Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
193s -
max time network
210s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
30/06/2024, 01:58
General
-
Target
BORAT-main.zip
-
Size
13.8MB
-
MD5
3b9307e06439febe3e03944137d080d0
-
SHA1
47b2616ae3fe2354829891a92742749bbcf913c0
-
SHA256
e9937032474f980b76234ad658d7f7dcbdbfc7104fa33fad4acc2e159f5e3e5b
-
SHA512
2c66d6e271b86ecd3174ccc9f2dad3343624308b0c92e2c6a74da45f7caaaafb28696c5df5229be5d6feb31bac7f9be41e26a0ba7b836ae02d54af6379c3cb2c
-
SSDEEP
393216:yHsoma5HAgeaAMEnayaSaBUeCsz/qbIzp6vZ+K:+xanHcUej/qbaGH
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
NTFS ADS 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\BORAT-main.zip1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.0.2043451625\180226375" -parentBuildID 20221007134813 -prefsHandle 1672 -prefMapHandle 1660 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {25297acc-0fa0-4f47-9bb2-046fbd360509} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 1764 1c151eeb858 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.1.1436521861\1861474563" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e16fff8-58bf-42c7-a96f-9e826d930bd0} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 2120 1c13fc70d58 socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.2.808709140\1987469792" -childID 1 -isForBrowser -prefsHandle 2780 -prefMapHandle 2888 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a95a245-7b01-4116-b08e-b814b7b25ad2} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 2860 1c151e5f458 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.3.844285158\672572658" -childID 2 -isForBrowser -prefsHandle 3436 -prefMapHandle 3432 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9ea93b1-0641-47e4-a564-1615a7d82c79} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 3428 1c154414558 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.4.4033760\2035757536" -childID 3 -isForBrowser -prefsHandle 4292 -prefMapHandle 4288 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {872c621e-0e85-4da0-807d-221b3e8cbe90} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 4304 1c157f7ec58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.5.948516969\250000007" -childID 4 -isForBrowser -prefsHandle 4848 -prefMapHandle 4844 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5510db5e-6799-43a2-8f7f-9b904751a9ad} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 4840 1c13fc60d58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.6.810934446\1294863115" -childID 5 -isForBrowser -prefsHandle 5000 -prefMapHandle 5004 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {67d00756-0603-495b-94e0-a21d842f154d} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 5084 1c1586d9458 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.7.1198715410\185748636" -childID 6 -isForBrowser -prefsHandle 5196 -prefMapHandle 5200 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3167c915-c02f-4373-9c42-4628674790c1} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 5280 1c15891e858 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.8.1066610317\1804715997" -parentBuildID 20221007134813 -prefsHandle 2628 -prefMapHandle 3076 -prefsLen 26328 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ece311a-7b8d-40f6-8ceb-4925652d2779} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 2916 1c159b62358 rdd3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.9.1186223032\1148136889" -childID 7 -isForBrowser -prefsHandle 2628 -prefMapHandle 1524 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e501bc7-9480-4ce7-b9bf-efbca94fe181} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 5748 1c159ce2e58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.10.780677955\1588418728" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 4424 -prefMapHandle 4368 -prefsLen 26503 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9074c453-da00-4dcc-a1f8-0cd16503ee95} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 4508 1c1595cc358 utility3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.11.782395412\986359368" -childID 8 -isForBrowser -prefsHandle 6212 -prefMapHandle 2564 -prefsLen 26808 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {efbd93d6-1b4d-4ec7-b78c-20e9537ec3c0} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 4088 1c13fc63558 tab3⤵
-
-
C:\Users\Admin\Downloads\winrar-x64-701.exe"C:\Users\Admin\Downloads\winrar-x64-701.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\BORAT-main\BORAT-main\" -an -ai#7zMap2357:116:7zEvent309001⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
57KB
MD5af28a826702c88c0ee9dcdf3d0c7753c
SHA19943aabcf38702f78d54b355259846bbe7b6c4ef
SHA256752bf69c5ad14469e2c7577be4e21db9c707523480793361d74e707bc3f0141f
SHA51270ccdefe480eeffb0c45d7777336951cc9ac7e367a8837448f90cdb9539add5373b4fb837e6a3e6d1f88e812a79064e0834bbd696cb1a762b53cbda045531fa1
-
Filesize
9KB
MD54fb6e1168e844e085084c8e4398b18d4
SHA1fd0bc0fd354db233f95b06a2fde14869321a8010
SHA256fa226fcfd614d064c45ddf2c8e45df060eb497d380ffd3be5a7d3c7e2e36b1f0
SHA51223be2eac62246718d114203f53f373e425a2a9e8bf12bdfa8db5f8b122cc0dbf40391422a73a98605d88cfad08929f4eb54d454aeaf68291d708ba98e6157fe8
-
Filesize
734B
MD54784f13fda4b00c1a6cdf012a7b7c26c
SHA1d9f55d066ff9b48349085589c17a3077b4c62bc1
SHA256881dd442186cb21e6249a55e60e4ce5009cb2a52135ea87698d8a4b3c9a23b46
SHA512f00c453297c157281a6937252c09ba2e1e1ab01f30241aeed2deb388c9a7d9cb3ef6147c3a08a0b2603f89a48aaf6542a08e112d1c6c67bf8b1abaaf91afc857
-
Filesize
6KB
MD5815afe68a49a0c2d333ce8d98a0dd9a9
SHA17666b3b265ca0a8e3cb068b5f34161986cb91c74
SHA2568f83c1b7e1d0de82136839760d9c5106751d61c25e02ea4bc2fadd326b466f4a
SHA512b0c64662be6a33b254d4318dc43f8beaa0a9ba9cbde60ccd8a37083ff7d0a32c2b7e444dbf4edb15ea721cbb10464dba95e54615145712693b3930c2136a5098
-
Filesize
6KB
MD58d0c5af86a699922accd266029077f8a
SHA14c8ce6ca1358307473da595eece2e02c5bcb1479
SHA256eb44ed6f051e7ad987057e119c5cd659003cfce1ad8fd8b8f3de969ced9325e7
SHA512d4ef45b3258d8fab4856a3fd548bcc119fe038ddbe006cbe7bff67acd539de2a3790726878a70bbe3fd924709bf9464b7d60d40eed774ba342d776c795539b9b
-
Filesize
6KB
MD5df7c2c8224613e6a6dd714d5d9fa247d
SHA1d6e0a108494ef7ab2756250c5df5cae8b3a994a7
SHA256ccab09bd3486976b4aa17b48e31bcaf8e6be365ea6605e168bf203d7e5b3e818
SHA512af1ff3b3a71e764ea507503637896f3dfe69d16e201b0be9bcf4c728700e1a30685028f6be57609fb685571c71baefb476103d96d8b7f034d492eb373ed33b0a
-
Filesize
6KB
MD5e22985b155334b67704a89731868c07a
SHA158b600462e5a119e4fc2b11afa55d8a687520217
SHA256cdfb80fe20dca809645b6ed50f81fbfde3335a7e8b7fafdbffd233fecbebece3
SHA5121c95c4940271139e2fb5358265820838d99463b4e86c9ac47c835de2422f40a0ec24fff3084983170d254e9242e8f3fe2aed544c54040e32ca88fd52fb6dd158
-
Filesize
8KB
MD5db15ad4796483d36a1e2ed715ecc7ae2
SHA1287ab33b278b0b5c388c4cbf9cd4db1bf6eb91a0
SHA256b9bdaf34b2af639edbee9602027a79b19f395dc6017ccda8e7ae4a8e6e093f9a
SHA5123195f224ba18f38653a567dec8f9b4740b50eb6a2916b45c673481e5a6f04f4c2339906e84ce1d38734d6746cf935e7ff39cdf56908ad4f5e3a6c8b9d371b2ed
-
Filesize
1KB
MD5a12a15a0bcd07c4529e86b8865ae8820
SHA10eb308fed7f03c5379075630e4835e64bf574cc6
SHA2563d032ee30aea8a08f492997d78a34aef7af860c68e84344319015bdd98e60e97
SHA512761f5808aaaaf27a84cea228c00ebe12a401d46eabbbf7af16d9c19cd2643f2c7673736f0716e393aac6842500ff4d733798806dde46296ecaed0013754dc8f3
-
Filesize
6KB
MD53ef652a3fcf0cfab650e99f906c6f47d
SHA1025ef16e27ed7c07e4dce4c6e403b7f052941a67
SHA256402bd0ea7242633fec2d743c841cf2b3156bfa38c38b0b2fddecfd9f4dda1192
SHA512c0e6e2b82eaf42f88cc906d95699814c10c0b8a5fa6202e4960aaa3fe4e8ea92e347da7a6d9de61a01ea6ea4a7dbb661679640ac0d9b5b8d0ce622de0bc55b49
-
Filesize
8KB
MD51881b96fef737cd6f117550bf1665560
SHA19c27dd92f10f1641477e4f0af512bc8968fc6d3c
SHA2563c15361bca2c7063e3baa466880b7e3b3f01cfba27cf1613d8e0470f6e273944
SHA512fd1885edaeef789cb05cabf2eb67801aa246cb2b82e67b1a81f36d134b60752970392d13c7ce20caed76d48e8c94bf25766be62a0441367da4dc7eaf75f7662f
-
Filesize
3KB
MD5bd62fd7d0347b02934ac3e356df9140b
SHA15ab94a2841a291c9a14b478de298871fbcd5020d
SHA256274d116873c532d3baa1044d1d06947d33d784a3940fb9c9e0fb04fc3c1fc8a6
SHA512ea22626d297cc61be9de5ade67647fafa7f673b4004a2933282e38baf6c23d599278949253c8817093613f1b51715795465f90fe1f046fff6d0924e61854ab26
-
Filesize
6KB
MD5f8d60af7fdd175c87123eafd2879e415
SHA14ce721ee3710af5517b0ce2aca22b40dec744c0e
SHA256da92015fd0b237ce695b89a847abe89dcda7166f1bf656d17c4d70f409486ce6
SHA51216c0e6809fac1438dfea3d8be8cd08347be2d4927156255b9104654db0e6b075cf13a8e1a42d78aa81ee02624450939a1e204c738d4f22e987996be94c92cc3d
-
Filesize
184KB
MD5e7d901ad03d22078f4c42ecc83c3bd45
SHA113ffe2ced2026e6b99c39a96d006c7832a72ba17
SHA256fddee54013f830a84e74dce5679f6e4c3c71b4c5c51ecdf58bcef7e27eba4f17
SHA5128e7373116183db845f03c74e28effbe85b53c6c109f0a1a867fc4daa2944c099846644c5b6ecfa6408091d097a08b3f1b8cedcbeffbdcfaa14147f6b76663ec9
-
Filesize
13.8MB
MD53b9307e06439febe3e03944137d080d0
SHA147b2616ae3fe2354829891a92742749bbcf913c0
SHA256e9937032474f980b76234ad658d7f7dcbdbfc7104fa33fad4acc2e159f5e3e5b
SHA5122c66d6e271b86ecd3174ccc9f2dad3343624308b0c92e2c6a74da45f7caaaafb28696c5df5229be5d6feb31bac7f9be41e26a0ba7b836ae02d54af6379c3cb2c
-
Filesize
14KB
MD5c950eeeb9c11bb4b8170340d98669c57
SHA13de218cd5389b5a5161b5242b651d673412ce12c
SHA256795dcc146bad17355974a538aac24acd99337b3a1ddad9fa5c9a891810c2ec92
SHA512d4723a169acf8b64ff15a42e1330ea5c0c06e8906a1d294bdef14b2b027cf911e0bd37bd029f5dd3aac86553feef571c02a2d11ede49101a98a68cc1cb305111
-
Filesize
3.7MB
MD53a2f16a044d8f6d2f9443dff6bd1c7d4
SHA148c6c0450af803b72a0caa7d5e3863c3f0240ef1
SHA25631f7ba37180f820313b2d32e76252344598409cb932109dd84a071cd58b64aa6
SHA51261daee2ce82c3b8e79f7598a79d72e337220ced7607e3ed878a3059ac03257542147dbd377e902cc95f04324e2fb7c5e07d1410f0a1815d5a05c5320e5715ef6