Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
13/10/2024, 00:44
General
-
Target
95a0a193638eac7f8fefc0d4f416409bf18b507855e802d64b180563852837f1.exe
-
Size
408KB
-
MD5
6f750833147e8499ca4a8e61cf2a9516
-
SHA1
5475e5936df9783a78bc4043f936b696968be6f7
-
SHA256
95a0a193638eac7f8fefc0d4f416409bf18b507855e802d64b180563852837f1
-
SHA512
f9182d032a230be2109a4048f872c85b568b8d8eda3fc74c721ec9102b478b9fc99e8e8a7c0d320a90013a3b71a35648db2578d1734c686eceda31a1cf24021c
-
SSDEEP
3072:CEGh0oZl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG7ldOe2MUVg3vTeKcAEciTBqr3jy
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Executes dropped EXE 12 IoCs
-
Drops file in Windows directory 12 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 25 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\95a0a193638eac7f8fefc0d4f416409bf18b507855e802d64b180563852837f1.exe"C:\Users\Admin\AppData\Local\Temp\95a0a193638eac7f8fefc0d4f416409bf18b507855e802d64b180563852837f1.exe"1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{B1445D2C-D164-4bc5-B64A-B6197CF43C72}.exeC:\Windows\{B1445D2C-D164-4bc5-B64A-B6197CF43C72}.exe2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{D881EA96-B6D8-489b-AC9A-0A836CA10A15}.exeC:\Windows\{D881EA96-B6D8-489b-AC9A-0A836CA10A15}.exe3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{AEB668C7-9527-4bd6-B99E-FE2E1A822896}.exeC:\Windows\{AEB668C7-9527-4bd6-B99E-FE2E1A822896}.exe4⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{682B0D0F-F5F3-4cc6-B38C-078D3688DFF7}.exeC:\Windows\{682B0D0F-F5F3-4cc6-B38C-078D3688DFF7}.exe5⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{68DBC167-0770-42fa-9916-C0F1A2AA89CB}.exeC:\Windows\{68DBC167-0770-42fa-9916-C0F1A2AA89CB}.exe6⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{29011393-91C1-476e-84EC-DCE0B28776D0}.exeC:\Windows\{29011393-91C1-476e-84EC-DCE0B28776D0}.exe7⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{2D76BC7A-7985-4556-974A-5C36CF61FD39}.exeC:\Windows\{2D76BC7A-7985-4556-974A-5C36CF61FD39}.exe8⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{EB09737E-F79F-4956-B471-2A2FB791A24B}.exeC:\Windows\{EB09737E-F79F-4956-B471-2A2FB791A24B}.exe9⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{D8D618E1-344D-4a78-9DB1-56B535FFB0FB}.exeC:\Windows\{D8D618E1-344D-4a78-9DB1-56B535FFB0FB}.exe10⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{1CF8C34F-8F26-4a18-B758-D59FCE05B009}.exeC:\Windows\{1CF8C34F-8F26-4a18-B758-D59FCE05B009}.exe11⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{F271CE71-9ABC-40f5-8D2F-67E218E255C2}.exeC:\Windows\{F271CE71-9ABC-40f5-8D2F-67E218E255C2}.exe12⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{7B3BF131-BCB2-4c20-B427-E68F023BF309}.exeC:\Windows\{7B3BF131-BCB2-4c20-B427-E68F023BF309}.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{F271C~1.EXE > nul13⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{1CF8C~1.EXE > nul12⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D8D61~1.EXE > nul11⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{EB097~1.EXE > nul10⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{2D76B~1.EXE > nul9⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{29011~1.EXE > nul8⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{68DBC~1.EXE > nul7⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{682B0~1.EXE > nul6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{AEB66~1.EXE > nul5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D881E~1.EXE > nul4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{B1445~1.EXE > nul3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\95A0A1~1.EXE > nul2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
408KB
MD504fbd9a66443e51825936ba60c47c578
SHA1b11690dd5b20649a5b4167a237907e1d91c53033
SHA256213c4382d81821b36a5ca21799a4fb34c85c0eceeb20dd6a38de74ad80080753
SHA512a661d87bb14629fcc07dde50179beca2018f9444c2369b654c50d46bd91eb5fb25626ef7e7fff1dfe9ca7a8be3799803cb22019e0d0f48d94954577acd2ff5df
-
Filesize
408KB
MD595bc11f47e2adca89a7b1f01aae7354d
SHA1cccb420eeb5f3dad6672973c3d3c9fca14d53c75
SHA256a6696c9d382c5825ee0534664bf59ce23d1093206198afa7259b2d2162d353e2
SHA5129bd88cc4aeb281889f93d76d619b857265756957c4b6c5db24250f03d0a49e4d58c5c3db5325f5d8f51bdf83bc2d0240cb109d98e7485d90da4c8329f1c6314e
-
Filesize
408KB
MD516b00ca9c815824a58e5ff1bce31aeca
SHA1b3cce46ba9a742963d26ffd27537c465ac1ca44c
SHA256bfcc2d4b72909c67516387235a25ba21b64347606e967314b522539cc8e29744
SHA512791452ad116c9e15ca034017f7f5b088bc7df494d875a8b7b47dade00794d40fee5eab2e80b793b569b9272068fe38eccbef6dd7ec542dd520b1bc7506ffa4cf
-
Filesize
408KB
MD594af3bbca1d4183cd7ecdcedb0e1eb96
SHA141af88075d7b68c5de9c9cff8952192d8efe8ca8
SHA25679d6fca45bdd749f93d182aaf719657de92c361342821438168613521280bce7
SHA5120331d92ff13b8ed2b796f7a0d4072ab1a4a2c072ebd5b3145e775e315984755ac7ba1335528d3a28cf85f5bcbc46982d8e419a61c9f7c72f79dd80ec7cc5f321
-
Filesize
408KB
MD5bb720f615008a21e927abec4a492b1ab
SHA1e7571c948eccc9e7e87709702cfad904bada1824
SHA2568463e3f779940ded834ba46f8ae563400dbba0ef919572e700c8109732bc462e
SHA512da8f84def1bd7b5a2573ef3a4ba296763994184d2e7012dc7c6a659d9470c3d3ac612efa82fe777e674e59a2dde7632e28e945a8ada543c9cb01f22df4f9db82
-
Filesize
408KB
MD503b1219e04e601eb041af192fbd15265
SHA10441996365558a354b230493653943c3f365c24e
SHA256df5b48f682ce526f16f7197ab2c75db084dd4656779be776b550edaed4de1911
SHA51263123d522a8bf73f72ba1ea5f114aa55c8ca3edac17fb760dcacd46b9954c440f49a144aa027628ad5aa8a41295b8ef088c393175ae778058e85fac5a06d1818
-
Filesize
408KB
MD5cf455018c6db0bb4e6cafef782d6d27b
SHA1ee6244357be2884afa8297271f6ff3402f2a897f
SHA25630072ffb078058ea2ac239e5111c85c769996a55bbd8567700f20e2649f58a3d
SHA51200b204ee7baaca40f0aafd5a29f204fe643f95072d0181cc3948a1be6e1b86a62a4a118f38c35b9cf4b7fc6320546b87b813448281a3a40da54dd0f0281fac47
-
Filesize
408KB
MD5fe69bcd0fda9fa554e967e48e6af061f
SHA103d0775863215a66cbb1438b288665a27e1d3d21
SHA2563a71af28b79347f085f5a76bc01b2764aaf5019fcfb7c85af28c29dbc24fe9f0
SHA512a25ee5da9845da58ec11f70fdda9f654634eacbae427db520e8e15fcf358de66ff0fca43d522d15cf8bc1044d8dc7574fcad8e56d2428699edac0578f2c64523
-
Filesize
408KB
MD5804e38cdceeff642fbe0ceca78eab02f
SHA1cc048cfc0d9098f3445fd4492262c997488f95aa
SHA256ecd165cfe15a05618a79e0e095c5d4ff85742e697f53ac8e93e5cc6bcdb1fb39
SHA512d351dd397007206352ac0db8312ee575a7d14445d74646dd6f34db2a78407a6ec8fc9e522e51fe27c1bc71ef3af3451dbd4f72d7653226938384d2af25c0c674
-
Filesize
408KB
MD5bd994b5cc3bddb6baf5d431a90f7d4bb
SHA16e962ff80db2493698c780889b37acb4668a5627
SHA256cf044b65a0bfe64c79f1bea73bc5169951884383598fa7fbd656e4a2e764cb26
SHA512e280bb6a99d8c22c7fa5ac5ec81998be95d07e19ada23f246780d0c43c53e6703965ae15c6fe8a328a9211b98433c16e89051079681f0a7d97de9eb592c87f34
-
Filesize
408KB
MD5b08a9b661ade4e08fcb9032725bc0782
SHA1c743c64fc83e8b432d269979f25913b3c15837aa
SHA256bc8bf5eaf7ab9def489f693aca9462b505b2081e672044a4ff23ec8a722f98d0
SHA512fb15d5dc835c2fc6dda9d7ccd8ba9a86913f08489385862c20e4240dbd519095137abdfb61c630984b7d14e09aca4e9b80e777b6071b2b0861e25d1cc3b8ff39
-
Filesize
408KB
MD554ea48086675198c0e3e9d0e5b4683ef
SHA1d8eb4434fcb554904af591b7c3b13d7969c8e522
SHA2565f8e09a5f94472935986f9c26efb55106d1366cf9c50abc1b49e988c48e0261c
SHA512c4d8db5387dfbeefc62db1c66f573edcd639e7d4902555c74729782027e487241d717776a1246bd707f1da5ffd94a90e0cbf14fea6a06118eb72defece601e8b