Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
08/08/2024, 10:26
Behavioral task
behavioral1
Sample
cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe
Resource
win10v2004-20240802-en
General
-
Target
cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe
-
Size
1.9MB
-
MD5
863d307dd132c2a7502946280257e058
-
SHA1
f7ec3a87c5e4cb87ec39e1b62b741b8e45eab1ba
-
SHA256
cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8
-
SHA512
1575d8c638038a4ae3b46913e874f3c4a50a45f1de1cc4527afb7853b0e683d336ecf879198c41add1f7c59056c59892754603317bc1dcd2e6d3287105d5f862
-
SSDEEP
49152:E6tTHSd+IGgCNiJrAVja0W0iVwZJOorqGW:E8q+I6NQrS80iVwTjr7W
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 4148 Bugreport-1310826.dll -
Loads dropped DLL 1 IoCs
pid Process 1212 cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe -
resource yara_rule behavioral2/memory/1212-0-0x0000000000400000-0x00000000008EF200-memory.dmp upx behavioral2/memory/1212-33-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral2/memory/1212-17-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral2/memory/1212-41-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral2/memory/1212-49-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral2/memory/1212-52-0x0000000002DF0000-0x0000000002E62000-memory.dmp upx behavioral2/memory/1212-51-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral2/memory/1212-45-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral2/memory/1212-39-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral2/memory/1212-37-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral2/memory/1212-35-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral2/memory/1212-31-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral2/memory/1212-29-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral2/memory/1212-28-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral2/memory/1212-26-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral2/memory/1212-50-0x0000000002DF0000-0x0000000002E62000-memory.dmp upx behavioral2/memory/1212-23-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral2/memory/1212-21-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral2/memory/1212-19-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral2/memory/1212-15-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral2/memory/1212-13-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral2/memory/1212-47-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral2/memory/1212-11-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral2/memory/1212-43-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral2/memory/1212-9-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral2/memory/1212-8-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral2/memory/1212-7-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral2/memory/1212-6-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral2/memory/1212-55-0x0000000000400000-0x00000000008EF200-memory.dmp upx behavioral2/memory/1212-56-0x0000000000400000-0x00000000008EF200-memory.dmp upx behavioral2/memory/1212-58-0x0000000010000000-0x000000001003F000-memory.dmp upx behavioral2/memory/1212-59-0x0000000002DF0000-0x0000000002E62000-memory.dmp upx behavioral2/files/0x00070000000234ba-66.dat upx behavioral2/memory/1212-67-0x0000000000400000-0x00000000008EF200-memory.dmp upx behavioral2/memory/4148-69-0x0000000000400000-0x0000000000442200-memory.dmp upx behavioral2/memory/4148-87-0x0000000000400000-0x0000000000442200-memory.dmp upx behavioral2/memory/1212-180-0x0000000000400000-0x00000000008EF200-memory.dmp upx behavioral2/memory/1212-276-0x0000000000400000-0x00000000008EF200-memory.dmp upx behavioral2/memory/1212-286-0x0000000000400000-0x00000000008EF200-memory.dmp upx -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bugreport-1310826.dll -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1212 cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe 1212 cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe 1212 cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe 1212 cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 1212 cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe 1212 cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe 1212 cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe 1212 cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe 1212 cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe 1212 cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe 4148 Bugreport-1310826.dll -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1212 wrote to memory of 4148 1212 cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe 88 PID 1212 wrote to memory of 4148 1212 cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe 88 PID 1212 wrote to memory of 4148 1212 cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe"C:\Users\Admin\AppData\Local\Temp\cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe"1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Users\Admin\AppData\Local\Temp\data\Bugreport-1310826.dllC:\Users\Admin\AppData\Local\Temp\data\Bugreport-1310826.dll Bugreport %E9%AA%A8%E5%A4%B4QQ%E9%99%8C%E7%94%9F%E7%A9%BA%E9%97%B4%E7%95%99%E7%97%95%E8%B5%9E%202⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4148
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
82KB
MD5b03a141036cb4e2bb0b5501e3f95fd8d
SHA1cbc5a9a10b75ad292fd11ddd8a865987e710429e
SHA2566a40fdde989da032b7fcf575184907ef04cf145ae132ee8bd973628121d77f94
SHA51233a544c10919b9a4f016735b3a3f8659281fa06fb0da7a91ede0bb12c52c28ed58b605ae98cba469bd0bfc67b02692fbb49c7d1ba0a7dba4e4df380e036705b6
-
Filesize
114B
MD50ff667932e31a9fbc36cf42807c3ee83
SHA1e34531ce173b11c340986720c858ab4383af93b9
SHA256f5f723c76d0c7fe4916ef33ffd62621e88cd83a2331ce3c178c3e05ace70288d
SHA5124cfdb31cb3589b6105493997e7dda37c50f6f3f650207647e9af0c5bfd13e28c854f43ac79565b799d732d49effc649283cd5a14c14962a3456d3b19693f3564
-
Filesize
133B
MD52ed5b8cb96f07059db005a7d2330c068
SHA1f522e9e21ba6ea2eed1cb126eeeec3081619dc3b
SHA2568b07da021071c82a55287184a611ae758aa87c5ad28246f6c37c85485595de5d
SHA512e8683b7d16ae160a377e902392b9ce1ee7e66e06b3250cd30dffaa80803453e4bebf90db6b5035cb8521446e3fe676745b6c73b759895db0d5e07da628c601bd
-
Filesize
548B
MD5c86b5d4573b5033f5aa44e574219923d
SHA1e69d2a26235abbbfd483910e9a4064042a12fa96
SHA2560563973d5e68d56173f00d7b07defcab4ba648424d7a200db1fa230f7be10783
SHA512d36784361b0ff4b7685081b30a4344ec3a38c4e9ebe8b17d18be176c94319328900e48901ca9b55dc63b5eaca949c9c35d09e84e032e0e0f7cd6a26c49b5801e
-
Filesize
724KB
MD5a96fbd5e66b31f3d816ad80f623e9bd9
SHA14eda42260bd3eb930cd4eafd7d15c6af367bcf18
SHA2562e67ba278646fde95bb614dcbcc7da1c6bf7976c918b2c6ad3d78640000326f3
SHA51243921107313775ea14b1bd33cf758c13798f4fa1c1074771c1c96b1b43b98f3416d249ed8ab3171383772d0054829c3754a91b5e94135f1df6d67a76f599c80e