Analysis
max time kernel: 138s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/08/2023, 15:29
Static task: static1
Behavioral task: behavioral1
  Sample: 5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866.exe
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: 5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866.exe
  Resource: win10v2004-20230703-en
General
Target: 5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866.exe
Size: 2.6MB
MD5: 583f6b00c52bd5afc1d8056fc545fca7
SHA1: e820d03d6eac8af0cef5e9737738bec7b491d432
SHA256: 5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866
SHA512: e78e58b832a1965889991f235d728661229a1b18a81420d600d695c4b6cd2e4d54ff317591ecd9ec710e49e020b2392b584fc5cfbaeb6f8a07caa4284a3f5130
SSDEEP: 49152:RbIrl/Uxldber4n1GVxBQb0OuNoe1IF/E0YoNFaHGuQBffy:RErl/UH9j1sBQbTuNKdEVHGuQdf
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  PID   Process
  3372  bcqqblosrm.exe
  4888  bcqqblosrm.tmp

Drops file in Program Files directory (10 IoCs)
  Description                   IoC                                              Process
  File created                  C:\Program Files (x86)\XYRadish\is-SDAJ0.tmp     bcqqblosrm.tmp
  File created                  C:\Program Files (x86)\XYRadish\is-HG24F.tmp     bcqqblosrm.tmp
  File created                  C:\Program Files (x86)\XYRadish\is-K90Q0.tmp     bcqqblosrm.tmp
  File created                  C:\Program Files (x86)\XYRadish\is-C4ET0.tmp     bcqqblosrm.tmp
  File opened for modification  C:\Program Files (x86)\XYRadish\unins000.dat     bcqqblosrm.tmp
  File opened for modification  C:\Program Files (x86)\XYRadish\ScreenCapture.exe  bcqqblosrm.tmp
  File opened for modification  C:\Program Files (x86)\XYRadish\libEGL.dll       bcqqblosrm.tmp
  File created                  C:\Program Files (x86)\XYRadish\is-89B1C.tmp     bcqqblosrm.tmp
  File created                  C:\Program Files (x86)\XYRadish\unins000.dat     bcqqblosrm.tmp
  File created                  C:\Program Files (x86)\XYRadish\is-L6505.tmp     bcqqblosrm.tmp

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID   Process
  900   5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866.exe (4 hits)
  4888  bcqqblosrm.tmp (2 hits)

Suspicious use of FindShellTrayWindow (1 IoCs)
  PID   Process
  4888  bcqqblosrm.tmp

Suspicious use of WriteProcessMemory (9 IoCs)
  Description                       PID   Process                                                                   procid_target
  PID 900 wrote to memory of 3872   900   5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866.exe     81 (3 hits)
  PID 3872 wrote to memory of 3372  3872  cmd.exe                                                                   83 (3 hits)
  PID 3372 wrote to memory of 4888  3372  bcqqblosrm.exe                                                            85 (3 hits)
  Each write targets the process that the writing process itself spawned (900 -> 3872 -> 3372 -> 4888, matching the process tree below), so these entries are consistent with the parent-to-child memory writes that accompany process creation rather than injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866.exe (PID 900, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 3872, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\bcqqblosrm.exe" /VERYSILENT
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\bcqqblosrm.exe (PID 3372, depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\bcqqblosrm.exe" /VERYSILENT
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\is-JNU6G.tmp\bcqqblosrm.tmp (PID 4888, depth 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\is-JNU6G.tmp\bcqqblosrm.tmp" /SL5="$13003C,150686,54272,C:\Users\Admin\AppData\Local\Temp\bcqqblosrm.exe" /VERYSILENT
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow

Note: the cmd.exe image path is C:\Windows\SysWOW64\cmd.exe although the command line names System32; the sample is 32-bit (resource tag arch:x86), so WoW64 file system redirection resolves System32 to SysWOW64 for it. The chain from PID 3372 down is the launch sequence of an Inno Setup installer run silently: /VERYSILENT, the re-launch of the unpacked stub from an is-XXXXX.tmp directory with /SL5="...,<original installer path>", the is-XXXXX.tmp staging files and unins000.dat are all Inno Setup's own conventions. What the report shows is a sample in the user's Temp directory using cmd.exe to start a second dropped executable as a silent installer into C:\Program Files (x86)\XYRadish.
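The following is an added example, not part of the tria.ge report or of any tool it describes. It shows how the chain above can be flagged from process-creation and file-write records: a user-Temp executable using cmd.exe to start another Temp binary with a silent switch, an Inno Setup second stage identified by its /SL5 argument and is-XXXXX.tmp working directory, and Inno Setup staging files written under Program Files. The record layout (pid, ppid, image, cmdline, path) is an assumption for the example and is not tria.ge's export format; the records are constructed to mirror the PIDs, paths and command lines on this page.

```python
"""Flag a silent Inno Setup install chain from process and file records.

Added example. The record layout is assumed; the sample records are
constructed from the process tree and file IoCs in the report above.
"""
import re
from collections import defaultdict

# Inno Setup conventions: the setup stub re-launches itself from
# %TEMP%\is-XXXXX.tmp\<name>.tmp with /SL5="$HWND,offset,size,<orig exe>"
# and writes staged files as is-XXXXX.tmp in the target directory.
IS_TMP_DIR = re.compile(r"\\is-[A-Z0-9]{5}\.tmp\\", re.IGNORECASE)
IS_STAGED_FILE = re.compile(r"\\is-[A-Z0-9]{5}\.tmp$", re.IGNORECASE)
SL5_ARG = re.compile(r'/SL5="([^"]*)"', re.IGNORECASE)
SILENT_SWITCH = re.compile(r"/(?:VERY)?SILENT\b", re.IGNORECASE)
USER_TEMP = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
PROGRAM_FILES = re.compile(r"^[A-Z]:\\Program Files( \(x86\))?\\", re.IGNORECASE)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\bcqqblosrm.exe"
STAGE2 = r"C:\Users\Admin\AppData\Local\Temp\is-JNU6G.tmp\bcqqblosrm.tmp"

# Constructed records mirroring the report's process tree (ppid 0 = no parent seen).
SAMPLE_PROC_EVENTS = [
    {"pid": 900, "ppid": 0, "image": SAMPLE, "cmdline": '"%s"' % SAMPLE},
    {"pid": 3872, "ppid": 900, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c start "" "%s" /VERYSILENT' % DROPPED},
    {"pid": 3372, "ppid": 3872, "image": DROPPED, "cmdline": '"%s" /VERYSILENT' % DROPPED},
    {"pid": 4888, "ppid": 3372, "image": STAGE2,
     "cmdline": '"%s" /SL5="$13003C,150686,54272,%s" /VERYSILENT' % (STAGE2, DROPPED)},
]
# Constructed records mirroring the "Drops file in Program Files directory" IoCs.
SAMPLE_FILE_EVENTS = [
    {"pid": 4888, "path": r"C:\Program Files (x86)\XYRadish\%s" % name}
    for name in ("is-SDAJ0.tmp", "is-HG24F.tmp", "is-K90Q0.tmp", "is-C4ET0.tmp",
                 "unins000.dat", "ScreenCapture.exe", "libEGL.dll",
                 "is-89B1C.tmp", "is-L6505.tmp")
]


def ancestry(procs, pid):
    """Image paths from the outermost known ancestor down to pid."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    return list(reversed(chain))


def detect_silent_install_chain(proc_events, file_events):
    """Return a list of findings (dicts with a 'rule' key) for the records."""
    procs = {e["pid"]: e for e in proc_events}
    findings = []
    for e in proc_events:
        parent = procs.get(e["ppid"])
        image, cmd = e["image"], e["cmdline"]
        base = image.rsplit("\\", 1)[-1].lower()
        # Rule 1: a user-Temp executable uses cmd.exe to "start" something
        # with a silent installer switch.
        if (base == "cmd.exe" and parent and USER_TEMP.match(parent["image"])
                and re.search(r"\bstart\b", cmd, re.IGNORECASE)
                and SILENT_SWITCH.search(cmd)):
            findings.append({"rule": "temp_exe_launches_silent_installer",
                             "pid": e["pid"], "chain": ancestry(procs, e["pid"])})
        # Rule 2: Inno Setup second stage; the original installer path is the
        # 4th comma-separated field of the /SL5 argument.
        m = SL5_ARG.search(cmd)
        if m and IS_TMP_DIR.search(image):
            fields = m.group(1).split(",", 3)
            findings.append({"rule": "inno_setup_stage2", "pid": e["pid"],
                             "installer": fields[3] if len(fields) == 4 else None,
                             "silent": bool(SILENT_SWITCH.search(cmd)),
                             "chain": ancestry(procs, e["pid"])})
    # Rule 3: Inno Setup staging files under Program Files, grouped by
    # target directory so an unfamiliar install directory stands out.
    staged = defaultdict(list)
    for f in file_events:
        if PROGRAM_FILES.match(f["path"]) and IS_STAGED_FILE.search(f["path"]):
            staged[f["path"].rsplit("\\", 1)[0]].append(f["pid"])
    for directory, pids in staged.items():
        findings.append({"rule": "inno_setup_staging_in_program_files",
                         "directory": directory, "files": len(pids),
                         "pid": sorted(set(pids))})
    return findings


if __name__ == "__main__":
    for finding in detect_silent_install_chain(SAMPLE_PROC_EVENTS, SAMPLE_FILE_EVENTS):
        print(finding)
```

Rule 2 is the most specific of the three, because /SL5 with an is-XXXXX.tmp working directory is produced by Inno Setup's own stub and the argument carries the path of the installer that was unpacked; on its own it only says "an Inno Setup installer ran", which is common on any workstation. Rule 1 (a Temp-resident executable silently installing a second Temp-resident executable) is what makes this chain worth a look, and the WriteProcessMemory entries in the report are explained by the same parent-to-child spawning.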
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 446KB
MD5: 84e9fe774a5f14512c5b23ac3fd41304
SHA1: a503ab93af16de8be4f303ae145ada68ea9a7843
SHA256: 7ae568a3f72711d951aaa97c5b7e4dd1494be3cacda512f8226740000db1c679
SHA512: 04b85fa32434dbf4d09b04a148fd2cb0fdffcafe1b5304d89f7a4b549a09f55779908de2c9895a8a3ed0bfb79fbf7ffe932bdee389e3ba6a5c7bf4bb345271b5
Filesize: 900KB
MD5: f8b110dc2063d3b29502aa7042d26122
SHA1: 1a0fd3db79eadc1ce714f6267d476ddbec0f5e79
SHA256: e8730b0bf8f94cbb8babbfefb32cef8e8d19ec823f28c33a7d48c78589710762
SHA512: f3125d3f575aff68105ebb3eadbce30547d34e12237d8ebbc555c6fe12bcc0a5ea85a38e26f2900d70af70ec07efde3b8cd65dc0fdada637496531245ea5052f