Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

Backdoor.W...rk.exe

windows7-x64

7

Backdoor.W...rk.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    115s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/02/2024, 06:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Backdoor.Win32.Shark.exe

  • Size

    305KB

  • MD5

    5ff4b7f5334e8c4d1f6eefe5a0af1ff6

  • SHA1

    1c65c72416a31fda76d6d824f8e739f8b24c40ea

  • SHA256

    bd3026127fe5c6e161fd612c2779efa72aa7a7d1324226a435eae8202bc7413c

  • SHA512

    8fa34cdbc48b06131cd0d24bc337dce4498f0134c81fef44a81f16ee473104cf79a880d0499415c740941ff02ccdcd428ea2172f6156d23f6fb020b8dc21dde2

  • SSDEEP

    6144:zdZOSoyCVuqaGqqCG6K3SidwlBUov2GBxgGNkVsuaRaU6mHG:pIx0UEHgA0aRz6mHG

Score
8/10
persistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 12 IoCs
    persistence
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Shark.exe
    "C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Shark.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4556
    • C:\Users\Admin\AppData\Local\Temp\802C.tmp\b2e.exe
      "C:\Users\Admin\AppData\Local\Temp\802C.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\802C.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Shark.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:464
      • C:\Users\Admin\AppData\Local\Temp\8443.tmp\batchfile.bat
        "C:\Users\Admin\AppData\Local\Temp\8443.tmp\batchfile.bat"
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4224
        • C:\Windows\SysWOW64\My_Server.exe
          C:\Windows\system32\My_Server.exe 1
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:1548
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Windows\system32\My_Server.exe.bat
          4⤵
            PID:3928
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfdel0.bat" "
          3⤵
            PID:1468
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4012 --field-trial-handle=2588,i,4353937220825226770,7138584070663735671,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:2224

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\802C.tmp\b2e.exe
          Filesize

          289KB

          MD5

          f2c1a4dddeb5e55232388f07217a7179

          SHA1

          b2e1b14180a9b7754e90a62c1786639f97d78f01

          SHA256

          35efd640ee571f7dd1d1a7ace3f0d4bc87ea6990cab5ce8a36690b58057208b8

          SHA512

          2975aea442b96034667e8ec790ddaa597ae403276c7ce3a537573c7fdd9b81a22cba276be1df04e9d58a6da21d4bbe2bf2b755ba5390b45666610259994077cc

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\8443.tmp\batchfile.bat
          Filesize

          280KB

          MD5

          ad02ea686cb772689fb44cf29a8575b2

          SHA1

          aa324e5ff9ebdd718a6e8a8599d303cab23cf64b

          SHA256

          1b93b3cf95e192f8e12b47b8b4c6c2955efb5ee53053440f442896e8c7e81982

          SHA512

          1438eeed9c2fff80e47a2461dfaf615f0cf643d4cecb066715b04a9e5203ff908d9aa9348ab4cfad5a5608aa04d5239ce866485447438ba7d9d48a6b8cdfb206

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\selfdel0.bat
          Filesize

          158B

          MD5

          155eabefa3b735aa25f14f334f26b07b

          SHA1

          8e17e05be722e4d43cf30136bdcc57ca051d6944

          SHA256

          5e3b8b1e6977fe4ed4454c6101ba58ee0908f6fa6535c886fb5de2ed814c738b

          SHA512

          203368b07223175e726d265ce9b00b3597aacfa338736c73d16ef8d26b0c66fca1a062b503feff25621a749bc08fefacec20e5e5d1a685535734681f97cb40a6

          Download Submit

        • C:\Windows\SysWOW64\My_Server.exe.bat
          Filesize

          153B

          MD5

          35787cf5c673ad0a13cba2a42de512e2

          SHA1

          4ba2e80ac23e99224364cbf14960b15b39df8abc

          SHA256

          8721c034ea16feba2add9fe9d5c0d0aa5f41522c53ee90e2007036fe9cd0c60d

          SHA512

          fc4866fcaf1dc0a4f33e7939ae48c61bd15fee9f825140ebbb924bae5c9111e2a7fafbfe5f0bb95d15727cfa4096667841c7f45d41720e2c22288bc0d2c2fa0f

          Download Submit

        • memory/464-8-0x0000000000400000-0x0000000000405000-memory.dmp

          Filesize

          20KB

          Download

        • memory/464-34-0x0000000000400000-0x0000000000405000-memory.dmp

          Filesize

          20KB

          Download