Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

01/11/2022, 19:49

221101-yj68dafdej 1

01/11/2022, 19:47

221101-yhsctsfddk 8

Analysis

  • max time kernel
    1619s
  • max time network
    1590s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/11/2022, 19:47

General

  • Target

    BloodHack.exe

  • Size

    1.8MB

  • MD5

    2370961b355c2c24ff7e6f2d850ab5e4

  • SHA1

    626655e8c4f9314be8726a1bdc0b4e87e4f4e847

  • SHA256

    9ca6536a01be198a9cad4d1df7c6d0e2c6b7d6f88ff8c8399534e93a6708565e

  • SHA512

    adbe5ce312b3bd341fbf551310260869429c29dea819d427c1644b4532e7e5c48580bec3675b9107149548e312a734e543e603cb7e81cda1bb533a647328c974

  • SSDEEP

    49152:/7n282hBSMnIQJwJ+YP/QAPYTysIWEOifkTOn:/7n2hCMI0wJAui

Score
8/10

Malware Config

Signatures

  • Stops running service(s) 3 TTPs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\BloodHack.exe
    "C:\Users\Admin\AppData\Local\Temp\BloodHack.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4696
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop mhyprot2
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1620
      • C:\Windows\system32\sc.exe
        sc stop mhyprot2
        3⤵
        • Launches sc.exe
        PID:3564
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c CLS
      2⤵
        PID:4948

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads