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4336
      • C:\Windows\{D881EA96-B6D8-489b-AC9A-0A836CA10A15}.exe
        C:\Windows\{D881EA96-B6D8-489b-AC9A-0A836CA10A15}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2448
        • C:\Windows\{AEB668C7-9527-4bd6-B99E-FE2E1A822896}.exe
          C:\Windows\{AEB668C7-9527-4bd6-B99E-FE2E1A822896}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1644
          • C:\Windows\{682B0D0F-F5F3-4cc6-B38C-078D3688DFF7}.exe
            C:\Windows\{682B0D0F-F5F3-4cc6-B38C-078D3688DFF7}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3748
            • C:\Windows\{68DBC167-0770-42fa-9916-C0F1A2AA89CB}.exe
              C:\Windows\{68DBC167-0770-42fa-9916-C0F1A2AA89CB}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2256
              • C:\Windows\{29011393-91C1-476e-84EC-DCE0B28776D0}.exe
                C:\Windows\{29011393-91C1-476e-84EC-DCE0B28776D0}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4416
                • C:\Windows\{2D76BC7A-7985-4556-974A-5C36CF61FD39}.exe
                  C:\Windows\{2D76BC7A-7985-4556-974A-5C36CF61FD39}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1404
                  • C:\Windows\{EB09737E-F79F-4956-B471-2A2FB791A24B}.exe
                    C:\Windows\{EB09737E-F79F-4956-B471-2A2FB791A24B}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3304
                    • C:\Windows\{D8D618E1-344D-4a78-9DB1-56B535FFB0FB}.exe
                      C:\Windows\{D8D618E1-344D-4a78-9DB1-56B535FFB0FB}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1392
                      • C:\Windows\{1CF8C34F-8F26-4a18-B758-D59FCE05B009}.exe
                        C:\Windows\{1CF8C34F-8F26-4a18-B758-D59FCE05B009}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1716
                        • C:\Windows\{F271CE71-9ABC-40f5-8D2F-67E218E255C2}.exe
                          C:\Windows\{F271CE71-9ABC-40f5-8D2F-67E218E255C2}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3276
                          • C:\Windows\{7B3BF131-BCB2-4c20-B427-E68F023BF309}.exe
                            C:\Windows\{7B3BF131-BCB2-4c20-B427-E68F023BF309}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:3660
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{F271C~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:5024
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{1CF8C~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:5040
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8D61~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:3040
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{EB097~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2460
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{2D76B~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3636
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{29011~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:5028
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{68DBC~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4476
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{682B0~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4780
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{AEB66~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4064
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{D881E~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2532
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1445~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1264
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\95A0A1~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:5112

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{1CF8C34F-8F26-4a18-B758-D59FCE05B009}.exe

    Filesize

    408KB

    MD5

    04fbd9a66443e51825936ba60c47c578

    SHA1

    b11690dd5b20649a5b4167a237907e1d91c53033

    SHA256

    213c4382d81821b36a5ca21799a4fb34c85c0eceeb20dd6a38de74ad80080753

    SHA512

    a661d87bb14629fcc07dde50179beca2018f9444c2369b654c50d46bd91eb5fb25626ef7e7fff1dfe9ca7a8be3799803cb22019e0d0f48d94954577acd2ff5df

  • C:\Windows\{29011393-91C1-476e-84EC-DCE0B28776D0}.exe

    Filesize

    408KB

    MD5

    95bc11f47e2adca89a7b1f01aae7354d

    SHA1

    cccb420eeb5f3dad6672973c3d3c9fca14d53c75

    SHA256

    a6696c9d382c5825ee0534664bf59ce23d1093206198afa7259b2d2162d353e2

    SHA512

    9bd88cc4aeb281889f93d76d619b857265756957c4b6c5db24250f03d0a49e4d58c5c3db5325f5d8f51bdf83bc2d0240cb109d98e7485d90da4c8329f1c6314e

  • C:\Windows\{2D76BC7A-7985-4556-974A-5C36CF61FD39}.exe

    Filesize

    408KB

    MD5

    16b00ca9c815824a58e5ff1bce31aeca

    SHA1

    b3cce46ba9a742963d26ffd27537c465ac1ca44c

    SHA256

    bfcc2d4b72909c67516387235a25ba21b64347606e967314b522539cc8e29744

    SHA512

    791452ad116c9e15ca034017f7f5b088bc7df494d875a8b7b47dade00794d40fee5eab2e80b793b569b9272068fe38eccbef6dd7ec542dd520b1bc7506ffa4cf

  • C:\Windows\{682B0D0F-F5F3-4cc6-B38C-078D3688DFF7}.exe

    Filesize

    408KB

    MD5

    94af3bbca1d4183cd7ecdcedb0e1eb96

    SHA1

    41af88075d7b68c5de9c9cff8952192d8efe8ca8

    SHA256

    79d6fca45bdd749f93d182aaf719657de92c361342821438168613521280bce7

    SHA512

    0331d92ff13b8ed2b796f7a0d4072ab1a4a2c072ebd5b3145e775e315984755ac7ba1335528d3a28cf85f5bcbc46982d8e419a61c9f7c72f79dd80ec7cc5f321

  • C:\Windows\{68DBC167-0770-42fa-9916-C0F1A2AA89CB}.exe

    Filesize

    408KB

    MD5

    bb720f615008a21e927abec4a492b1ab

    SHA1

    e7571c948eccc9e7e87709702cfad904bada1824

    SHA256

    8463e3f779940ded834ba46f8ae563400dbba0ef919572e700c8109732bc462e

    SHA512

    da8f84def1bd7b5a2573ef3a4ba296763994184d2e7012dc7c6a659d9470c3d3ac612efa82fe777e674e59a2dde7632e28e945a8ada543c9cb01f22df4f9db82

  • C:\Windows\{7B3BF131-BCB2-4c20-B427-E68F023BF309}.exe

    Filesize

    408KB

    MD5

    03b1219e04e601eb041af192fbd15265

    SHA1

    0441996365558a354b230493653943c3f365c24e

    SHA256

    df5b48f682ce526f16f7197ab2c75db084dd4656779be776b550edaed4de1911

    SHA512

    63123d522a8bf73f72ba1ea5f114aa55c8ca3edac17fb760dcacd46b9954c440f49a144aa027628ad5aa8a41295b8ef088c393175ae778058e85fac5a06d1818

  • C:\Windows\{AEB668C7-9527-4bd6-B99E-FE2E1A822896}.exe

    Filesize

    408KB

    MD5

    cf455018c6db0bb4e6cafef782d6d27b

    SHA1

    ee6244357be2884afa8297271f6ff3402f2a897f

    SHA256

    30072ffb078058ea2ac239e5111c85c769996a55bbd8567700f20e2649f58a3d

    SHA512

    00b204ee7baaca40f0aafd5a29f204fe643f95072d0181cc3948a1be6e1b86a62a4a118f38c35b9cf4b7fc6320546b87b813448281a3a40da54dd0f0281fac47

  • C:\Windows\{B1445D2C-D164-4bc5-B64A-B6197CF43C72}.exe

    Filesize

    408KB

    MD5

    fe69bcd0fda9fa554e967e48e6af061f

    SHA1

    03d0775863215a66cbb1438b288665a27e1d3d21

    SHA256

    3a71af28b79347f085f5a76bc01b2764aaf5019fcfb7c85af28c29dbc24fe9f0

    SHA512

    a25ee5da9845da58ec11f70fdda9f654634eacbae427db520e8e15fcf358de66ff0fca43d522d15cf8bc1044d8dc7574fcad8e56d2428699edac0578f2c64523

  • C:\Windows\{D881EA96-B6D8-489b-AC9A-0A836CA10A15}.exe

    Filesize

    408KB

    MD5

    804e38cdceeff642fbe0ceca78eab02f

    SHA1

    cc048cfc0d9098f3445fd4492262c997488f95aa

    SHA256

    ecd165cfe15a05618a79e0e095c5d4ff85742e697f53ac8e93e5cc6bcdb1fb39

    SHA512

    d351dd397007206352ac0db8312ee575a7d14445d74646dd6f34db2a78407a6ec8fc9e522e51fe27c1bc71ef3af3451dbd4f72d7653226938384d2af25c0c674

  • C:\Windows\{D8D618E1-344D-4a78-9DB1-56B535FFB0FB}.exe

    Filesize

    408KB

    MD5

    bd994b5cc3bddb6baf5d431a90f7d4bb

    SHA1

    6e962ff80db2493698c780889b37acb4668a5627

    SHA256

    cf044b65a0bfe64c79f1bea73bc5169951884383598fa7fbd656e4a2e764cb26

    SHA512

    e280bb6a99d8c22c7fa5ac5ec81998be95d07e19ada23f246780d0c43c53e6703965ae15c6fe8a328a9211b98433c16e89051079681f0a7d97de9eb592c87f34

  • C:\Windows\{EB09737E-F79F-4956-B471-2A2FB791A24B}.exe

    Filesize

    408KB

    MD5

    b08a9b661ade4e08fcb9032725bc0782

    SHA1

    c743c64fc83e8b432d269979f25913b3c15837aa

    SHA256

    bc8bf5eaf7ab9def489f693aca9462b505b2081e672044a4ff23ec8a722f98d0

    SHA512

    fb15d5dc835c2fc6dda9d7ccd8ba9a86913f08489385862c20e4240dbd519095137abdfb61c630984b7d14e09aca4e9b80e777b6071b2b0861e25d1cc3b8ff39

  • C:\Windows\{F271CE71-9ABC-40f5-8D2F-67E218E255C2}.exe

    Filesize

    408KB

    MD5

    54ea48086675198c0e3e9d0e5b4683ef

    SHA1

    d8eb4434fcb554904af591b7c3b13d7969c8e522

    SHA256

    5f8e09a5f94472935986f9c26efb55106d1366cf9c50abc1b49e988c48e0261c

    SHA512

    c4d8db5387dfbeefc62db1c66f573edcd639e7d4902555c74729782027e487241d717776a1246bd707f1da5ffd94a90e0cbf14fea6a06118eb72defece601e8b