Analysis
  max time kernel: 142s
  max time network: 129s
  platform: windows10-2004_x64
  resource: win10v2004-20240226-en
  resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
  submitted: 15/03/2024, 08:35
Static task: static1
Behavioral task: behavioral1
  Sample: bac03e7065835ff2e82f01801740a5e0.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: bac03e7065835ff2e82f01801740a5e0.exe
  Resource: win10v2004-20240226-en
General
  Target: bac03e7065835ff2e82f01801740a5e0.exe
  Size: 1.3MB
  MD5: bac03e7065835ff2e82f01801740a5e0
  SHA1: 2bf512bc4f3d6f1bece40073ddedadad65264166
  SHA256: 04c031ecbff301c0c7c55c8c9352dea457370b221c314710e2e94575b8caf45b
  SHA512: a2ee185a51f1ee7d53a622013ccb9f47c9893f304dce3413d53399ad3d757ed0dd7782f8dbe3f60c8f19c9f69fd40fc8fbb3b59aa09279871a3ee50878f50d97
  SSDEEP: 24576:r4VrnNUc9BJxetHXQf/R4GdfEzh7B905zfXKkfz+bVILjMxuY:cFNlYXI/R4GduL05zfXdfgVILY1
Malware Config
Signatures
  Brute Ratel C4
    A customized command and control framework for red teaming and adversary simulation.
  Checks computer location settings (2 TTPs, 1 IoC)
    Looks up country code configured in the registry, likely geofence.
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation
    Process: bac03e7065835ff2e82f01801740a5e0.exe
  Executes dropped EXE (1 IoC)
    pid: 4012 | Process: acrobat32.exe
  Drops file in Windows directory (1 IoC)
    description: File created
    ioc: C:\WINDOWS\SYSTEM.LOG
    Process: acrobat32.exe
  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  Suspicious behavior: GetForegroundWindowSpam (1 IoC)
    pid: 4012 | Process: acrobat32.exe
  Suspicious use of WriteProcessMemory (3 IoCs)
    description | pid | Process | procid_target
    PID 5112 wrote to memory of 4012 | 5112 | bac03e7065835ff2e82f01801740a5e0.exe | 90
    PID 5112 wrote to memory of 4012 | 5112 | bac03e7065835ff2e82f01801740a5e0.exe | 90
    PID 5112 wrote to memory of 4012 | 5112 | bac03e7065835ff2e82f01801740a5e0.exe | 90
Processes
  C:\Users\Admin\AppData\Local\Temp\bac03e7065835ff2e82f01801740a5e0.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\bac03e7065835ff2e82f01801740a5e0.exe"
    PID: 5112
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    C:\Arquivos de programas\acrobat32.exe
      Command line: "C:\Arquivos de programas\acrobat32.exe"
      PID: 4012
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 12.8MB
    MD5: 1c8304b0e7284173d57f031a999293b2
    SHA1: d0c95f0ac564e354b77aa90b651a2d791f36d26f
    SHA256: 109ea0be4ab5d49aa15aa19c4d0cd13e325c2ecdff5fdc4f807e9e1d2196bfbf
    SHA512: 62631d688626ca75b7905a2502655fb87f6a621013c97b83c6a97f8bf0ed61df9f39480dfa9eef92baf1ee946f07d8eb016f8066fcd7af023d67ff0721826bde
  Filesize: 15.7MB
    MD5: 8c42df506de40711d804fe0d65dce453
    SHA1: d086ac98658a94559b4a7dc8bad5c086ac9bcc7f
    SHA256: a6bd11d5aad8c555d3e1f8f9db0cc293f184ccfd1653729299176f4a129239a9
    SHA512: e077f47b0e78cefc746abadb0364f1f3c345b5838becbf4153a27dad09331a3b1c3e12a8ab3aeb6fd770793441c17709cc0060e29c550cec89032a8037d2a539
  Filesize: 2.9MB
    MD5: d4c337ace1db41cb569e58c56afaaff9
    SHA1: 56200d1f747b6c796d155c67693b7590a3421d04
    SHA256: 5f4b0334444feaf7299fb1ee0d46c9f844733ea9d1ee14e7f79bd80fb461a795
    SHA512: 6c16de49d190c0797c8e7034774bd3db817212c26da68174cad501a3000f65207fa497ef7ef3d6bc1f28d01f03d2cfb1e0d5b11119bf4e1da68527fb78991260