Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/03/2024, 03:33

General

  • Target

    bd8ebc8a73354d912d96648c0a4924ad.exe

  • Size

    1.2MB

  • MD5

    bd8ebc8a73354d912d96648c0a4924ad

  • SHA1

    341395c5e8160febd846c8e45897d60e5d73c985

  • SHA256

    ab5fd5b542977645488e296770bbb76137d4893ecb9eddaf3e492bce5f5aa6ce

  • SHA512

    4b4db5d676b158b7861ffaa9ad5287d0315d61f0f8c44ece5abb2572047ab3729694b6fec55e3a581fd23cb3447e476d6299b8e9dd176f1f40b0cf9e08b184e7

  • SSDEEP

    24576:ZB51ZMgyuhpuwvq8qLduQgfbZi9jnv5GtWKjN0:p1ZbhTvq8qLBgjZsjKWK50

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bd8ebc8a73354d912d96648c0a4924ad.exe
    "C:\Users\Admin\AppData\Local\Temp\bd8ebc8a73354d912d96648c0a4924ad.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:3696
    • C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
      "C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1572
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c LvTasfZdX
        3⤵
          PID:4708
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c cmd < Rapiva.mov
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1412
          • C:\Windows\SysWOW64\cmd.exe
            cmd
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:808
            • C:\Windows\SysWOW64\findstr.exe
              findstr /V /R "^pAvofqIrkohjdrCgCTcBhWrPbuXmHqloifUaNcpwSZexQIXXPwRGojGjbGKoroclYytqolBuKxJgUJZOpqKGoDZUJIVuKqXJDRcKDXOFmLVODaaNHWZrnPwxulsAgccJvZKehgkkktubI$" Sento.mov
              5⤵
                PID:4300
              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Arteria.exe.com
                Arteria.exe.com U
                5⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:408
                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Arteria.exe.com
                  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Arteria.exe.com U
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Checks processor information in registry
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:1332
                  • C:\Windows\SysWOW64\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vgjqwhqqj.vbs"
                    7⤵
                    • Blocklisted process makes network request
                    PID:512
              • C:\Windows\SysWOW64\PING.EXE
                ping localhost -n 30
                5⤵
                • Runs ping.exe
                PID:1648
        • C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
          "C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"
          2⤵
          • Drops startup file
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3400
          • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
            "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: AddClipboardFormatListener
            PID:5044
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 1004
            3⤵
            • Program crash
            PID:1612
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3400 -ip 3400
        1⤵
          PID:1700

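The tree above shows the dropper chain in a form that is easy to miss in raw telemetry: cmd.exe fed its script from Rapiva.mov on stdin, findstr.exe ran with /V /R and a long anchored literal against Sento.mov, Arteria.exe.com then appeared in the same IXP000.TMP directory at the same listed size as Sento.mov (872KB), and ping localhost -n 30 served as a delay. Because cmd.exe handles redirection itself, the process list cannot show where findstr's output went; that it was written to Arteria.exe.com is an assumption consistent with the sizes, not something the page states. The Python below is an added example written for this page, not Triage's code or anything from the sample: it replays behavioural rules over events transcribed from the tree (constructed here, with 0 standing in for the unseen parent of the root), walks the parent links so a hit on WScript.exe can be tied back to the dropper, and emulates the line-filtering semantics of findstr /V on constructed bytes. The rule names and the fake payload bytes are this example's own.

```python
"""Triage helpers for the process tree above.

detect_chain() runs behavioural rules over process-creation events that are
constructed here from the PIDs and command lines in the tree (not read from a
sensor).  lineage() walks parent links so a hit on WScript.exe can be tied back
to the dropper.  carve_like_findstr() emulates the line-filtering semantics of
`findstr /V /R "^<marker>$" <file>` on constructed bytes to show how a payload
prefixed with a junk line comes back out intact.
"""
import re
from typing import Dict, List, Tuple

# The anchored pattern passed to findstr.exe (PID 4300) in the tree.
JUNK = ("pAvofqIrkohjdrCgCTcBhWrPbuXmHqloifUaNcpwSZexQIXXPwRGojGjbGKoroclYytqol"
        "BuKxJgUJZOpqKGoDZUJIVuKqXJDRcKDXOFmLVODaaNHWZrnPwxulsAgccJvZKehgkkktubI")
TMP = r"C:\Users\Admin\AppData\Local\Temp"

# (pid, ppid, image, command line) transcribed from the tree; the root's parent
# is not shown on the page, so 0 stands in for it.
EVENTS: List[Tuple[int, int, str, str]] = [
    (3696, 0, TMP + r"\bd8ebc8a73354d912d96648c0a4924ad.exe", f'"{TMP}\\bd8ebc8a73354d912d96648c0a4924ad.exe"'),
    (1572, 3696, TMP + r"\New Feature\vpn.exe", f'"{TMP}\\New Feature\\vpn.exe"'),
    (4708, 1572, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c LvTasfZdX"),
    (1412, 1572, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c cmd < Rapiva.mov"),
    (808, 1412, r"C:\Windows\SysWOW64\cmd.exe", "cmd"),
    (4300, 808, r"C:\Windows\SysWOW64\findstr.exe", f'findstr /V /R "^{JUNK}$" Sento.mov'),
    (408, 808, TMP + r"\IXP000.TMP\Arteria.exe.com", "Arteria.exe.com U"),
    (1332, 408, TMP + r"\IXP000.TMP\Arteria.exe.com", TMP + r"\IXP000.TMP\Arteria.exe.com U"),
    (512, 1332, r"C:\Windows\SysWOW64\WScript.exe", f'"C:\\Windows\\System32\\WScript.exe" "{TMP}\\vgjqwhqqj.vbs"'),
    (1648, 808, r"C:\Windows\SysWOW64\PING.EXE", "ping localhost -n 30"),
    (3400, 3696, TMP + r"\New Feature\4.exe", f'"{TMP}\\New Feature\\4.exe"'),
    (5044, 3400, r"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe", r'"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"'),
    (1612, 3400, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 1004"),
]


def _base(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def detect_chain(events: List[Tuple[int, int, str, str]] = EVENTS) -> Dict[int, List[str]]:
    """Return {pid: [rule names]} for every event that trips at least one rule.
    Rule names are this example's own, not Triage signature names."""
    hits: Dict[int, List[str]] = {}

    def flag(pid: int, rule: str) -> None:
        hits.setdefault(pid, []).append(rule)

    for pid, _ppid, image, cmd in events:
        base, low = _base(image), cmd.lower()
        # cmd.exe reading its script from stdin, and from a file with a media
        # extension: batch logic is normally run with /c or /k, not `<`.
        if base == "cmd.exe" and re.search(r"<\s*\S+\.(mov|mp4|txt|dat|tmp)\b", low):
            flag(pid, "cmd_stdin_redirect_nonscript")
        # findstr /V with an anchored, implausibly long literal: every line
        # except the junk marker is kept, which is a payload reconstruction.
        if base == "findstr.exe" and " /v" in low and re.search(r'"\^[^"]{40,}\$"', cmd):
            flag(pid, "findstr_v_junkline_carve")
        if base.endswith(".exe.com"):
            flag(pid, "double_extension_exe_com")
        if base == "ping.exe":
            m = re.search(r"(localhost|127\.0\.0\.1).*-n\s+(\d+)", low)
            if m and int(m.group(2)) >= 5:          # loopback ping as a sleep
                flag(pid, "ping_loopback_delay")
        if base in ("wscript.exe", "cscript.exe") and "\\appdata\\local\\temp\\" in low:
            flag(pid, "script_host_from_temp")
    return hits


def lineage(events: List[Tuple[int, int, str, str]], pid: int) -> List[int]:
    """Walk parent links from pid up to the root of the tree."""
    parents = {p: pp for p, pp, _, _ in events}
    chain: List[int] = []
    while pid in parents:
        chain.append(pid)
        pid = parents[pid]
    return chain


def carve_like_findstr(data: bytes, marker: bytes) -> bytes:
    """Emulate `findstr /V /R "^<marker>$" file`: drop each line whose body is
    exactly the marker and keep every other byte, line endings included.
    Lines end at LF and an optional CR before the LF is not part of the body.
    Only the filtering semantics are modelled, not findstr's own I/O quirks on
    binary input."""
    kept = []
    for chunk in re.split(rb"(?<=\n)", data):
        if not chunk:
            continue
        body = chunk[:-1] if chunk.endswith(b"\n") else chunk
        if body.endswith(b"\r"):
            body = body[:-1]
        if body != marker:
            kept.append(chunk)
    return b"".join(kept)


if __name__ == "__main__":
    for pid, rules in detect_chain().items():
        print(pid, lineage(EVENTS, pid), rules)
    # Constructed stand-in for a junk-line-prefixed payload (not the real file).
    fake = b"JUNK\r\nMZ\x90\x00\x03\r\nPE\x00\x00"
    print(carve_like_findstr(fake, b"JUNK"))
```

On the real artifacts the carving assumption can be checked directly: run carve_like_findstr over Sento.mov with the marker from the findstr command line and compare the SHA256 of the result with the Arteria.exe.com hash listed under Downloads. Matching sizes to the kilobyte are consistent with that relationship but are not proof of it. The rules are deliberately narrow (stdin redirect from a media extension, a 40-plus-character anchored findstr literal, a loopback ping of five or more echoes) so that they stay quiet on ordinary batch usage; widen them only with a baseline from your own fleet.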
        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\33ED.tmp

          Filesize

          313B

          MD5

          bee55e52500f967c3d9402e05dd57f65

          SHA1

          d8dc65ec97c6288e1fd10b8c4f8502e5a8a5bbf6

          SHA256

          b90eae4b05d321efc4519963349c1775dcea8e3b0ae53b50285545380b6539c0

          SHA512

          b8624a934fb74760f5b231ca97e89074b227ad9fe3bb08b01a81cf35760f06b346f395cf6683df5881dc429ae77af0d0a07cfeb9c9ec127e4e917191bf8c91da

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Arteria.exe.com

          Filesize

          872KB

          MD5

          c56b5f0201a3b3de53e561fe76912bfd

          SHA1

          2a4062e10a5de813f5688221dbeb3f3ff33eb417

          SHA256

          237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

          SHA512

          195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Disconosci.mov

          Filesize

          139KB

          MD5

          21f79182b467153526fb9e97b33ef0d5

          SHA1

          c9f7939dc228b53f3993e6262f609bd915187ef1

          SHA256

          4cae657014aa9d240dca1339626ea9ff4442695b7c758e77146803da475d31a0

          SHA512

          8ce012401417e02c90b09f18cf736355fb2628f0f97bc4fa6bbab3e123ae107713e774ddd7628748d2407443e001734a6d0d8418d849827104d5c0721a88ed37

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mutato.mov

          Filesize

          713KB

          MD5

          a4f3ac1965f029dfee419427023a353f

          SHA1

          747f357205809bb3732d65d1dd4c814ec2c5bf47

          SHA256

          13cf314114608f1b8277ca7647b5210a60275469567967080a689c6c0fdf4533

          SHA512

          7f471b096547015c69a886c7d376a352fc7c93aee7ed18b57079768027d557902d5c32a314ab4bee00f79c284981e2c3571e8314b9914bf00e984503ec450178

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rapiva.mov

          Filesize

          497B

          MD5

          83641c3aa461594855a69ea3be59c332

          SHA1

          d45ea8168604649acc3a896c4b4a06ed63f8413e

          SHA256

          e64a1cb9aa2c169c8edb5d962f9bc679f852b6ae4364cca86e7b01b1c0d4479d

          SHA512

          5bca38d69d9f959d762e52fa69e3471c90f052d664f7fb899183fa099835e1a03e71fa14379ad99f5198d5d64ac2522145e3bc6056a67af0a7d4412e5a9cd084

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sento.mov

          Filesize

          872KB

          MD5

          37612b1671d135e0be914f0106f397f7

          SHA1

          cde049dcdc196d2174925b5a06fbb22d424ad2ac

          SHA256

          7167e77a7461f0acb586e23ec43ad218fa5cea2ecd6dd80c62d35be452680912

          SHA512

          4d08c4b79fcb70d70a82e365231354f5f6e67d0a3ccb58a97733e416cf731422479525a45a0e3a782dc045420e89f6fa79e3a8665ff2ef44a8fb1e2dc6f621a5

        • C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe

          Filesize

          356KB

          MD5

          63298373ec0b3d06cd3b6e9cffd4ab79

          SHA1

          2f6482a9d617e7d0bc21e78258cb08677de52e69

          SHA256

          eebd782f6612da1133b0e130bf751578de50cadfd0268b98ce4a31815edc636c

          SHA512

          3948a304b82c055e37082948668c11b39cb3c47adc729cb2d7018fde5b78441f84420b101122360906f03c5299eb543082cc55513bfc84513042416faa5276a1

        • C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe

          Filesize

          1.0MB

          MD5

          c947291b42012d2f82b7d9896630584b

          SHA1

          0854ce780aa21d642d03269fb6977370af1a254c

          SHA256

          b317a4e36ea8c4f943d6f1d3f933bb96d29aa6ba16c48a7b5c9db07b5a17bbd2

          SHA512

          f74987266c2df4acfb2c02a162e0028ca2a7b3c611ff041531c34d3a0cf5bcd4f458f846713e1384731087848c42a84b6b51ed6e6f6ead6a75c14845e808276e

        • C:\Users\Admin\AppData\Local\Temp\nsn7408.tmp\UAC.dll

          Filesize

          14KB

          MD5

          adb29e6b186daa765dc750128649b63d

          SHA1

          160cbdc4cb0ac2c142d361df138c537aa7e708c9

          SHA256

          2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

          SHA512

          b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

        • C:\Users\Admin\AppData\Local\Temp\vgjqwhqqj.vbs

          Filesize

          138B

          MD5

          0f29d1055617a1643ef0e71e5258d187

          SHA1

          b85c6e32e0b99b7470404cfd118a01a3bc422f7e

          SHA256

          bb49e19ac1dccbfcceb5ff1506533fdcf76ee4f7266796de4e11379b0b7e7483

          SHA512

          90ec50bac8f7981bd578cfe8342e0fc8db2907c4d11aa5f125bb95303ff9446d5a3cb3ddbad47bc733dfb6e2e61fbf84494c49b19416b461689896d573ba2c99

        • memory/1332-60-0x0000000003C60000-0x0000000003C87000-memory.dmp

          Filesize

          156KB

        • memory/1332-62-0x0000000003C60000-0x0000000003C87000-memory.dmp

          Filesize

          156KB

        • memory/1332-80-0x0000000003C60000-0x0000000003C87000-memory.dmp

          Filesize

          156KB

        • memory/1332-66-0x0000000003C60000-0x0000000003C87000-memory.dmp

          Filesize

          156KB

        • memory/1332-63-0x0000000003C60000-0x0000000003C87000-memory.dmp

          Filesize

          156KB

        • memory/1332-57-0x0000000000C70000-0x0000000000C71000-memory.dmp

          Filesize

          4KB

        • memory/1332-58-0x0000000003C60000-0x0000000003C87000-memory.dmp

          Filesize

          156KB

        • memory/1332-59-0x0000000003C60000-0x0000000003C87000-memory.dmp

          Filesize

          156KB

        • memory/1332-61-0x0000000003C60000-0x0000000003C87000-memory.dmp

          Filesize

          156KB

        • memory/3400-45-0x0000000000400000-0x0000000003255000-memory.dmp

          Filesize

          46.3MB

        • memory/3400-52-0x0000000000400000-0x0000000003255000-memory.dmp

          Filesize

          46.3MB

        • memory/3400-38-0x00000000033E0000-0x0000000003406000-memory.dmp

          Filesize

          152KB

        • memory/3400-36-0x0000000003490000-0x0000000003590000-memory.dmp

          Filesize

          1024KB

        • memory/5044-50-0x0000000003610000-0x0000000003710000-memory.dmp

          Filesize

          1024KB

        • memory/5044-56-0x0000000003610000-0x0000000003710000-memory.dmp

          Filesize

          1024KB

        • memory/5044-51-0x0000000000400000-0x0000000003255000-memory.dmp

          Filesize

          46.3MB