Analysis
-
max time kernel
146s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags
arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
submitted
27/07/2024, 02:07
Static task
static1
Behavioral task
behavioral1
Sample
7159d67905db8bd72ffa7889a805afa9.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
7159d67905db8bd72ffa7889a805afa9.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral3
Sample
$TEMP/BetterInstaller.exe
Resource
win7-20240704-en
Behavioral task
behavioral4
Sample
$TEMP/BetterInstaller.exe
Resource
win10v2004-20240709-en
General
-
Target
7159d67905db8bd72ffa7889a805afa9.exe
-
Size
154KB
-
MD5
7159d67905db8bd72ffa7889a805afa9
-
SHA1
5d9c6a3ce820918978852f042d81600429b0f0a1
-
SHA256
d68d39f6e8e3feb76604def44b3e6b84b1e12898973bb706bc973d5acfb313f3
-
SHA512
7a5f69139edfd8eb2be8abdc42e8a24438f91a6b4960279fa4ad5036ec0a0515324af7c1a4ddd24e3d0aea45fc779ae4236905ca908270f7630cc3c000e0184e
-
SSDEEP
3072:y22ihA0m3BJP0A0v5CiJBqkp3O88VCca/VDILzRyTjZzb:tA0m3D0AUkkp1BI4nhb
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process
5056 BetterInstaller.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7159d67905db8bd72ffa7889a805afa9.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BetterInstaller.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
5056 BetterInstaller.exe
5056 BetterInstaller.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target
PID 4248 wrote to memory of 5056 4248 7159d67905db8bd72ffa7889a805afa9.exe 87
PID 4248 wrote to memory of 5056 4248 7159d67905db8bd72ffa7889a805afa9.exe 87
PID 4248 wrote to memory of 5056 4248 7159d67905db8bd72ffa7889a805afa9.exe 87
Processes
-
Path
C:\Users\Admin\AppData\Local\Temp\7159d67905db8bd72ffa7889a805afa9.exe
Command line
"C:\Users\Admin\AppData\Local\Temp\7159d67905db8bd72ffa7889a805afa9.exe"
Tree depth
1
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4248 -
Path
C:\Users\Admin\AppData\Local\Temp\BetterInstaller.exe
Command line
"C:\Users\Admin\AppData\Local\Temp\BetterInstaller.exe" /affid "imagebadgerroox" /id "imagebadgercbnc" /name "ImageBadger"
Tree depth
2 (child of PID 4248)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5056
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
207KB
MD5
d79b88bab3231ebebd3c6505ab68ce56
SHA1
3222e8dab740ba1d640cc66a9cd36070969deb80
SHA256
d4032354c8ca3b93fd18414d6a7935bcecb18f25534b2259eeaf7d3081ec13ec
SHA512
b8afbd52e74d8611714a33bd80a907be8080195bd574ceb0aa8ce44520c9cf6c40ccce4a4db9be0808b8b5a6b7b0fee17ee42f9cca67d69152dd1f1d8ddd99a9
-
Filesize
98B
MD5
1c7a095b75ef7849dc48ad7b05b36af4
SHA1
a5614e1f80ad0776264acec3b35a3e0326aa1d1a
SHA256
7ed5c42e304cb13c36d8853f85fa804f41ae4052e847ecc2011dab6ff6426f08
SHA512
51c46fe4e30cbe4157d8b8bf8be67a154af2a546af42971f68d2d185c30c1b4c1ae540658e0ca0a24bae1baeeb0ddd0e3ddf3773de58a21eedfb318dd6523e49