Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
01/06/2024, 00:02
Static task
static1
Behavioral task
behavioral1
Sample
8572a8f4e9f1b4d6655a12f761558adf04ec5086d8d5304052cc9aa041186d32.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
8572a8f4e9f1b4d6655a12f761558adf04ec5086d8d5304052cc9aa041186d32.exe
Resource
win10v2004-20240508-en
General
-
Target
8572a8f4e9f1b4d6655a12f761558adf04ec5086d8d5304052cc9aa041186d32.exe
-
Size
92KB
-
MD5
984add71480cf5c831bc05a06e650f18
-
SHA1
f1efb5c08c2d43aefcc0bfe5535eea6ba3821b63
-
SHA256
8572a8f4e9f1b4d6655a12f761558adf04ec5086d8d5304052cc9aa041186d32
-
SHA512
b644cf72c7f8ee18d81fdaa4b3088d30658e03931d26b28ec468c33067324671eb1347aea2125aaabfaf5fa7846797848877dcb667af438a493de63b81578cf7
-
SSDEEP
1536:1MIPgEm56wnbkKC2ZyBJU066lwLCRVEB+nR/y8cmNrEIviCOzuajkrDl9HNSi:11PgEOng1d66jRVa+n4NmNNouukrD7HI
Malware Config
Signatures
-
Detects executables containing base64 encoded User Agent 4 IoCs
resource yara_rule behavioral2/memory/2172-12-0x0000000010000000-0x0000000010022000-memory.dmp INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent behavioral2/memory/2172-13-0x0000000010000000-0x0000000010022000-memory.dmp INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent behavioral2/memory/2172-15-0x0000000010000000-0x0000000010022000-memory.dmp INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent behavioral2/memory/2172-17-0x0000000010000000-0x0000000010022000-memory.dmp INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent -
UPX dump on OEP (original entry point) 6 IoCs
resource yara_rule behavioral2/memory/324-9-0x0000000000400000-0x0000000000428000-memory.dmp UPX behavioral2/files/0x0002000000022a48-10.dat UPX behavioral2/memory/2172-12-0x0000000010000000-0x0000000010022000-memory.dmp UPX behavioral2/memory/2172-13-0x0000000010000000-0x0000000010022000-memory.dmp UPX behavioral2/memory/2172-15-0x0000000010000000-0x0000000010022000-memory.dmp UPX behavioral2/memory/2172-17-0x0000000010000000-0x0000000010022000-memory.dmp UPX -
Blocklisted process makes network request 8 IoCs
flow pid Process 24 2172 rundll32.exe 31 2172 rundll32.exe 32 2172 rundll32.exe 33 2172 rundll32.exe 44 2172 rundll32.exe 47 2172 rundll32.exe 55 2172 rundll32.exe 74 2172 rundll32.exe -
Deletes itself 1 IoCs
pid Process 324 tmjiubotb.exe -
Executes dropped EXE 1 IoCs
pid Process 324 tmjiubotb.exe -
Loads dropped DLL 1 IoCs
pid Process 2172 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/files/0x0002000000022a48-10.dat upx behavioral2/memory/2172-12-0x0000000010000000-0x0000000010022000-memory.dmp upx behavioral2/memory/2172-13-0x0000000010000000-0x0000000010022000-memory.dmp upx behavioral2/memory/2172-15-0x0000000010000000-0x0000000010022000-memory.dmp upx behavioral2/memory/2172-17-0x0000000010000000-0x0000000010022000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\lnonl\\wboaa.baw\",crc32" rundll32.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\a: rundll32.exe File opened (read-only) \??\e: rundll32.exe File opened (read-only) \??\i: rundll32.exe File opened (read-only) \??\r: rundll32.exe File opened (read-only) \??\t: rundll32.exe File opened (read-only) \??\h: rundll32.exe File opened (read-only) \??\j: rundll32.exe File opened (read-only) \??\o: rundll32.exe File opened (read-only) \??\s: rundll32.exe File opened (read-only) \??\y: rundll32.exe File opened (read-only) \??\x: rundll32.exe File opened (read-only) \??\b: rundll32.exe File opened (read-only) \??\n: rundll32.exe File opened (read-only) \??\q: rundll32.exe File opened (read-only) \??\u: rundll32.exe File opened (read-only) \??\w: rundll32.exe File opened (read-only) \??\v: rundll32.exe File opened (read-only) \??\z: rundll32.exe File opened (read-only) \??\g: rundll32.exe File opened (read-only) \??\k: rundll32.exe File opened (read-only) \??\l: rundll32.exe File opened (read-only) \??\m: rundll32.exe File opened (read-only) \??\p: rundll32.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 rundll32.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe -
Kills process with taskkill 1 IoCs
pid Process 4556 taskkill.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 3884 PING.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2172 rundll32.exe 2172 rundll32.exe 2172 rundll32.exe 2172 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2172 rundll32.exe Token: SeDebugPrivilege 4556 taskkill.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 4856 8572a8f4e9f1b4d6655a12f761558adf04ec5086d8d5304052cc9aa041186d32.exe 324 tmjiubotb.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 4856 wrote to memory of 2292 4856 8572a8f4e9f1b4d6655a12f761558adf04ec5086d8d5304052cc9aa041186d32.exe 90 PID 4856 wrote to memory of 2292 4856 8572a8f4e9f1b4d6655a12f761558adf04ec5086d8d5304052cc9aa041186d32.exe 90 PID 4856 wrote to memory of 2292 4856 8572a8f4e9f1b4d6655a12f761558adf04ec5086d8d5304052cc9aa041186d32.exe 90 PID 2292 wrote to memory of 3884 2292 cmd.exe 92 PID 2292 wrote to memory of 3884 2292 cmd.exe 92 PID 2292 wrote to memory of 3884 2292 cmd.exe 92 PID 2292 wrote to memory of 324 2292 cmd.exe 96 PID 2292 wrote to memory of 324 2292 cmd.exe 96 PID 2292 wrote to memory of 324 2292 cmd.exe 96 PID 324 wrote to memory of 2172 324 tmjiubotb.exe 97 PID 324 wrote to memory of 2172 324 tmjiubotb.exe 97 PID 324 wrote to memory of 2172 324 tmjiubotb.exe 97 PID 2172 wrote to memory of 4556 2172 rundll32.exe 98 PID 2172 wrote to memory of 4556 2172 rundll32.exe 98 PID 2172 wrote to memory of 4556 2172 rundll32.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\8572a8f4e9f1b4d6655a12f761558adf04ec5086d8d5304052cc9aa041186d32.exe"C:\Users\Admin\AppData\Local\Temp\8572a8f4e9f1b4d6655a12f761558adf04ec5086d8d5304052cc9aa041186d32.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\tmjiubotb.exe "C:\Users\Admin\AppData\Local\Temp\8572a8f4e9f1b4d6655a12f761558adf04ec5086d8d5304052cc9aa041186d32.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- Runs ping.exe
PID:3884
-
-
C:\Users\Admin\AppData\Local\Temp\tmjiubotb.exeC:\Users\Admin\AppData\Local\Temp\\tmjiubotb.exe "C:\Users\Admin\AppData\Local\Temp\8572a8f4e9f1b4d6655a12f761558adf04ec5086d8d5304052cc9aa041186d32.exe"3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:324 -
\??\c:\windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.exe "c:\lnonl\wboaa.baw",crc32 C:\Users\Admin\AppData\Local\Temp\tmjiubotb.exe4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\windows\SysWOW64\taskkill.exetaskkill /f /im attrib.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4556
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4000 /prefetch:81⤵PID:4856
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
92KB
MD5b5496dd6ea7d9decc892866acdbd989a
SHA1e250e7aa4af3f08ba9f81d48d91ea3659c047021
SHA2566c3c136541edcb861345a783968d0d042352f0400b1890650ddac3e57720c458
SHA512bee3117cd11adb1fd52f7bc737a1134cfef27a8a25a4dd79ada7eb9e460e7b34e0e07b818e9678e9148ad72ccbe2c10e3d3ca3ae9c76525dc061f2d01fb6aedc
-
Filesize
57KB
MD52f53f49e01f09d6e6064871eec1955cd
SHA1a6e1a6e5c2080d0fb2f7a872e3902a8a4a1a9b5f
SHA256964e4dd2532d540bb61d3c7ccc833f2358d8cd6b2eabc3a2d51183a18b59f82d
SHA5122cb98030c3df7417c04f796f78f23f96d381871d9c7ae4a14116764e915b2e2f56b9b3a6fb76fedc50a17788de9538fc7954a7b73bf17e4be43e1fc1a06bc218