Analysis
max time kernel: 188s
max time network: 194s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/11/2022, 16:34
Static task: static1
Behavioral task: behavioral1
  Sample: e33cbc09f491b96d457f29de6855eaff681984bbf138d3f4576bed22bd68fa38.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: e33cbc09f491b96d457f29de6855eaff681984bbf138d3f4576bed22bd68fa38.exe
  Resource: win10v2004-20220812-en
General
Target: e33cbc09f491b96d457f29de6855eaff681984bbf138d3f4576bed22bd68fa38.exe
Size: 248KB
MD5: 57f0412f08760330c2a2ac2a341b90e0
SHA1: d6aca870cc491c1284c0ac566512d6719fd86b8b
SHA256: e33cbc09f491b96d457f29de6855eaff681984bbf138d3f4576bed22bd68fa38
SHA512: bd6b5b1fc475d8c91daa3c7aae86e7a3a4d025f6e14afc8a212cb13a0cd71c39f5f3ca0142cee1852842f6ad0a3aed7e1b80e9ddffb4c4eef33eca35862667c6
SSDEEP: 3072:+R4XzdJvRlFD1yPBYEmaHtGG2gqZ+/9A+JRjKY5Md41gfLX:P/h1yPptGG2gqZ+FfKqDs
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | e33cbc09f491b96d457f29de6855eaff681984bbf138d3f4576bed22bd68fa38.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | bitab.exe
Executes dropped EXE (1 IoC)
pid | Process
5036 | bitab.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | e33cbc09f491b96d457f29de6855eaff681984bbf138d3f4576bed22bd68fa38.exe
Adds Run key to start application (2 TTPs, 55 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /a" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /Z" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /k" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /x" | bitab.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | e33cbc09f491b96d457f29de6855eaff681984bbf138d3f4576bed22bd68fa38.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /X" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /b" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /e" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /m" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /T" | e33cbc09f491b96d457f29de6855eaff681984bbf138d3f4576bed22bd68fa38.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /t" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /q" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /w" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /L" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /r" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /v" | bitab.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /J" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /K" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /D" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /c" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /U" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /n" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /h" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /l" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /A" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /Q" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /d" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /V" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /y" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /O" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /j" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /F" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /W" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /s" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /T" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /G" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /S" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /M" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /g" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /N" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /p" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /u" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /i" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /o" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /B" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /R" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /z" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /H" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /C" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /Y" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /P" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /I" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /E" | bitab.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitab = "C:\\Users\\Admin\\bitab.exe /f" | bitab.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
448 | e33cbc09f491b96d457f29de6855eaff681984bbf138d3f4576bed22bd68fa38.exe (2 entries)
5036 | bitab.exe (remaining 62 entries)
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
448 | e33cbc09f491b96d457f29de6855eaff681984bbf138d3f4576bed22bd68fa38.exe
5036 | bitab.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 448 wrote to memory of 5036 | 448 | e33cbc09f491b96d457f29de6855eaff681984bbf138d3f4576bed22bd68fa38.exe | 82
PID 448 wrote to memory of 5036 | 448 | e33cbc09f491b96d457f29de6855eaff681984bbf138d3f4576bed22bd68fa38.exe | 82
PID 448 wrote to memory of 5036 | 448 | e33cbc09f491b96d457f29de6855eaff681984bbf138d3f4576bed22bd68fa38.exe | 82
Processes
- C:\Users\Admin\AppData\Local\Temp\e33cbc09f491b96d457f29de6855eaff681984bbf138d3f4576bed22bd68fa38.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e33cbc09f491b96d457f29de6855eaff681984bbf138d3f4576bed22bd68fa38.exe"
  - Modifies visibility of hidden/system files in Explorer
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 448
  - C:\Users\Admin\bitab.exe (level 2, child of PID 448)
    Command line: "C:\Users\Admin\bitab.exe"
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 5036
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 248KB
MD5: b46bb31b7ca192efe35af14ebcb2f41b
SHA1: d3afc639b327c23ce1653c6cb1174b98794fae97
SHA256: 0089509f80ae54c570537067ccd9b0351a603782788f46e9e66b8819bac2d746
SHA512: 92c4c0518c61a34adbf475d7656d92b5bc8f1ae724d3b01c8df2a6852859b1541afbf22e77b149a8b2a19e6e283de58ad7b23a82e68ca010ec1c460e0a11d159