Analysis

  • max time kernel
    91s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/03/2024, 14:03

General

  • Target

    b24fa78084497f1d9208787d96f9b6ea.exe

  • Size

    13KB

  • MD5

    b24fa78084497f1d9208787d96f9b6ea

  • SHA1

    7aae7bea4fd0b2bf120487aa84093e4d74fd2dd5

  • SHA256

    9c827fd486fcee65b93a58241b455a89be45b56046d3b78e695f4d6cd1b29e2c

  • SHA512

    8f6b1f35f10e0a54a6d8aaaeab4c5a59b0fa3ec802a756e9385e16cd1197ac05443f6dad34a55ad50ed630fc65542f592b0786287145e4e458ec2104f3e349c7

  • SSDEEP

    384:HPIXVcXVihJ9OawDh21kk9Qsr9GlllaOYuI76D8:gXVAVQrOaj1kk9J9GjlaO7I/

Score
10/10

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe
    "C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:904
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\BAA5.tmp.bat
      2⤵
        PID:748

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\BAA5.tmp.bat

    Filesize

    179B

    MD5

    bc2c7a46b8faafa782a38495979dffc2

    SHA1

    a4f2c3a6b109ef2f174e59ec6286cc1044dac2a4

    SHA256

    07c5c747b0b199326070ab07d4c72977367dd7bb0588eca3dac145f2a96c8a9a

    SHA512

    025109f02c5705e96a19adff95c8cbce475a8b2c57806a1896d623fcbd5df5633b65320b23985063e2b59a9ab4cfb269bd46f98c6c45685e6eac6c23b3562065

  • C:\Windows\SysWOW64\bzrljqjr.nls

    Filesize

    428B

    MD5

    76a3016d1defcd1798f893e3859616dd

    SHA1

    5a8f2f3c94f8aec0dd573e54083a6c6d3b09d047

    SHA256

    f9a7e55649b01160bea0a1daf490dd85e5d25e8ff038434d381b2053fab40b74

    SHA512

    812649bf9278a938c2d87d3b9f0ed1c5177a4f9464750ee22f178399d948d45c9dff1e28db3eb1edd0673b775fdf7246635f684332a413ef64e3d67a9295b977

  • C:\Windows\SysWOW64\bzrljqjr.tmp

    Filesize

    2.3MB

    MD5

    7ec881dcfb336244abb3d5257be23959

    SHA1

    c86a7171239cc46e1054e8199f70777ff50b198f

    SHA256

    d22baaa57d5e54c02bd28a5269ee9815f7b8c7576d7851a4e40e06e7f878371e

    SHA512

    c047523ef8b4cae110b4e45231a7684f73e37b4e3e1c82534d5d341da15023053a8a3f6208c6a90262cd6dbd19aab577fd023306aa969700d466283b0cc767ba

  • memory/904-17-0x0000000010000000-0x0000000010009000-memory.dmp

    Filesize

    36KB

  • memory/904-21-0x0000000010000000-0x0000000010009000-memory.dmp

    Filesize

    36KB