Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 08/03/2024, 11:26
Static task: static1
Behavioral task: behavioral1
  Sample: bb2581163aeb6121a7e36581cf01ce7e.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: bb2581163aeb6121a7e36581cf01ce7e.exe
  Resource: win10v2004-20240226-en
General
Target: bb2581163aeb6121a7e36581cf01ce7e.exe
Size: 26KB
MD5: bb2581163aeb6121a7e36581cf01ce7e
SHA1: 9eb48372562b901ab97f25e9e6cbfdc6b9376327
SHA256: 6854e3fa80c62461c88197f0161d3b4040230f86f818b626b9ffe13d61a12d87
SHA512: 5fdd96b69490e53266a47528fc1aacaef9daba0ff9279a9e31f04cdfc4bde41609e5db0515e308472038135afbc469af3e6fcf7dc59b8edc4e359f44616781b3
SSDEEP: 384:38zIhOcql6/i9p5GBFK08Iu/DmzATFDMCVVRNzsG5jtkeYI4awzfMGNtoXaAiF:38KCpIFHEYknzsG5jWU4jvoXfS
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bb2581163aeb6121a7e36581cf01ce7e.exe" | bb2581163aeb6121a7e36581cf01ce7e.exe
- Drops file in System32 directory (9 IoCs)
  description | ioc | Process
  File created | C:\Windows\System32\DriverStore\FileRepository\urschipidea.inf_amd64_78ad1c14e33df968\urschipidea.sys | bb2581163aeb6121a7e36581cf01ce7e.exe
  File created | C:\Windows\System32\DriverStore\FileRepository\vrd.inf_amd64_81fbd405ff2470fc\vrd.sys | bb2581163aeb6121a7e36581cf01ce7e.exe
  File created | C:\Windows\System32\DriverStore\FileRepository\swenum.inf_amd64_16a14542b63c02af\swenum.sys | bb2581163aeb6121a7e36581cf01ce7e.exe
  File created | C:\Windows\System32\DriverStore\FileRepository\genericusbfn.inf_amd64_53931f0ae21d6d2c\genericusbfn.sys | bb2581163aeb6121a7e36581cf01ce7e.exe
  File created | C:\Windows\System32\DriverStore\FileRepository\uefi.inf_amd64_c1628ffa62c8e54c\UEFI.sys | bb2581163aeb6121a7e36581cf01ce7e.exe
  File created | C:\Windows\System32\DriverStore\FileRepository\ufxchipidea.inf_amd64_1c78775fffab6a0a\UfxChipidea.sys | bb2581163aeb6121a7e36581cf01ce7e.exe
  File created | C:\Windows\System32\DriverStore\FileRepository\umbus.inf_amd64_b78a9c5b6fd62c27\umbus.sys | bb2581163aeb6121a7e36581cf01ce7e.exe
  File created | C:\Windows\System32\DriverStore\FileRepository\urssynopsys.inf_amd64_057fa37902020500\urssynopsys.sys | bb2581163aeb6121a7e36581cf01ce7e.exe
  File created | C:\Windows\System32\DriverStore\FileRepository\compositebus.inf_amd64_7500cffa210c6946\CompositeBus.sys | bb2581163aeb6121a7e36581cf01ce7e.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  pid | Process
  3420 | bb2581163aeb6121a7e36581cf01ce7e.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  3420 | bb2581163aeb6121a7e36581cf01ce7e.exe
  3420 | bb2581163aeb6121a7e36581cf01ce7e.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3420 | bb2581163aeb6121a7e36581cf01ce7e.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 3420 wrote to memory of 796 | 3420 | bb2581163aeb6121a7e36581cf01ce7e.exe | 10
  PID 3420 wrote to memory of 4604 | 3420 | bb2581163aeb6121a7e36581cf01ce7e.exe | 92
  PID 3420 wrote to memory of 4604 | 3420 | bb2581163aeb6121a7e36581cf01ce7e.exe | 92
  PID 3420 wrote to memory of 4604 | 3420 | bb2581163aeb6121a7e36581cf01ce7e.exe | 92
Processes
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p
  PID: 796
- C:\Users\Admin\AppData\Local\Temp\bb2581163aeb6121a7e36581cf01ce7e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bb2581163aeb6121a7e36581cf01ce7e.exe"
  PID: 3420
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\iexplore.exe (child of PID 3420)
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" %1
    PID: 4604
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 6KB
  MD5: a240958fe9d5acbe71a2b3c3a11e1102
  SHA1: b9413646979bb90da854a8509aa3594fb5e2a79b
  SHA256: 6118af8a4e3c776f412e026bbaac204714d787036eeafb0406685d1f65ce7be3
  SHA512: 09667b4fda6b8276b428fcbe57f66acb317b7e21b1e22d55ecb354e54b1352e697dcb5e2d9d9be890f694d6e1deaadda86ebca008c25eca084c2ea89678c1944