Analysis
- max time kernel: 120s
- max time network: 134s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/03/2024, 14:01
Static task
- static1
Behavioral task
- behavioral1
  Sample: b24eaa2502c9bb6d741e56302451a47c.exe
  Resource: win7-20240221-en
Behavioral task
- behavioral2
  Sample: b24eaa2502c9bb6d741e56302451a47c.exe
  Resource: win10v2004-20240226-en
General
- Target: b24eaa2502c9bb6d741e56302451a47c.exe
- Size: 502KB
- MD5: b24eaa2502c9bb6d741e56302451a47c
- SHA1: dae6f7d8b2c26fa0de919188d5cd14165cc1652c
- SHA256: e7337744b755cc039f32348a645ac4cdac01fec4f4725403e2b7d677e7c3c245
- SHA512: 9ee25d8dd49539e0bd4c79c22f1a2ccb5a5024017e7a1dbd6638f7bb98eb894296c86751c1f41bc41e9355ab4bd05dd19babea2a4a5d74ca0cb7224b8d438707
- SSDEEP: 6144:cWwMnudHJHp7/be/jYB2nhw5MvSSJTpYLm+4NYLDBT2l8mIRhlfcCfVGojI/YW/O:xuZ7TebG2h1jWL3Np2lPCkuUIWgR
Malware Config
Signatures
- Loads dropped DLL (3 IoCs)
  pid   Process
  2636  b24eaa2502c9bb6d741e56302451a47c.exe
  2636  b24eaa2502c9bb6d741e56302451a47c.exe
  2636  b24eaa2502c9bb6d741e56302451a47c.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\BaiduInstall = "C:\\Windows\\system32\\rundll32.exe C:\\PROGRA~2\\baidu\\bar\\BaiduBar.dll,Install"
  Process: b24eaa2502c9bb6d741e56302451a47c.exe
- Drops file in Program Files directory (64 IoCs)
  Every entry is "File opened for modification" by b24eaa2502c9bb6d741e56302451a47c.exe. The file names are short and consist largely of non-ASCII bytes; they are reproduced as extracted.
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\L
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ì
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ôº
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\ÔÛ
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\¯
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\É
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\L
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\A
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\̬
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\Œs
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\T½
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\À
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\T—
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\ŒÉ
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\Œ&
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\L‹
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ô
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\Tí
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ìm
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\ø
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\T•
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\Tà
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ô
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\{
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ôb
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\”õ
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\g
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\ŒÔ
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\Œ
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ê
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ôƒ
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\T
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\Œý
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\”·
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\ŒÁ
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\›
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ìî
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\LH
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\k
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\T
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\”£
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ô‰
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ìÿ
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\Œ÷
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\””
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ì(
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\”
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ô
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\”¨
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\ü
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\L4
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\Œ¾
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\Œ–
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ôë
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\L˜
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\ÔÄ
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\”C
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\V
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\ý
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\Lý
  C:\Program Files (x86)\baidu\bar\BDBar_tmp\ÌÏ
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  3804  2636        WerFault.exe  89
  WerFault.exe (PID 3804) was launched to handle a crash of the sample process (PID 2636), so anything the sample would have done after that point is not observed in this run.
- NTFS ADS (1 IoC)
  File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\{0ô:@Y
  Process: b24eaa2502c9bb6d741e56302451a47c.exe
  The ':' after BDBar_tmp\{0ô means the write went to an alternate data stream (@Y) of that file rather than to its main data.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  2636  b24eaa2502c9bb6d741e56302451a47c.exe
  2636  b24eaa2502c9bb6d741e56302451a47c.exe
  2636  b24eaa2502c9bb6d741e56302451a47c.exe
  2636  b24eaa2502c9bb6d741e56302451a47c.exe
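The RunOnce value above runs rundll32.exe against BaiduBar.dll with its Install export, using an 8.3 short-name path (PROGRA~2) in place of the full "Program Files (x86)" directory that the file-drop entries show. The following Python is an added example and is not part of the Triage report: it parses Triage-style "Set value (str)" IoC rows, flags writes under the Run/RunOnce autostart keys (including the WOW6432Node view), pulls out the DLL and export from a rundll32 command line, and separately recognises an NTFS alternate-data-stream path such as the BDBar_tmp\{0ô:@Y entry. The RunOnce row and the ADS path are copied from this report; the Explorer row (with a made-up SID) is a constructed benign control.

```python
"""Added example (not from the Triage report): classify autostart registry
writes and NTFS alternate-data-stream paths from Triage-style IoC rows."""
import re
from typing import Optional

# IoC rows copied verbatim from the report above.
REPORT_RUNONCE_LINE = (
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows'
    r'\CurrentVersion\RunOnce\BaiduInstall = "C:\\Windows\\system32\\rundll32.exe '
    r'C:\\PROGRA~2\\baidu\\bar\\BaiduBar.dll,Install" b24eaa2502c9bb6d741e56302451a47c.exe'
)
REPORT_ADS_PATH = r"C:\Program Files (x86)\baidu\bar\BDBar_tmp\{0ô:@Y"

# Constructed benign control (made-up SID); not from the report.
BENIGN_LINE = (
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft'
    r'\Windows\CurrentVersion\Explorer\Advanced\Hidden = "1" explorer.exe'
)

# Triage "Set value (str)" row:  <key> = "<value>" <writing process>
SETVALUE_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\\S+?) = "(?P<value>.*)" (?P<process>\S+)$'
)
# Autostart subkeys, matched as a whole path component (longest names first).
AUTORUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(?:RunServicesOnce|RunOnce|RunServices|Run)\\",
    re.IGNORECASE,
)
# rundll32 [path\]<dll>,<export>; the DLL path may be an 8.3 short name.
RUNDLL32_RE = re.compile(
    r"rundll32(?:\.exe)?\s+(?P<dll>[^,]+?\.dll),(?P<export>\w+)", re.IGNORECASE
)
# <drive>:\<file>:<stream>[:$DATA]; a ':' past the drive letter is a stream name.
ADS_PATH_RE = re.compile(r"^(?P<file>[A-Za-z]:\\[^:]*):(?P<stream>[^:]+)(?::\$DATA)?$")


def parse_set_value(line: str) -> Optional[dict]:
    """Split a Triage 'Set value (str)' row into key, value and writing process."""
    m = SETVALUE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # The report prints backslashes inside the quoted value doubled; undo that.
    rec["value"] = rec["value"].replace("\\\\", "\\")
    return rec


def classify_registry_write(line: str) -> dict:
    """Flag autostart persistence and describe how the entry would execute."""
    rec = parse_set_value(line)
    if rec is None:
        return {"autorun": False, "rundll32": False, "reason": "not a Set value (str) row"}
    rd = RUNDLL32_RE.search(rec["value"])
    return {
        "autorun": AUTORUN_KEY_RE.search(rec["key"]) is not None,
        "key": rec["key"],
        "value_name": rec["key"].rsplit("\\", 1)[-1],
        "wow6432node": "\\WOW6432Node\\" in rec["key"],  # 32-bit view of HKLM\SOFTWARE
        "rundll32": rd is not None,
        "dll": rd.group("dll") if rd else None,
        "export": rd.group("export") if rd else None,
        "short_name_path": "~" in rec["value"],  # e.g. PROGRA~2 for "Program Files (x86)"
        "command": rec["value"],
        "process": rec["process"],
    }


def ads_stream(path: str) -> Optional[tuple]:
    """Return (file, stream) if a Win32 path names an NTFS alternate data stream, else None."""
    m = ADS_PATH_RE.match(path)
    return (m.group("file"), m.group("stream")) if m else None


def scan(lines, paths) -> list:
    """Run both checks over IoC rows and file paths; return human-readable findings only."""
    findings = []
    for line in lines:
        r = classify_registry_write(line)
        if r["autorun"]:
            how = f"rundll32 -> {r['dll']},{r['export']}" if r["rundll32"] else r["command"]
            findings.append(f"autorun value {r['value_name']} set by {r['process']}: {how}")
    for p in paths:
        ads = ads_stream(p)
        if ads:
            findings.append(f"alternate data stream '{ads[1]}' on {ads[0]}")
    return findings


if __name__ == "__main__":
    for finding in scan([REPORT_RUNONCE_LINE, BENIGN_LINE],
                        [REPORT_ADS_PATH, r"C:\Windows\notepad.exe"]):
        print(finding)
```

Two caveats when turning this into a live check. Winlogon deletes RunOnce values after they execute, so on an infected host the key may already be empty; the durable indicators are the BaiduBar.dll path and the Install export on a rundll32 command line (Sysmon Event ID 1 or 13, or Security 4688 with command-line logging). The ADS check only establishes that a stream was written; since the other BDBar_tmp names are just as unreadable, the stream may be incidental rather than deliberate hiding, so confirm on the host with `dir /r` or `Get-Item -Stream *` before drawing that conclusion.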
Processes
- C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe
  "C:\Users\Admin\AppData\Local\Temp\b24eaa2502c9bb6d741e56302451a47c.exe"
  PID: 2636
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\WerFault.exe (child of PID 2636)
    C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 1012
    PID: 3804
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2636 -ip 2636
  PID: 3256
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.3MB
  MD5: 1b8f4df33e4b9a3ea2e4616a148b35b4
  SHA1: c4ebaa3dfcc8ed0311807c5a812f5a4a02dd6e9b
  SHA256: 1413011151fc984be69fa146ea07acc692e18bd3993e20b8654a2b4134937852
  SHA512: 90b41c98d09ec27ed401af0016fb2852b030d18f93ceb40486d825993f03884f00a3996332b4f673394825723fc2cb0c9bb24fe2944c5e6a8456aaf21c88c762