Resubmissions

15/03/2024, 08:35

240315-khfr5scb41 10

08/03/2024, 06:28

240308-g8rqjsac9y 10

Analysis

  • max time kernel
    142s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/03/2024, 08:35

General

  • Target

    bac03e7065835ff2e82f01801740a5e0.exe

  • Size

    1.3MB

  • MD5

    bac03e7065835ff2e82f01801740a5e0

  • SHA1

    2bf512bc4f3d6f1bece40073ddedadad65264166

  • SHA256

    04c031ecbff301c0c7c55c8c9352dea457370b221c314710e2e94575b8caf45b

  • SHA512

    a2ee185a51f1ee7d53a622013ccb9f47c9893f304dce3413d53399ad3d757ed0dd7782f8dbe3f60c8f19c9f69fd40fc8fbb3b59aa09279871a3ee50878f50d97

  • SSDEEP

    24576:r4VrnNUc9BJxetHXQf/R4GdfEzh7B905zfXKkfz+bVILjMxuY:cFNlYXI/R4GduL05zfXdfgVILY1

Score
10/10

Malware Config

Signatures

  • Brute Ratel C4

    A customized command and control framework for red teaming and adversary simulation.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bac03e7065835ff2e82f01801740a5e0.exe
    "C:\Users\Admin\AppData\Local\Temp\bac03e7065835ff2e82f01801740a5e0.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5112
    • C:\Arquivos de programas\acrobat32.exe
      "C:\Arquivos de programas\acrobat32.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious behavior: GetForegroundWindowSpam
      PID:4012

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Arquivos de programas\acrobat32.exe

    Filesize

    12.8MB

    MD5

    1c8304b0e7284173d57f031a999293b2

    SHA1

    d0c95f0ac564e354b77aa90b651a2d791f36d26f

    SHA256

    109ea0be4ab5d49aa15aa19c4d0cd13e325c2ecdff5fdc4f807e9e1d2196bfbf

    SHA512

    62631d688626ca75b7905a2502655fb87f6a621013c97b83c6a97f8bf0ed61df9f39480dfa9eef92baf1ee946f07d8eb016f8066fcd7af023d67ff0721826bde

  • C:\Arquivos de programas\acrobat32.exe

    Filesize

    15.7MB

    MD5

    8c42df506de40711d804fe0d65dce453

    SHA1

    d086ac98658a94559b4a7dc8bad5c086ac9bcc7f

    SHA256

    a6bd11d5aad8c555d3e1f8f9db0cc293f184ccfd1653729299176f4a129239a9

    SHA512

    e077f47b0e78cefc746abadb0364f1f3c345b5838becbf4153a27dad09331a3b1c3e12a8ab3aeb6fd770793441c17709cc0060e29c550cec89032a8037d2a539

  • C:\Arquivos de programas\acrobat32.exe

    Filesize

    2.9MB

    MD5

    d4c337ace1db41cb569e58c56afaaff9

    SHA1

    56200d1f747b6c796d155c67693b7590a3421d04

    SHA256

    5f4b0334444feaf7299fb1ee0d46c9f844733ea9d1ee14e7f79bd80fb461a795

    SHA512

    6c16de49d190c0797c8e7034774bd3db817212c26da68174cad501a3000f65207fa497ef7ef3d6bc1f28d01f03d2cfb1e0d5b11119bf4e1da68527fb78991260

  • memory/4012-12-0x00000000015F0000-0x00000000015F1000-memory.dmp

    Filesize

    4KB

  • memory/4012-14-0x0000000000280000-0x0000000001532000-memory.dmp

    Filesize

    18.7MB

  • memory/4012-16-0x00000000015F0000-0x00000000015F1000-memory.dmp

    Filesize

    4KB

  • memory/4012-17-0x0000000000280000-0x0000000001532000-memory.dmp

    Filesize

    18.7MB

  • memory/5112-13-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB