Windows 7 deprecation notice: Windows 7 will be removed from tria.ge on 2025-03-31.
Analysis
Max time kernel: 149s
Max time network: 121s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 13/03/2024, 16:26

Static task: static1
Behavioral task: behavioral1
  Sample: c657885b18b244e54f8292933f74018e.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: c657885b18b244e54f8292933f74018e.exe
  Resource: win10v2004-20240226-en
General
Target: c657885b18b244e54f8292933f74018e.exe
Size: 432KB
MD5: c657885b18b244e54f8292933f74018e
SHA1: 0e87b183da4571b9a57fc9d249c7bf9a6f0a1d41
SHA256: 1941cf4f2cc2aba80c51002946dd2c0f75da10b0e169a5d7db67985e6d41c99c
SHA512: 515b42b12ec93bbdd9c57b155a09e1e40d6dcacb9b466c9e08684dccf65a487eb85940df840af0676299acf9bd547b869be9caff7a61bc5d59486bc658b13aa8
SSDEEP: 12288:441TXKOrbNfYJmiyjjM0xdeTOLG9vZ23F:4kTaO3NfSmiyjIsm5xQF
Malware Config
Signatures
Disables Task Manager via registry modification
  (the DisableTaskMgr value is listed under "System policy modification" below)

Executes dropped EXE (1 IoC)
  PID 2052  dRBAHQLTbF.exe

Loads dropped DLL (2 IoCs)
  PID 1756  c657885b18b244e54f8292933f74018e.exe
  PID 1756  c657885b18b244e54f8292933f74018e.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: c657885b18b244e54f8292933f74018e.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\dRBAHQLTbF = "C:\\ProgramData\\dRBAHQLTbF.exe"
  This is a per-user (HKCU) Run entry pointing at the copy dropped into C:\ProgramData, so the payload is relaunched at every logon of that user.

Maps connected drives based on registry (3 TTPs, 4 IoCs)
  Services\Disk\Enum holds the device-instance path of every attached disk. Malware reads it to look for hypervisor vendor strings in the disk model and so detect a sandbox or VM; here both the original and the dropped copy query the first entry.
  Key opened:        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    (c657885b18b244e54f8292933f74018e.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  (c657885b18b244e54f8292933f74018e.exe)
  Key opened:        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    (dRBAHQLTbF.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  (dRBAHQLTbF.exe)
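What a read of Services\Disk\Enum\0 gives the sample, as an added example (this is not code from the sample or from tria.ge): each numbered value under Disk\Enum is the device-instance path of one disk, and the vendor/product fields in it name the hypervisor on a virtual machine. The report only records that the value was queried; the three sample paths in SAMPLE_ENTRIES and the list of hypervisor markers in VIRTUAL_MARKERS are my own representative assumptions about what such values typically contain, not data from the report. read_disk_enum_entries reads the live key on Windows and falls back to the constructed samples elsewhere.

```python
from __future__ import annotations

import re
import sys

# Markers that commonly appear in the vendor/product fields of virtual disks.
# Assumption: representative hypervisor strings, not something the report states.
VIRTUAL_MARKERS = ("vmware", "vbox", "virtual", "qemu", "xen")

# Device-instance paths as they appear in Services\Disk\Enum\<n>.
# Constructed, representative examples; the report does not print the value it read.
SAMPLE_ENTRIES = {
    "vmware_scsi": r"SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1d2a3b4c&0&000000",
    "vbox_ide": r"IDE\DiskVBOX_HARDDISK___________________________1.0_____\5&12f4e2a0&0&0.0.0",
    "physical": r"SCSI\Disk&Ven_SAMSUNG&Prod_MZVLB512HAJQ-000\4&2c0b9d5e&0&000000",
}

# SCSI-style IDs carry explicit &Ven_ / &Prod_ fields; IDE-style IDs pack the
# model string straight after "Disk" with underscores as padding.
SCSI_RE = re.compile(r"^(?P<bus>[A-Z]+)\\Disk&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)", re.I)
IDE_RE = re.compile(r"^(?P<bus>[A-Z]+)\\Disk(?P<model>[^\\]*)", re.I)


def parse_disk_enum_entry(entry: str) -> dict:
    """Split a Disk\\Enum device-instance path into bus / vendor / product."""
    m = SCSI_RE.match(entry)
    if m:
        return {
            "bus": m["bus"].upper(),
            "vendor": m["vendor"].replace("_", " ").strip(),
            "product": m["product"].replace("_", " ").strip(),
        }
    m = IDE_RE.match(entry)
    if m:
        model = re.sub(r"_+", " ", m["model"]).strip()
        return {"bus": m["bus"].upper(), "vendor": "", "product": model}
    return {"bus": "", "vendor": "", "product": entry}


def looks_virtual(entry: str) -> bool:
    """True when the vendor or product field carries a hypervisor marker."""
    fields = parse_disk_enum_entry(entry)
    haystack = f"{fields['vendor']} {fields['product']}".lower()
    return any(marker in haystack for marker in VIRTUAL_MARKERS)


def read_disk_enum_entries(control_set: str = "ControlSet001") -> list[str]:
    """Read Services\\Disk\\Enum\\0..Count-1 from the live registry.

    Windows only; returns an empty list elsewhere so the module stays importable.
    The report's sample read ControlSet001 directly rather than CurrentControlSet.
    """
    if sys.platform != "win32":
        return []
    import winreg

    path = rf"SYSTEM\{control_set}\Services\Disk\Enum"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        count, _ = winreg.QueryValueEx(key, "Count")
        return [winreg.QueryValueEx(key, str(i))[0] for i in range(count)]


if __name__ == "__main__":
    entries = read_disk_enum_entries() or list(SAMPLE_ENTRIES.values())
    for e in entries:
        verdict = "virtual" if looks_virtual(e) else "physical"
        print(f"{verdict:8} {parse_disk_enum_entry(e)}")
```

Run it inside an analysis VM and the first entry will usually name the hypervisor outright, which is why sandboxes that want to defeat this check patch the disk model string rather than hide the key.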
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings
  Process: c657885b18b244e54f8292933f74018e.exe
  Key created:     \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Download
  Set value (str): \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"
  CheckExeSignatures = "no" clears Internet Explorer's "Check for signatures on downloaded programs" option, so executables it downloads are no longer checked for an Authenticode signature.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1756  c657885b18b244e54f8292933f74018e.exe
  PID 2052  dRBAHQLTbF.exe
  (the report lists 64 hits: alternating between the two processes at first, then from PID 2052 alone)

Suspicious behavior: RenamesItself (1 IoC)
  PID 1756  c657885b18b244e54f8292933f74018e.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1756 (c657885b18b244e54f8292933f74018e.exe) wrote to the memory of PID 2052, procid_target 28; recorded four times.

System policy modification (1 TTP, 2 IoCs)
  Process: c657885b18b244e54f8292933f74018e.exe
  Key created:     \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"
  This is the machine-wide (HKLM) policy value behind the "Disables Task Manager via registry modification" signature; with it set to 1, Task Manager refuses to start for every user on the host.
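Turning the registry IoCs above into detection logic, as an added example that is not part of the tria.ge report: REPORT_EVENTS holds the report's own IoC rows, reassembled one per line, and parse_event handles the report's "operation path [= "value"] process" layout (including the doubled backslashes inside quoted values). The four rules (Run-key persistence, with an extra hit when the target lives in a user-writable directory; DisableTaskMgr; CheckExeSignatures; reads of Services\Disk\Enum) and their names are mine, and the USER_WRITABLE directory list is an assumption about where droppers usually park a copy.

```python
from __future__ import annotations

import re

# Registry events copied from the report's IoC tables, one event per line.
# Constructed input for the rules below (same text as the report, reassembled).
REPORT_EVENTS = r'''
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\dRBAHQLTbF = "C:\\ProgramData\\dRBAHQLTbF.exe" c657885b18b244e54f8292933f74018e.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum c657885b18b244e54f8292933f74018e.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 c657885b18b244e54f8292933f74018e.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 dRBAHQLTbF.exe
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Download c657885b18b244e54f8292933f74018e.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" c657885b18b244e54f8292933f74018e.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System c657885b18b244e54f8292933f74018e.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" c657885b18b244e54f8292933f74018e.exe
'''

# "<operation> <registry path> [= "<value>"] <process>"; the path may contain
# spaces (Internet Explorer), so it is matched lazily up to the trailing tokens.
EVENT_RE = re.compile(
    r'^(?P<op>Key opened|Key created|Key value queried|Set value \((?P<vtype>\w+)\))\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s+=\s+"(?P<value>.*)")?'
    r'\s+(?P<process>\S+)$'
)

# Directories a standard user can write to; a Run entry pointing here is
# far more suspicious than one pointing into Program Files. (Assumption.)
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\users\\public\\", "\\temp\\")


def parse_event(line: str) -> dict | None:
    """Parse one report row into op / vtype / path / value / process."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    if ev["value"] is not None:
        ev["value"] = ev["value"].replace("\\\\", "\\")  # report escapes backslashes in values
    ev["path_l"] = ev["path"].lower()
    return ev


def check_event(ev: dict) -> list[str]:
    """Return the names of the rules that fire on one registry event."""
    hits: list[str] = []
    p, v, is_set = ev["path_l"], ev["value"], ev["op"].startswith("Set value")
    if is_set and "\\currentversion\\run\\" in p:
        hits.append("persistence:run_key")
        if v and any(d in v.lower() for d in USER_WRITABLE):
            hits.append("persistence:run_key_user_writable_path")
    if is_set and p.endswith("\\policies\\system\\disabletaskmgr") and v == "1":
        hits.append("defense_evasion:disable_taskmgr")
    if is_set and p.endswith("\\internet explorer\\download\\checkexesignatures") and (v or "").lower() == "no":
        hits.append("defense_evasion:ie_checkexesignatures_off")
    if ev["op"] == "Key value queried" and "\\services\\disk\\enum\\" in p:
        hits.append("discovery:disk_enum_vm_check")
    return hits


def analyze(text: str) -> list[tuple[str, str, str]]:
    """(rule, process, path) for every rule hit across the event lines."""
    findings = []
    for line in text.strip().splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        for rule in check_event(ev):
            findings.append((rule, ev["process"], ev["path"]))
    return findings


if __name__ == "__main__":
    for rule, proc, path in analyze(REPORT_EVENTS):
        print(f"{rule:42} {proc:40} {path}")
```

On the report's rows this yields six findings: both persistence rules on the Run entry, the Disk\Enum discovery rule once per process (1756 and 2052), and the two defense-evasion rules on the original sample. The same rule bodies carry over to Sysmon Event ID 13 (RegistryEvent value set) by feeding TargetObject, Details and Image in place of path, value and process.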
Processes

1. C:\Users\Admin\AppData\Local\Temp\c657885b18b244e54f8292933f74018e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c657885b18b244e54f8292933f74018e.exe"
   PID: 1756
   Signatures:
   - Loads dropped DLL
   - Adds Run key to start application
   - Maps connected drives based on registry
   - Modifies Internet Explorer settings
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: RenamesItself
   - Suspicious use of WriteProcessMemory
   - System policy modification

   2. C:\ProgramData\dRBAHQLTbF.exe  (child of PID 1756)
      Command line: "C:\ProgramData\dRBAHQLTbF.exe"
      PID: 2052
      Signatures:
      - Executes dropped EXE
      - Maps connected drives based on registry
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 432KB
MD5: c657885b18b244e54f8292933f74018e
SHA1: 0e87b183da4571b9a57fc9d249c7bf9a6f0a1d41
SHA256: 1941cf4f2cc2aba80c51002946dd2c0f75da10b0e169a5d7db67985e6d41c99c
SHA512: 515b42b12ec93bbdd9c57b155a09e1e40d6dcacb9b466c9e08684dccf65a487eb85940df840af0676299acf9bd547b869be9caff7a61bc5d59486bc658b13aa8
These hashes are identical to the submitted sample's (see General above), so this entry is a byte-for-byte copy of the original file, consistent with the sample copying itself to C:\ProgramData\dRBAHQLTbF.exe rather than dropping a distinct second stage.