Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
1088bc7b6a62...00.exe
windows7-x64
788bc7b6a62...00.exe
windows10-2004-x64
788cdf3a075...59.exe
windows7-x64
1088cdf3a075...59.exe
windows10-2004-x64
1089000a0d00...5b.exe
windows7-x64
1089000a0d00...5b.exe
windows10-2004-x64
1089270d6b49...b4.exe
windows7-x64
189270d6b49...b4.exe
windows10-2004-x64
1892ac0ac36...51.exe
windows7-x64
8892ac0ac36...51.exe
windows10-2004-x64
8894b900bb7...92.exe
windows7-x64
8894b900bb7...92.exe
windows10-2004-x64
8896493118e...17.exe
windows7-x64
10896493118e...17.exe
windows10-2004-x64
1089652cefa9...84.exe
windows7-x64
389652cefa9...84.exe
windows10-2004-x64
10897255af35...03.exe
windows7-x64
10897255af35...03.exe
windows10-2004-x64
10897b60be56...d4.exe
windows7-x64
6897b60be56...d4.exe
windows10-2004-x64
689a1a21003...9d.exe
windows7-x64
389a1a21003...9d.exe
windows10-2004-x64
389ed231ad6...9a.exe
windows7-x64
1089ed231ad6...9a.exe
windows10-2004-x64
108a4e1b5c29...83.exe
windows7-x64
108a4e1b5c29...83.exe
windows10-2004-x64
108a7ce080bb...ba.exe
windows7-x64
108a7ce080bb...ba.exe
windows10-2004-x64
108aa071d8cc...3d.exe
windows7-x64
78aa071d8cc...3d.exe
windows10-2004-x64
78acb86332d...4c.exe
windows7-x64
108acb86332d...4c.exe
windows10-2004-x64
10Analysis
-
max time kernel
91s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20250207-en -
resource tags
arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system -
submitted
22/03/2025, 06:13
Behavioral task
behavioral1
Sample
88bc7b6a627017c4f048d13e756f27b0adc94dc25d0b53c42a2cbdac36177600.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
88bc7b6a627017c4f048d13e756f27b0adc94dc25d0b53c42a2cbdac36177600.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral3
Sample
88cdf3a075a9f38022db50379cd5771e1992a58af68f516812b40c8320dabc59.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
88cdf3a075a9f38022db50379cd5771e1992a58af68f516812b40c8320dabc59.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral5
Sample
89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe
Resource
win10v2004-20250313-en
Behavioral task
behavioral7
Sample
89270d6b49877a5303ff4416c74830b4.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
89270d6b49877a5303ff4416c74830b4.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral9
Sample
892ac0ac36d3e692e581bde711ae2651.exe
Resource
win7-20241010-en
Behavioral task
behavioral10
Sample
892ac0ac36d3e692e581bde711ae2651.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral11
Sample
894b900bb7817bc5ddd0e3ad48eb9c6fbe4ad9ad7741358d311bafe03b988a92.exe
Resource
win7-20241010-en
Behavioral task
behavioral12
Sample
894b900bb7817bc5ddd0e3ad48eb9c6fbe4ad9ad7741358d311bafe03b988a92.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral13
Sample
896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
Resource
win7-20250207-en
Behavioral task
behavioral14
Sample
896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral15
Sample
89652cefa9366ca2d97d0e0b49525984.exe
Resource
win7-20250207-en
Behavioral task
behavioral16
Sample
89652cefa9366ca2d97d0e0b49525984.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral17
Sample
897255af3577597d102569ae36e4a05af7c024eaaaf4b26d4515002d2b257303.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
897255af3577597d102569ae36e4a05af7c024eaaaf4b26d4515002d2b257303.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral19
Sample
897b60be5611091a83c5ceb48f7d2bd4.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
897b60be5611091a83c5ceb48f7d2bd4.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral21
Sample
89a1a21003baf78498607da9565222de2ca042713740ff1005123e24f6b2449d.exe
Resource
win7-20240729-en
Behavioral task
behavioral22
Sample
89a1a21003baf78498607da9565222de2ca042713740ff1005123e24f6b2449d.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral23
Sample
89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral25
Sample
8a4e1b5c2998360f622e0279dee68fb7e7130c4a0fa23749b404f70c10dfcd83.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
8a4e1b5c2998360f622e0279dee68fb7e7130c4a0fa23749b404f70c10dfcd83.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral27
Sample
8a7ce080bb43fc3edf2ddf3b300355ba.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
8a7ce080bb43fc3edf2ddf3b300355ba.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral29
Sample
8aa071d8cc2dd74176f041bba8762b3d.exe
Resource
win7-20250207-en
Behavioral task
behavioral30
Sample
8aa071d8cc2dd74176f041bba8762b3d.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral31
Sample
8acb86332d3165ca0750e27ecd4b4948ab35ade98d43820de667e14ff849c64c.exe
Resource
win7-20241023-en
Behavioral task
behavioral32
Sample
8acb86332d3165ca0750e27ecd4b4948ab35ade98d43820de667e14ff849c64c.exe
Resource
win10v2004-20250314-en
General
-
Target
8aa071d8cc2dd74176f041bba8762b3d.exe
-
Size
509KB
-
MD5
8aa071d8cc2dd74176f041bba8762b3d
-
SHA1
600a6b37b8ef0216dbb2a1b0089b47e8e0121f77
-
SHA256
ac0f2c31139dba2b54497d4c90022629da055b9e9ae49d2eb780bedcf70fe41f
-
SHA512
a843de8b779c04f884f4faefd7933a9350855c4c15b8865334df08a2d86e51c5785d28c284ab625464de0c69191c1212a2714cb80e888a0c065f3758d5cacded
-
SSDEEP
1536:N4eK+IFjWfoPbuaTRM3nFkwHbaA3LL0idWwiQcmWkF7jV:G+IF6foPCaTRMXbaev0FQcmWkRV
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2416 audiohd.exe -
Loads dropped DLL 2 IoCs
pid Process 2536 8aa071d8cc2dd74176f041bba8762b3d.exe 2536 8aa071d8cc2dd74176f041bba8762b3d.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8aa071d8cc2dd74176f041bba8762b3d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language audiohd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2536 8aa071d8cc2dd74176f041bba8762b3d.exe 2416 audiohd.exe 2316 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2536 8aa071d8cc2dd74176f041bba8762b3d.exe Token: SeDebugPrivilege 2416 audiohd.exe Token: SeDebugPrivilege 2316 powershell.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 2536 wrote to memory of 2416 2536 8aa071d8cc2dd74176f041bba8762b3d.exe 31 PID 2536 wrote to memory of 2416 2536 8aa071d8cc2dd74176f041bba8762b3d.exe 31 PID 2536 wrote to memory of 2416 2536 8aa071d8cc2dd74176f041bba8762b3d.exe 31 PID 2536 wrote to memory of 2416 2536 8aa071d8cc2dd74176f041bba8762b3d.exe 31 PID 2416 wrote to memory of 2316 2416 audiohd.exe 32 PID 2416 wrote to memory of 2316 2416 audiohd.exe 32 PID 2416 wrote to memory of 2316 2416 audiohd.exe 32 PID 2416 wrote to memory of 2316 2416 audiohd.exe 32 PID 2316 wrote to memory of 2760 2316 powershell.exe 34 PID 2316 wrote to memory of 2760 2316 powershell.exe 34 PID 2316 wrote to memory of 2760 2316 powershell.exe 34 PID 2316 wrote to memory of 2760 2316 powershell.exe 34 PID 2760 wrote to memory of 2396 2760 csc.exe 35 PID 2760 wrote to memory of 2396 2760 csc.exe 35 PID 2760 wrote to memory of 2396 2760 csc.exe 35 PID 2760 wrote to memory of 2396 2760 csc.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\8aa071d8cc2dd74176f041bba8762b3d.exe"C:\Users\Admin\AppData\Local\Temp\8aa071d8cc2dd74176f041bba8762b3d.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe"C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -Path "C:\Users\Admin\AppData\Local\Microsoft\local.cs"; [LocalServ]::Listen()3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\44tu713_.cmdline"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC43.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEC42.tmp"5⤵
- System Location Discovery: System Language Discovery
PID:2396
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5ff169c4274b91df68a1a0548b9186b29
SHA1e2a406a1a49c5825d4f4279e82d1ca369433b244
SHA2566da3e26b268e4a6c21e192c8b9a1b89aef6880bad673b79e6a889d29641ac2cc
SHA5128785d91046722c0e8278fb95404ae284c3cf5e96060d06a7dc2209866b96618978e41844759da30fec7bdcef677fada61d3db498adbe989eaa87fbf84fc3366b
-
Filesize
6KB
MD5760f74558c6db6437947ab11b296d935
SHA14ba87ae26ea61905b4f6125f6141585afaf69a51
SHA256b4b343fb09c5106065870b170c7659cc245bbfa1b8f5b8ae3352ba828d48291b
SHA512b7fe41b69fe5cc6157592626a6560a4bd50a144841d1ee339c6ede5c1b6720a2e3f576026afbd25c7581ba012e854de7d5bdbdc32c642ff9813d8a6747fd342d
-
Filesize
13KB
MD55c7d114276f71104986b24511866ffba
SHA1b83a257556cd7ecdb68b56c6955dc52b4eca2264
SHA256bcf1650c17c906950eaa3ad65c540b465825db3540fd87e64ca52ed14b8f967d
SHA51278ca6ff8719f09cee765e4ceef371e336687a913ad61a542a5b8d357512cb016b564eb89605d816deaae5043ded5053578f50803d90f5074f4fc71f79cda315f
-
Filesize
1KB
MD5f80cadf71137d9c24e639e07c8579aa0
SHA12bbf40a1ebd648ae9012de206915eba0086e1bc5
SHA256d76bb17b515a3a759f27532c7782c90f26598cd58025656c054bc326d3db66bd
SHA5125d1411c05e84a13de9216efbef6e4149a394ef0e55856247a9f4c902ce95473b4d9be92b3be1cb3d5e363bbc001d2d7d48a62f8670bf943208cba3fa3c25832a
-
Filesize
309B
MD514449eac5403452a0decf6b0bb039c23
SHA1832e13b20bbd985c3815475e887ae7bb98e9560d
SHA25683048c577ea7bfb3c0887935c02a3614ae25d1d981bebdd0af52af6397c39753
SHA512ea44596bc280a0da04251b3371d4fc9f82665b8ef832872c5967dec3b02a4bcb92c3a81a09ee2f5ac85fd3ae14d234917d67bbea824fb794b42a3e22d4b08a7b
-
Filesize
652B
MD5462fc2552f11ae8815a14e79321b596a
SHA19edf39778b99392d805ccd313e6005569a64ce1f
SHA2565004ee69632264d898bd34d3750ed91946e26ea8ba9e2403ef31b86a80424ce0
SHA51278eeabb453b883450e9c10ebb9cd01259a9591fc43b026980980828639e3b80d1e0b0887e3f78e562ff142da91969b5fee2ab37ca8757dea278e1d7b92313ddb
-
Filesize
515KB
MD59e3bcccd19638175dbadf325f6a9e176
SHA158bc0cdcc6b65c2fad5ee64783beb31ea0811ce8
SHA25689afa35121ca2cba1375e349479592c771fe951375fe882baf44955770af7c96
SHA5123bafcb13c414ee1d13c33de19aa939513064372f78ac8ebebb0a514b551821eacf9dbc3428a6a14d8f59209522203f52458f807cccf28a85776d3e56760d978b