Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14/10/2024, 13:00

General

  • Target

    fcf90875dc813123658e39b06171a128465bf91dad3beff7eaa6574628397ddcN.exe

  • Size

    90KB

  • MD5

    59c3a2ba46fbef9e82930522b8dbbc00

  • SHA1

    ffbc4a498e2cf5669714c3e9aebbdce954914a19

  • SHA256

    fcf90875dc813123658e39b06171a128465bf91dad3beff7eaa6574628397ddc

  • SHA512

    b056776e5ac9b763a9046d118f54b7759b0a34a71dd585659727848ae57d7ba181935c2023e598e6b7293e3d19ab1db9cb6ea6644ed5e1d86e1516cc9768511d

  • SSDEEP

    768:Qvw9816vhKQLrolk4/wQRNrfrunMxVFA3b7glws:YEGh0oGl2unMxVS3Hgz

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fcf90875dc813123658e39b06171a128465bf91dad3beff7eaa6574628397ddcN.exe
    "C:\Users\Admin\AppData\Local\Temp\fcf90875dc813123658e39b06171a128465bf91dad3beff7eaa6574628397ddcN.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Windows\{30636273-560C-435c-BDEF-9AFAFF7BD9BB}.exe
      C:\Windows\{30636273-560C-435c-BDEF-9AFAFF7BD9BB}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2964
      • C:\Windows\{7E86B589-EDD1-41ff-8948-8B7E29B7BF36}.exe
        C:\Windows\{7E86B589-EDD1-41ff-8948-8B7E29B7BF36}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2056
        • C:\Windows\{8F152754-8205-43f2-A835-3FAC001AF2BA}.exe
          C:\Windows\{8F152754-8205-43f2-A835-3FAC001AF2BA}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2672
          • C:\Windows\{1F5E7AB3-FCAF-4726-93D0-4B9BFB4754A3}.exe
            C:\Windows\{1F5E7AB3-FCAF-4726-93D0-4B9BFB4754A3}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2524
            • C:\Windows\{E35426F6-B616-4587-910A-F3A18BD61E73}.exe
              C:\Windows\{E35426F6-B616-4587-910A-F3A18BD61E73}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1524
              • C:\Windows\{B595F630-283D-4bb4-AE57-1162839E3AE4}.exe
                C:\Windows\{B595F630-283D-4bb4-AE57-1162839E3AE4}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:940
                • C:\Windows\{4D18D027-9B42-4f26-9D9D-7EFCBC01B286}.exe
                  C:\Windows\{4D18D027-9B42-4f26-9D9D-7EFCBC01B286}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1976
                  • C:\Windows\{912DF15B-C46F-4fec-870E-0D9C79820527}.exe
                    C:\Windows\{912DF15B-C46F-4fec-870E-0D9C79820527}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2000
                    • C:\Windows\{6B27DECB-AAF9-42cc-B85A-581E9EBA7C0E}.exe
                      C:\Windows\{6B27DECB-AAF9-42cc-B85A-581E9EBA7C0E}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:1544
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{912DF~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2284
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{4D18D~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2296
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{B595F~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2552
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{E3542~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1844
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{1F5E7~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:568
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{8F152~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1652
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{7E86B~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2628
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30636~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2596
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\FCF908~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2064

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\{1F5E7AB3-FCAF-4726-93D0-4B9BFB4754A3}.exe

    Filesize

    90KB

    MD5

    7e3b34c80d8a843aa9267b3d8e49c69d

    SHA1

    f0edc8949b04b8a9bd59695859fc5659a5836775

    SHA256

    26f6ea97c780630b56df8b72c3273db8b457128bce9d327c37d00e8e0441ac1a

    SHA512

    31308300ff4ab3097a184170d42fb1aa9ebb760ddcd8f9508d274d23583328cc64c415a851e51c33ceda4dfc742e518ff13a2a793843209c61b40c3de6eaf5d5

  • C:\Windows\{30636273-560C-435c-BDEF-9AFAFF7BD9BB}.exe

    Filesize

    90KB

    MD5

    c550641bb6489533d40b8f181470b516

    SHA1

    afe1935812eebdb629f4808640d82d287af5995e

    SHA256

    36073ac0aaa01a92b620afedebe0509b55e977c400c76a34184bc888e2ba9b55

    SHA512

    b532d54c19e3041a25e3138ad213d570f18b7963ec3b79f10801ce080e7a0ba5728bbc6181e92c6a928ffb8cb20e3b38cc4e13e1e7faff904c2060a705a826c6

  • C:\Windows\{4D18D027-9B42-4f26-9D9D-7EFCBC01B286}.exe

    Filesize

    90KB

    MD5

    061befe7e4c71e30f905a072bf910cd0

    SHA1

    06a333f9bd874ad4b00ae9037f3d0bb4b3f732a8

    SHA256

    8889d6fd53b3bbd98ec044b85989bba6c4503d8a78a421d00b15d7b5dde26965

    SHA512

    d060ab15316d3b11451020d6b1aa06173cb3e324581fcd843622cc51f6e1dfbd502123f0e59c6736d8f9b12e7c8b03e6ddd52c9033227aa508ca373b0c874c76

  • C:\Windows\{6B27DECB-AAF9-42cc-B85A-581E9EBA7C0E}.exe

    Filesize

    90KB

    MD5

    953ae55eb546c17abce1544cbd4ab944

    SHA1

    8138d7b746d0663af91f89b85c00641e3f420f71

    SHA256

    dfa6606afaf6e03bca148d25399de787876502e773dcab2292be6bf56b641916

    SHA512

    f02af8cbedf3d5364eb8e01d57eecc82645f7fe7c4ba3dc07fd079f2c79fa165b1393829f561a0cd3b09b42b8b46ae0fb58b78cb043a689a0785711709854991

  • C:\Windows\{7E86B589-EDD1-41ff-8948-8B7E29B7BF36}.exe

    Filesize

    90KB

    MD5

    ebed215c8b4980512b63f3358d908964

    SHA1

    1b8388a97e0a7806ce57187555a5eaadf29b44a5

    SHA256

    b6347c03c57aa0ca7e3f31a7e5dbb9f6ba1d048829e5dc17be00cd16e55c1e99

    SHA512

    a6b61d5d166cf6e015f4e5be153562ffe4486c771d2cf8cbe13e136af63eeefebbac28ceb6256a96783307d546b3a504d15124391ac5e73e92a1a13ce8cfd301

  • C:\Windows\{8F152754-8205-43f2-A835-3FAC001AF2BA}.exe

    Filesize

    90KB

    MD5

    e88b82f56a654b41a6d907073dd57d12

    SHA1

    352ad518dfe47b9066f6f1ce24e8e703a3b62bb7

    SHA256

    73519470ab6ac235298843e4a49b03093c0048f3cb8df46fd77d02b8d210148e

    SHA512

    adaedc4227cd58e4e7b16f24f6dfadc72a3d24c69814aa039acd7c05144d0530529290f41b770cb8776e4f8a547b29ae473e8fb47f47626fb71a081968064cb5

  • C:\Windows\{912DF15B-C46F-4fec-870E-0D9C79820527}.exe

    Filesize

    90KB

    MD5

    3cd8fb7665f59cf2c0f0c58d3b771660

    SHA1

    38baee14a1a7e76448a4c3ec736b3e2d2b313156

    SHA256

    5d99c7f3bb73b63900e596ece237beb0e96f6163b08fc105d565715152d8ad2f

    SHA512

    34af2d0c3f7c51985df51476eefbe008ae3a05c64b6c89e76b352cb156f0d4c2fb16c68035feb3730b53602ba96798beb8057c9e3179f751ab49b17c8d41abeb

  • C:\Windows\{B595F630-283D-4bb4-AE57-1162839E3AE4}.exe

    Filesize

    90KB

    MD5

    b2b656d7b1e783e38a30b362541178f8

    SHA1

    a753562e1b2f9959b86862480d2245f7e5d3c3fb

    SHA256

    9adb7c7f4ef5bc813e408de8ff8e450a78ad340644b3b29c70eda1cfb64af3b2

    SHA512

    344a5eddb4a10879e42c179bb15cbdf0552443fcd1298a30325aca2c53e5aa571da7233467a5bf26711b93bd930480a0af31611ce0911245a3d2d029864374b3

  • C:\Windows\{E35426F6-B616-4587-910A-F3A18BD61E73}.exe

    Filesize

    90KB

    MD5

    cc5b5c0cad104723b7bbfb4de3eae568

    SHA1

    2e62536306ea309ce108dd326fe22db5bf25e695

    SHA256

    07235627ab45d097ca47e7e6421fcf54b851b51a1a2434c737e1969459ccc6cb

    SHA512

    380f3815539f18ebe754906c66c329464812ac56fc6a1ef83809d8c2bf99841c28491a3bb0813bde476056350d126f255a00a736c59b690b477504df478175c9