Analysis

  • max time kernel
    188s
  • max time network
    194s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/11/2022, 16:34

General

  • Target

    e33cbc09f491b96d457f29de6855eaff681984bbf138d3f4576bed22bd68fa38.exe

  • Size

    248KB

  • MD5

    57f0412f08760330c2a2ac2a341b90e0

  • SHA1

    d6aca870cc491c1284c0ac566512d6719fd86b8b

  • SHA256

    e33cbc09f491b96d457f29de6855eaff681984bbf138d3f4576bed22bd68fa38

  • SHA512

    bd6b5b1fc475d8c91daa3c7aae86e7a3a4d025f6e14afc8a212cb13a0cd71c39f5f3ca0142cee1852842f6ad0a3aed7e1b80e9ddffb4c4eef33eca35862667c6

  • SSDEEP

    3072:+R4XzdJvRlFD1yPBYEmaHtGG2gqZ+/9A+JRjKY5Md41gfLX:P/h1yPptGG2gqZ+FfKqDs

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 55 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e33cbc09f491b96d457f29de6855eaff681984bbf138d3f4576bed22bd68fa38.exe
    "C:\Users\Admin\AppData\Local\Temp\e33cbc09f491b96d457f29de6855eaff681984bbf138d3f4576bed22bd68fa38.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:448
    • C:\Users\Admin\bitab.exe
      "C:\Users\Admin\bitab.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:5036

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\bitab.exe

    Filesize

    248KB

    MD5

    b46bb31b7ca192efe35af14ebcb2f41b

    SHA1

    d3afc639b327c23ce1653c6cb1174b98794fae97

    SHA256

    0089509f80ae54c570537067ccd9b0351a603782788f46e9e66b8819bac2d746

    SHA512

    92c4c0518c61a34adbf475d7656d92b5bc8f1ae724d3b01c8df2a6852859b1541afbf22e77b149a8b2a19e6e283de58ad7b23a82e68ca010ec1c460e0a11d159
