Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

11a186984a...8e.exe

windows7-x64

10

11a186984a...8e.exe

windows10-2004-x64

10

12085ebb04...95.exe

windows7-x64

7

12085ebb04...95.exe

windows10-2004-x64

7

12106013cf...70.exe

windows7-x64

7

12106013cf...70.exe

windows10-2004-x64

10

12199d72af...85.exe

windows7-x64

7

12199d72af...85.exe

windows10-2004-x64

7

1221040998...44.exe

windows7-x64

1

1221040998...44.exe

windows10-2004-x64

1

124dba0b2d...f5.exe

windows7-x64

10

124dba0b2d...f5.exe

windows10-2004-x64

10

1277e3138b...40.exe

windows7-x64

7

1277e3138b...40.exe

windows10-2004-x64

7

128d992668...24.exe

windows7-x64

128d992668...24.exe

windows10-2004-x64

12ad57fc11...51.exe

windows7-x64

10

12ad57fc11...51.exe

windows10-2004-x64

10

12c28767fd...83.exe

windows7-x64

7

12c28767fd...83.exe

windows10-2004-x64

7

12c96664a8...ef.exe

windows7-x64

1

12c96664a8...ef.exe

windows10-2004-x64

8

12d3790d20...e3.exe

windows7-x64

10

12d3790d20...e3.exe

windows10-2004-x64

10

12e02e413d...cd.exe

windows7-x64

10

12e02e413d...cd.exe

windows10-2004-x64

10

1300fbf843...ba.exe

windows7-x64

1

1300fbf843...ba.exe

windows10-2004-x64

1

1302b023e7...d0.exe

windows7-x64

10

1302b023e7...d0.exe

windows10-2004-x64

10

132d07a999...ba.exe

windows7-x64

10

132d07a999...ba.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/03/2025, 06:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    12c96664a866ff277b9245ef96eb64bd45af3f29145600b828a14312ba332fef.exe

  • Size

    7KB

  • MD5

    052f8da8eca0f195329d1a618a6683ce

  • SHA1

    8c087025e9b024e25e27ab00ddc048293c54d412

  • SHA256

    12c96664a866ff277b9245ef96eb64bd45af3f29145600b828a14312ba332fef

  • SHA512

    c476be2aa32aa6b580bec8999f3c8c117ef11c671b41dc901c3a696b229039955af88db981b51557503e489307e5afa526a9f17898d1705c3ebd4488203d0ab4

  • SSDEEP

    96:Mf3XHOS6XdF4T8IMcE6eKAZZ0QIiyBLyAO61V3iKUNDNQa90a:MP/6XdOTztwZ0QIr31V3KNDr

Score
8/10
persistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 3 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Enumerates connected drives 3 TTPs 6 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 42 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 50 IoCs
  • Suspicious use of SendNotifyMessage 34 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 1 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3516
    • C:\Users\Admin\AppData\Local\Temp\12c96664a866ff277b9245ef96eb64bd45af3f29145600b828a14312ba332fef.exe
      "C:\Users\Admin\AppData\Local\Temp\12c96664a866ff277b9245ef96eb64bd45af3f29145600b828a14312ba332fef.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4656
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2824
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2268
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4680
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies registry class
    PID:3368
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2432
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4400
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
      PID:1788
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
        PID:3876
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
          PID:1440

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
          Filesize

          471B

          MD5

          bc9ee90f5632c849c038af0b4f633a56

          SHA1

          acb037c3af64f9c0297e9a664262e5fdc7db7844

          SHA256

          ae633ee941cf706045373cd46e793c7846f6b7b73d8933053e17c93ee9234e14

          SHA512

          b1819e29f71f4f5e08dd2d75480e3fe4aabfd7507c9ec00d093cfb0ea94bcb028780c4a543330a58b0678a19a201e2adc08a35310de65c92f358376b7dbdc3ed

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
          Filesize

          412B

          MD5

          07aaf9f09444c2ceaf4b561c74e8e2a7

          SHA1

          fba59adf8c70d884a7a1dfde45d3f69a5ae988e3

          SHA256

          e5e1d37987c3a130b38452eedbd944d77e0610f5a087780e63711e3dbcc4ed27

          SHA512

          56bca40659d96cd4cc5b20d9fcaf2fa4db7cee7fc2fe33936c8f02b694e0b65a8a0a154b2204f7ae0d40787d2bd60a2349782daa12f7ff1b48fa3799d7aefb7e

          Download Submit

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133870974763929371.txt
          Filesize

          84KB

          MD5

          1dc1e3ced20d8c9b4eae58b51b5376d8

          SHA1

          42a9b0271e3113b28b9592f1763e0d9c80ededc5

          SHA256

          1de8d9dfb2402b62115db69c0ed4334debbf3c3a59666a87aadffd3e6898e75c

          SHA512

          d022fb5833377949c0fc50467ebbda112f2c2c02476580218c8a21be3f034f5c9f6baf75403e59ebf3b01a4d0b047dbb3496159ced3214c2eb1899f5041d8508

          Download Submit

        • memory/3368-35-0x000001C0681D0000-0x000001C0682D0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/3368-65-0x000001C068BB0000-0x000001C068BD0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/3368-66-0x000001C0691C0000-0x000001C0691E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/3368-38-0x000001C068E00000-0x000001C068E20000-memory.dmp

          Filesize

          128KB

          Download

        • memory/3368-33-0x000001C0681D0000-0x000001C0682D0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/3516-2-0x0000000000570000-0x0000000000571000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3516-6-0x00000000005D0000-0x00000000005D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3876-32-0x0000000004770000-0x0000000004771000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4656-0-0x00007FFC919E3000-0x00007FFC919E5000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4656-5-0x00007FFC919E0000-0x00007FFC924A1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4656-4-0x00007FFC919E0000-0x00007FFC924A1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4656-1-0x0000000000760000-0x000000000076A000-memory.dmp

          Filesize

          40KB

          Download