Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

686f76c2a2...ca.exe

windows7-x64

7

686f76c2a2...ca.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    145s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/07/2024, 01:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    686f76c2a283db1cfdc79ed605c41c2ca1913f5d4f515643fc939395f80490ca.exe

  • Size

    1.9MB

  • MD5

    79d7dd4400288279ece780e707a911ac

  • SHA1

    40a0ac3d2ff4534ca9282ea1684dec6ab60779e9

  • SHA256

    686f76c2a283db1cfdc79ed605c41c2ca1913f5d4f515643fc939395f80490ca

  • SHA512

    c7eb3c5fbbe576645caeba85be887d3bc267445188561e70401e88f791c355184fb218fd38b3d4b2019d57ab0e1fc8a5ab9a362ab6b94ca1fe8136427ef5078a

  • SSDEEP

    24576:2TbBv5rUyXVcVJZE3O6g58ZPND7ugL+m8GTmm3MYG+rnmq9LRosKjkPSrKu0v1wR:IBJcmOGug7VTcT4mCRocSNdR

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\686f76c2a283db1cfdc79ed605c41c2ca1913f5d4f515643fc939395f80490ca.exe
    "C:\Users\Admin\AppData\Local\Temp\686f76c2a283db1cfdc79ed605c41c2ca1913f5d4f515643fc939395f80490ca.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:780
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\componentbrokernet\8TuIVkBC8udAUaP0Rc2MpVeb7zFdLU6vNcbxXlVW8.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3956
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\componentbrokernet\mL3g.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:792
        • C:\componentbrokernet\BridgeBlockContainerRuntime.exe
          "C:\componentbrokernet/BridgeBlockContainerRuntime.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1416
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dyQsgeeECJ.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2724
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
                PID:4224
              • C:\Windows\system32\PING.EXE
                ping -n 10 localhost
                6⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4964
              • C:\Recovery\WindowsRE\RuntimeBroker.exe
                "C:\Recovery\WindowsRE\RuntimeBroker.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                PID:4372

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\dyQsgeeECJ.bat
      Filesize

      167B

      MD5

      782ff630a78779dcdbb04b6bf40d996e

      SHA1

      fa3bc673261f6c665fab020da861e67426a0a07d

      SHA256

      cd410de810b3744392bb5a97c6f394b1f645652af533e4acc85908a8175dbcaf

      SHA512

      830f3be33999627ee4e73c8f24d5b4548bc3d17e6331be9dbed992da62e0040809995736402ac4faa6e33caafee5bf56acb39b845027f4069b2667f3224e506a

      Download Submit

    • C:\componentbrokernet\8TuIVkBC8udAUaP0Rc2MpVeb7zFdLU6vNcbxXlVW8.vbe
      Filesize

      200B

      MD5

      25df5f3232c0133e1faaf48085b264d7

      SHA1

      03560488b8aa802ae3665b9bf9ca4436f1065933

      SHA256

      4c9439f92cc3953f454c8bc58271edc9cadeda8610952c9e67f786c192bda5d9

      SHA512

      ac2102fe76c14db3eca1044d8d38bc7722b1e59731dd88b6c23fde3458db54d0eb3e76ad42e267d0953e4fd8938887fa1de84fa9f00c6ad4df3fc4b7fb1543ba

      Download Submit

    • C:\componentbrokernet\BridgeBlockContainerRuntime.exe
      Filesize

      1.6MB

      MD5

      0c240a7d7bc13d6d2891cb5214a2d006

      SHA1

      5ba479c284ca1df322ca13cb760320a2378e3c65

      SHA256

      5b0082b78172c0ea4274c777a3d5b94e568523e79d2fc897d122a0474f6dd52d

      SHA512

      81bf288c882abf9480c033494c79b62e5ab856f11e9284ab4e4f1f98b094ad0a3cc5fe2be70578591e04932df855d15f6d2bbb2562592800be7926669e8e87ee

      Download Submit

    • C:\componentbrokernet\mL3g.bat
      Filesize

      104B

      MD5

      619e812e9a3821ada2f1158d6524323c

      SHA1

      9b0c8ef31e5ab144718e1400773120e32353e098

      SHA256

      68d4338917dd4dd49ecf9d6171aef03f49ffa9c4320f46cc01a3208f2ba5377e

      SHA512

      ccd05ecd1598ed7bbb85a28c9594f5d0521dd0d792c9f6ad17a87fd9192c07afdf8c212ac7ab180e149ebfbb19fc51d48753a097c1acf1385ee131e4bfdfa783

      Download Submit

    • memory/1416-12-0x00007FFDA28D3000-0x00007FFDA28D5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1416-13-0x00000000002A0000-0x000000000043A000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1416-15-0x000000001B040000-0x000000001B048000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4372-37-0x000000001C100000-0x000000001C16B000-memory.dmp

      Filesize

      428KB

      Download