Analysis
max time kernel: 91s
max time network: 115s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/03/2024, 14:03
Static task: static1
Behavioral task: behavioral1
  Sample: b24fa78084497f1d9208787d96f9b6ea.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: b24fa78084497f1d9208787d96f9b6ea.exe
  Resource: win10v2004-20240226-en
General
Target: b24fa78084497f1d9208787d96f9b6ea.exe
Size: 13KB
MD5: b24fa78084497f1d9208787d96f9b6ea
SHA1: 7aae7bea4fd0b2bf120487aa84093e4d74fd2dd5
SHA256: 9c827fd486fcee65b93a58241b455a89be45b56046d3b78e695f4d6cd1b29e2c
SHA512: 8f6b1f35f10e0a54a6d8aaaeab4c5a59b0fa3ec802a756e9385e16cd1197ac05443f6dad34a55ad50ed630fc65542f592b0786287145e4e458ec2104f3e349c7
SSDEEP: 384:HPIXVcXVihJ9OawDh21kk9Qsr9GlllaOYuI76D8:gXVAVQrOaj1kk9J9GjlaO7I/
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\bzrljqjr.dll = "{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}" (process: b24fa78084497f1d9208787d96f9b6ea.exe)
- Loads dropped DLL (1 IoC)
  PID 904: b24fa78084497f1d9208787d96f9b6ea.exe
- Drops file in System32 directory (3 IoCs)
  File created: C:\Windows\SysWOW64\bzrljqjr.tmp (process: b24fa78084497f1d9208787d96f9b6ea.exe)
  File opened for modification: C:\Windows\SysWOW64\bzrljqjr.tmp (process: b24fa78084497f1d9208787d96f9b6ea.exe)
  File opened for modification: C:\Windows\SysWOW64\bzrljqjr.nls (process: b24fa78084497f1d9208787d96f9b6ea.exe)
- Modifies registry class (4 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}\InProcServer32\ThreadingModel = "Apartment" (process: b24fa78084497f1d9208787d96f9b6ea.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9} (process: b24fa78084497f1d9208787d96f9b6ea.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}\InProcServer32 (process: b24fa78084497f1d9208787d96f9b6ea.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}\InProcServer32\ = "C:\\Windows\\SysWow64\\bzrljqjr.dll" (process: b24fa78084497f1d9208787d96f9b6ea.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 904: b24fa78084497f1d9208787d96f9b6ea.exe (2 occurrences)
- Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 904: b24fa78084497f1d9208787d96f9b6ea.exe (3 occurrences)
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 904 wrote to memory of 748: b24fa78084497f1d9208787d96f9b6ea.exe, procid_target 93 (3 occurrences)
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe"
  PID: 904
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\BAA5.tmp.bat
    PID: 748
Network
MITRE ATT&CK Enterprise v15
Downloads