Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/03/2024, 13:04
Static task: static1
Behavioral task: behavioral1
  Sample: b777afa8c515a3deb45611907d350624.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: b777afa8c515a3deb45611907d350624.exe
  Resource: win10v2004-20240226-en
General
Target: b777afa8c515a3deb45611907d350624.exe
Size: 312KB
MD5: b777afa8c515a3deb45611907d350624
SHA1: 9e75245975c93fc166a693c9dcf5128529bb19c1
SHA256: 66a1fd5ad16c8abc8c00d795c26f66d01df55e3e6ca7568e6aed9724a73068d3
SHA512: 429902b42423a3c9cc9daa729816ce8ae03f5af57554a11f69a67e894d881ec14b766127885ffefc0709666387bafa4e7c5527b7cbfd49cf80e1ab5423943394
SSDEEP: 6144:lGS1Y9k1YS0m8z4By4u4QAGcZO3aijDSHXPzDd8tVxKxG1BrsFFeBOw3Sc8c0e8r:j1YgY1muRcOjIzDd8tLKxG1BrBfSXZ
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid   Process
  3248  bIfBbLkGjNb06511.exe
- Executes dropped EXE (1 IoCs)
  pid   Process
  3248  bIfBbLkGjNb06511.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                                                  Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bIfBbLkGjNb06511 = "C:\\ProgramData\\bIfBbLkGjNb06511\\bIfBbLkGjNb06511.exe"  bIfBbLkGjNb06511.exe
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\X:  bIfBbLkGjNb06511.exe
  File opened (read-only)  \??\Y:  bIfBbLkGjNb06511.exe
  File opened (read-only)  \??\E:  bIfBbLkGjNb06511.exe
  File opened (read-only)  \??\J:  bIfBbLkGjNb06511.exe
  File opened (read-only)  \??\Q:  bIfBbLkGjNb06511.exe
  File opened (read-only)  \??\W:  bIfBbLkGjNb06511.exe
  File opened (read-only)  \??\Z:  bIfBbLkGjNb06511.exe
  File opened (read-only)  \??\G:  bIfBbLkGjNb06511.exe
  File opened (read-only)  \??\O:  bIfBbLkGjNb06511.exe
  File opened (read-only)  \??\V:  bIfBbLkGjNb06511.exe
  File opened (read-only)  \??\M:  bIfBbLkGjNb06511.exe
  File opened (read-only)  \??\S:  bIfBbLkGjNb06511.exe
  File opened (read-only)  \??\K:  bIfBbLkGjNb06511.exe
  File opened (read-only)  \??\L:  bIfBbLkGjNb06511.exe
  File opened (read-only)  \??\N:  bIfBbLkGjNb06511.exe
  File opened (read-only)  \??\P:  bIfBbLkGjNb06511.exe
  File opened (read-only)  \??\R:  bIfBbLkGjNb06511.exe
  File opened (read-only)  \??\T:  bIfBbLkGjNb06511.exe
  File opened (read-only)  \??\H:  bIfBbLkGjNb06511.exe
  File opened (read-only)  \??\I:  bIfBbLkGjNb06511.exe
  File opened (read-only)  \??\U:  bIfBbLkGjNb06511.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  4676  b777afa8c515a3deb45611907d350624.exe
  4676  b777afa8c515a3deb45611907d350624.exe
  4676  b777afa8c515a3deb45611907d350624.exe
  4676  b777afa8c515a3deb45611907d350624.exe
  3248  bIfBbLkGjNb06511.exe
  3248  bIfBbLkGjNb06511.exe
  4676  b777afa8c515a3deb45611907d350624.exe
  4676  b777afa8c515a3deb45611907d350624.exe
  3248  bIfBbLkGjNb06511.exe
  3248  bIfBbLkGjNb06511.exe
  4676  b777afa8c515a3deb45611907d350624.exe
  4676  b777afa8c515a3deb45611907d350624.exe
  3248  bIfBbLkGjNb06511.exe
  3248  bIfBbLkGjNb06511.exe
  3248  bIfBbLkGjNb06511.exe
  3248  bIfBbLkGjNb06511.exe
  4676  b777afa8c515a3deb45611907d350624.exe
  4676  b777afa8c515a3deb45611907d350624.exe
  3248  bIfBbLkGjNb06511.exe
  3248  bIfBbLkGjNb06511.exe
  4676  b777afa8c515a3deb45611907d350624.exe
  4676  b777afa8c515a3deb45611907d350624.exe
  3248  bIfBbLkGjNb06511.exe
  3248  bIfBbLkGjNb06511.exe
  4676  b777afa8c515a3deb45611907d350624.exe
  4676  b777afa8c515a3deb45611907d350624.exe
  3248  bIfBbLkGjNb06511.exe
  3248  bIfBbLkGjNb06511.exe
  4676  b777afa8c515a3deb45611907d350624.exe
  4676  b777afa8c515a3deb45611907d350624.exe
  3248  bIfBbLkGjNb06511.exe
  3248  bIfBbLkGjNb06511.exe
  4676  b777afa8c515a3deb45611907d350624.exe
  4676  b777afa8c515a3deb45611907d350624.exe
  4676  b777afa8c515a3deb45611907d350624.exe
  4676  b777afa8c515a3deb45611907d350624.exe
  3248  bIfBbLkGjNb06511.exe
  3248  bIfBbLkGjNb06511.exe
  3248  bIfBbLkGjNb06511.exe
  3248  bIfBbLkGjNb06511.exe
  4676  b777afa8c515a3deb45611907d350624.exe
  4676  b777afa8c515a3deb45611907d350624.exe
  4676  b777afa8c515a3deb45611907d350624.exe
  4676  b777afa8c515a3deb45611907d350624.exe
  3248  bIfBbLkGjNb06511.exe
  3248  bIfBbLkGjNb06511.exe
  3248  bIfBbLkGjNb06511.exe
  3248  bIfBbLkGjNb06511.exe
  4676  b777afa8c515a3deb45611907d350624.exe
  4676  b777afa8c515a3deb45611907d350624.exe
  4676  b777afa8c515a3deb45611907d350624.exe
  4676  b777afa8c515a3deb45611907d350624.exe
  3248  bIfBbLkGjNb06511.exe
  3248  bIfBbLkGjNb06511.exe
  3248  bIfBbLkGjNb06511.exe
  3248  bIfBbLkGjNb06511.exe
  4676  b777afa8c515a3deb45611907d350624.exe
  4676  b777afa8c515a3deb45611907d350624.exe
  4676  b777afa8c515a3deb45611907d350624.exe
  4676  b777afa8c515a3deb45611907d350624.exe
  3248  bIfBbLkGjNb06511.exe
  3248  bIfBbLkGjNb06511.exe
  3248  bIfBbLkGjNb06511.exe
  3248  bIfBbLkGjNb06511.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  4676  b777afa8c515a3deb45611907d350624.exe
  Token: SeDebugPrivilege  3248  bIfBbLkGjNb06511.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  3248  bIfBbLkGjNb06511.exe
  3248  bIfBbLkGjNb06511.exe
- Suspicious use of SendNotifyMessage (2 IoCs)
  pid   Process
  3248  bIfBbLkGjNb06511.exe
  3248  bIfBbLkGjNb06511.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  3248  bIfBbLkGjNb06511.exe
  3248  bIfBbLkGjNb06511.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process                               procid_target
  PID 4676 wrote to memory of 3248  4676  b777afa8c515a3deb45611907d350624.exe  89
  PID 4676 wrote to memory of 3248  4676  b777afa8c515a3deb45611907d350624.exe  89
  PID 4676 wrote to memory of 3248  4676  b777afa8c515a3deb45611907d350624.exe  89
Processes
- C:\Users\Admin\AppData\Local\Temp\b777afa8c515a3deb45611907d350624.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b777afa8c515a3deb45611907d350624.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4676
  - C:\ProgramData\bIfBbLkGjNb06511\bIfBbLkGjNb06511.exe (child of PID 4676)
    Command line: "C:\ProgramData\bIfBbLkGjNb06511\bIfBbLkGjNb06511.exe" "C:\Users\Admin\AppData\Local\Temp\b777afa8c515a3deb45611907d350624.exe"
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID: 3248
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 312KB
MD5: 2e457cf85716989322623ef1c21d8a09
SHA1: 984cb9e7339b847abbf34f562671faaecbd14604
SHA256: 2844ea2ad013dc1295b8a9d22590f01670268e946166d35e39994fba24345682
SHA512: 0fa403767e49edca8186913e357b865f8b75559385a865c4eac7fb8108ab1583f9d14811817bb13bbc47c8452766910c091d85723330b4843da4214a4dc0146a