Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

27/05/2024, 22:11

240527-14ae9ada43 10

27/05/2024, 21:15

240527-z3zhbabd59 10

13/02/2024, 12:11

240213-pcwzdshd2w 10

13/02/2024, 12:08

240213-pa6qtahc7y 10

18/12/2023, 08:13

231218-j4g2nabaf5 10

05/12/2023, 08:54

231205-kt32taae27 10

05/12/2023, 07:41

231205-jjdthahh6w 10

05/12/2023, 07:38

231205-jgmcvshh5x 10

26/11/2023, 09:39

231126-lmxf5agd87 10

Analysis

  • max time kernel
    147s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/02/2024, 12:08

General

  • Target

    Malware-database-main/butterflyondesktop.exe

  • Size

    2.8MB

  • MD5

    1535aa21451192109b86be9bcc7c4345

  • SHA1

    1af211c686c4d4bf0239ed6620358a19691cf88c

  • SHA256

    4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6

  • SHA512

    1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da

  • SSDEEP

    49152:5aA7f7tlVmdqK23H2bpHI4Qs5ABV9WRHZRsgI82lcHGAaKLinXBgJ:Q+VMkX224QsWBq5SfARGRgJ

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 25 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Malware-database-main\butterflyondesktop.exe
    "C:\Users\Admin\AppData\Local\Temp\Malware-database-main\butterflyondesktop.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2928
    • C:\Users\Admin\AppData\Local\Temp\is-NE61N.tmp\butterflyondesktop.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-NE61N.tmp\butterflyondesktop.tmp" /SL5="$6006A,2719719,54272,C:\Users\Admin\AppData\Local\Temp\Malware-database-main\butterflyondesktop.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4988
      • C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe
        "C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3532
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html
        3⤵
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:3348
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0x44,0x114,0x7ffe5b0346f8,0x7ffe5b034708,0x7ffe5b034718
          4⤵
            PID:1664
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,12807144930957365702,5545969871727516137,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
            4⤵
              PID:4604
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,12807144930957365702,5545969871727516137,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:2096
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,12807144930957365702,5545969871727516137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
              4⤵
                PID:1368
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12807144930957365702,5545969871727516137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
                4⤵
                  PID:3308
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12807144930957365702,5545969871727516137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
                  4⤵
                    PID:1220
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12807144930957365702,5545969871727516137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
                    4⤵
                      PID:3432
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12807144930957365702,5545969871727516137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
                      4⤵
                        PID:1340
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12807144930957365702,5545969871727516137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
                        4⤵
                          PID:808
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12807144930957365702,5545969871727516137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
                          4⤵
                            PID:1280
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12807144930957365702,5545969871727516137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
                            4⤵
                              PID:1732
                            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,12807144930957365702,5545969871727516137,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
                              4⤵
                                PID:1072
                              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,12807144930957365702,5545969871727516137,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
                                4⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:3468
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12807144930957365702,5545969871727516137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
                                4⤵
                                  PID:2820
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12807144930957365702,5545969871727516137,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
                                  4⤵
                                    PID:1448
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12807144930957365702,5545969871727516137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
                                    4⤵
                                      PID:4788
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12807144930957365702,5545969871727516137,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
                                      4⤵
                                        PID:976
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:2524
                                  • C:\Windows\System32\CompPkgSrv.exe
                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                    1⤵
                                      PID:2556

                                    Network

                                    MITRE ATT&CK Enterprise v15

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe

                                      Filesize

                                      3.0MB

                                      MD5

                                      81aab57e0ef37ddff02d0106ced6b91e

                                      SHA1

                                      6e3895b350ef1545902bd23e7162dfce4c64e029

                                      SHA256

                                      a70f9e100dddb177f68ee7339b327a20cd9289fae09dcdce3dbcbc3e86756287

                                      SHA512

                                      a651d0a526d31036a302f7ef1ee2273bb7c29b5206c9b17339baa149dd13958ca63db827d09b4e12202e44d79aac2e864522aca1228118ba3dcd259fe1fcf717

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                      Filesize

                                      152B

                                      MD5

                                      3e71d66ce903fcba6050e4b99b624fa7

                                      SHA1

                                      139d274762405b422eab698da8cc85f405922de5

                                      SHA256

                                      53b34e24e3fbb6a7f473192fc4dec2ae668974494f5636f0359b6ca27d7c65e3

                                      SHA512

                                      17e2f1400000dd6c54c8dc067b31bcb0a3111e44a9d2c5c779f484a51ada92d88f5b6e6847270faae8ff881117b7ceaaf8dfe9df427cbb8d9449ceacd0480388

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                      Filesize

                                      648B

                                      MD5

                                      b2427638595cf3b9d9e92320d356ff32

                                      SHA1

                                      cf9515818fc7058a1496c09490a7db994556b538

                                      SHA256

                                      9be22ed126eaa6601f13a43b2ff9f9224a5bc301a407b915e7dccb85b047d911

                                      SHA512

                                      be8c91abeb972b8ec326be455193d0b1f7e96f9744b85e696dd526212b5d2bb582d11c3d8c38792df39a09f37f79d90fa0375a51df3aaf88200515134acd84b9

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                      Filesize

                                      7KB

                                      MD5

                                      2eeb735470ad4f74fa58f6f6da4352f4

                                      SHA1

                                      57580e1e6af4a842b3720bd6ce03e2681b74522d

                                      SHA256

                                      f62edf2a4b056224ce32e43ae4eac87d4f3d9058280157b4bdc94ace44abc880

                                      SHA512

                                      91019e01082aa438b6b060e4cec682e6fb772086d0c930f327c4484d3d33d048a80a519d9bfd2d55240401e1b7603ed50c2ea5b0660b3338aee2d4427e7f4453

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                      Filesize

                                      5KB

                                      MD5

                                      11aef1dd4a471d875e425ba6100ae2d2

                                      SHA1

                                      990347cc43fd3afb346c816cc42721de57f750a1

                                      SHA256

                                      8907650ae6bf40f1356d41f4633f129030c369d34d0a148fd8ccf6d4af897214

                                      SHA512

                                      369b2249ef876236fa4a1f80098ce642ecf4dfef6835023fafe6721d02b1276ae700f02f2514e11401103881eaaa40379c32ba5d743a4e52265f14c7a13eac74

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

                                      Filesize

                                      24KB

                                      MD5

                                      1b1b142e24215f033793d1311e24f6e6

                                      SHA1

                                      74e23cffbf03f3f0c430e6f4481e740c55a48587

                                      SHA256

                                      3dca3ec65d1f4109c6b66a1a47b2477afaf8d15306a523f297283da0eccbe8b1

                                      SHA512

                                      a569385710e3a0dc0d6366476c457927a847a2b2298c839e423c485f7dcce2468a58d20133f6dc81913056fb579957e67f63cf1e20b910d61816210447cd1f1f

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                      Filesize

                                      16B

                                      MD5

                                      6752a1d65b201c13b62ea44016eb221f

                                      SHA1

                                      58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                      SHA256

                                      0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                      SHA512

                                      9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                      Filesize

                                      10KB

                                      MD5

                                      d48b88722a3c241636f2cec6550eb19a

                                      SHA1

                                      df4c9eb33ced2722b7300608061e4a7e14b130b2

                                      SHA256

                                      032294d6a1bfdb0b381d037bdae71049d05c094b21176f0b646730bce7cf96b6

                                      SHA512

                                      0c8aa1d101a40ddd681664e723e6e4e22333aaec952cf1ac5b787cd6aee225516a461c440a39b5d5e3caf6490ca1c519dce4b4ce65151e36adfabbf07b95ead2

                                    • C:\Users\Admin\AppData\Local\Temp\is-NE61N.tmp\butterflyondesktop.tmp

                                      Filesize

                                      688KB

                                      MD5

                                      c765336f0dcf4efdcc2101eed67cd30c

                                      SHA1

                                      fa0279f59738c5aa3b6b20106e109ccd77f895a7

                                      SHA256

                                      c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

                                      SHA512

                                      06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

                                    • memory/2928-12-0x0000000000400000-0x0000000000414000-memory.dmp

                                      Filesize

                                      80KB

                                    • memory/2928-58-0x0000000000400000-0x0000000000414000-memory.dmp

                                      Filesize

                                      80KB

                                    • memory/2928-0-0x0000000000400000-0x0000000000414000-memory.dmp

                                      Filesize

                                      80KB

                                    • memory/3532-211-0x0000000000400000-0x000000000070B000-memory.dmp

                                      Filesize

                                      3.0MB

                                    • memory/3532-185-0x0000000000400000-0x000000000070B000-memory.dmp

                                      Filesize

                                      3.0MB

                                    • memory/3532-53-0x0000000002370000-0x0000000002371000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/3532-221-0x0000000002370000-0x0000000002371000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/3532-227-0x0000000000400000-0x000000000070B000-memory.dmp

                                      Filesize

                                      3.0MB

                                    • memory/3532-228-0x0000000000400000-0x000000000070B000-memory.dmp

                                      Filesize

                                      3.0MB

                                    • memory/4988-32-0x0000000000400000-0x00000000004BC000-memory.dmp

                                      Filesize

                                      752KB

                                    • memory/4988-16-0x00000000006A0000-0x00000000006A1000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/4988-13-0x0000000000400000-0x00000000004BC000-memory.dmp

                                      Filesize

                                      752KB

                                    • memory/4988-57-0x0000000000400000-0x00000000004BC000-memory.dmp

                                      Filesize

                                      752KB

                                    • memory/4988-6-0x00000000006A0000-0x00000000006A1000-memory.dmp

                                      Filesize

                                      4KB