Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

6

Static

static

3

BPSGUwLrgDqB.exe

windows7-x64

6

BPSGUwLrgDqB.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    204s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    20/08/2024, 15:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BPSGUwLrgDqB.exe

  • Size

    1.4MB

  • MD5

    025c9c1d81a59636b571bdeb5771e88b

  • SHA1

    1699b594612cb29084c10117dc17762ee94c2f78

  • SHA256

    d16f4df6d0a0b0993748bd01ffd6f4ef8bdf1a57399f4310583986b9fbf0be40

  • SHA512

    06fda7f365306f717cf328d56f4be0c8ee5f3752dc09d2d2dcaabdf225bed13e7a02478543aedb01cec47ea39d8d59a85939515066dadc37e951ec3c95c93139

  • SSDEEP

    24576:iJgvkMzSYAM9YSlbczEpQizftQDc06WogeOfQr0W:itMzLAVStcdiTgFoR2A0W

Score
6/10
discovery

Malware Config

Signatures

  • Drops desktop.ini file(s) 7 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 9 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\BPSGUwLrgDqB.exe
    "C:\Users\Admin\AppData\Local\Temp\BPSGUwLrgDqB.exe"
    1⤵
      PID:2536
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      1⤵
        PID:2248
      • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
        "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
        1⤵
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:716
        • C:\Program Files (x86)\Windows Media Player\wmpshare.exe
          "C:\Program Files (x86)\Windows Media Player\wmpshare.exe"
          2⤵
          • System Location Discovery: System Language Discovery
          PID:328
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:2996
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe"
          2⤵
          • Checks processor information in registry
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:3012
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3012.0.1410138331\604192006" -parentBuildID 20221007134813 -prefsHandle 1232 -prefMapHandle 1144 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {86e17afe-9e3b-4e9f-b0e0-cbd1938b811b} 3012 "\\.\pipe\gecko-crash-server-pipe.3012" 1344 43ddc58 gpu
            3⤵
              PID:1760
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3012.1.2520605\827461754" -parentBuildID 20221007134813 -prefsHandle 1480 -prefMapHandle 1476 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {11a506f9-1098-45b1-85cb-c7dda54364cf} 3012 "\\.\pipe\gecko-crash-server-pipe.3012" 1492 d72b58 socket
              3⤵
              • Checks processor information in registry
              PID:2880
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3012.2.674371520\1629182619" -childID 1 -isForBrowser -prefsHandle 2104 -prefMapHandle 2100 -prefsLen 20966 -prefMapSize 233444 -jsInitHandle 832 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {825e3bdb-a23a-47c8-bbd3-e92b730d6133} 3012 "\\.\pipe\gecko-crash-server-pipe.3012" 2116 435eb58 tab
              3⤵
                PID:1964
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3012.3.197845192\533471775" -childID 2 -isForBrowser -prefsHandle 2444 -prefMapHandle 2440 -prefsLen 26151 -prefMapSize 233444 -jsInitHandle 832 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f964e39-c2b9-4d00-900c-0acecaf7446d} 3012 "\\.\pipe\gecko-crash-server-pipe.3012" 2456 17e68558 tab
                3⤵
                  PID:276
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3012.4.1947638184\914428633" -childID 3 -isForBrowser -prefsHandle 2580 -prefMapHandle 2576 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 832 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2470f89e-6bdd-450e-aa5e-8e9fbe7e3074} 3012 "\\.\pipe\gecko-crash-server-pipe.3012" 2592 1c7bc558 tab
                  3⤵
                    PID:1524
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3012.5.1045710828\714498925" -childID 4 -isForBrowser -prefsHandle 3760 -prefMapHandle 3852 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 832 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1b9c307-d571-4846-9b5b-72610b88cca7} 3012 "\\.\pipe\gecko-crash-server-pipe.3012" 3872 1eef3c58 tab
                    3⤵
                      PID:2636
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3012.6.1046326875\1687281140" -childID 5 -isForBrowser -prefsHandle 3984 -prefMapHandle 3988 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 832 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {540d2fee-7475-4ee1-8905-04b1336a0caf} 3012 "\\.\pipe\gecko-crash-server-pipe.3012" 3972 1eef1e58 tab
                      3⤵
                        PID:1620
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3012.7.1846474700\1262293955" -childID 6 -isForBrowser -prefsHandle 4164 -prefMapHandle 4168 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 832 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b6e0b09-afdf-4e84-80cd-75ec4a588036} 3012 "\\.\pipe\gecko-crash-server-pipe.3012" 4152 1eef1b58 tab
                        3⤵
                          PID:2696
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3012.8.2064974969\1618670485" -childID 7 -isForBrowser -prefsHandle 4512 -prefMapHandle 4516 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 832 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {de9ca10c-cbd1-49c5-9950-7e806c255802} 3012 "\\.\pipe\gecko-crash-server-pipe.3012" 4496 239da158 tab
                          3⤵
                            PID:1740

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\{7D375758-C9F2-48C0-973F-4C267C6311CD}.jpg
                        Filesize

                        22KB

                        MD5

                        35e787587cd3fa8ed360036c9fca3df2

                        SHA1

                        84c76a25c6fe336f6559c033917a4c327279886d

                        SHA256

                        98c49a68ee578e10947209ebc17c0ad188ed39c7d0c91a2b505f317259c0c9b2

                        SHA512

                        aeec3eed5a52670f4cc35935005bb04bb435964a1975e489b8e101adfbce278142fd1a6c475860b7ccb414afe5e24613361a66d92f457937de9b21a7a112e1f9

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\{F1071AF1-3CB7-4932-B4EF-BB2B28D9C224}.jpg
                        Filesize

                        23KB

                        MD5

                        fd5fd28e41676618aac733b243ad54db

                        SHA1

                        b2d69ad6a2e22c30ef1806ac4f990790c3b44763

                        SHA256

                        a26544648ef8ceffad6c789a3677031be3c515918627d7c8f8e0587d3033c431

                        SHA512

                        4c32623796679be7066b719f231d08d24341784ecfd5d6461e8140379f5b394216e446865df56e05b5f1e36962c9d34d2b5041275366aeabcd606f4536217fe4

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\activity-stream.discovery_stream.json.tmp
                        Filesize

                        34KB

                        MD5

                        898cde6c2a747903682477871576da2a

                        SHA1

                        1b3aee6f0d1dbcff10b82520156a26c1bc295da5

                        SHA256

                        5724e14d1646ac93d92ae6e068dd05624e3b18fe333ce0d58fcf84b2c5387c58

                        SHA512

                        0c56a6b43333d0b480e8315eca78e52142d9deb3e6c15c96dca6f6b4cd5346c836fce2e4c44a0b7395c8db6c3d600a400b1b6340e091d0c3328926fbf679aaaa

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\datareporting\glean\pending_pings\14bf525e-4ce2-4d92-a561-39ed7a5bcdfb
                        Filesize

                        10KB

                        MD5

                        12746066f02f715b745dd11b8f09147a

                        SHA1

                        f3e205ae3d92eb610411eb687173e5f9e1e96f5e

                        SHA256

                        6e352a014e49105d6e3c35ba300c3315e7bd34039194fe73e1baeaf6c4cb1920

                        SHA512

                        13b01584f4e3d071fe73b70ec62adeaf01ff2f188b3e66e1a34d34d68249c259eb8b4ac4503b0eaa0e9b4aed4d365a5e9c8a3ad242d0559dc62022e3d1eedcb2

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\datareporting\glean\pending_pings\edfb544b-82de-45e6-94c0-02aaaf9814c5
                        Filesize

                        745B

                        MD5

                        83d59416dd4ed2a0337e8b156700da1e

                        SHA1

                        a63402e0487de1f5fc49c76f60650936702361d8

                        SHA256

                        8f0bc070d913c630dc94ac44d65864024dbf47eb7c6a13a2fe614f974af8c4af

                        SHA512

                        fdc77f7d38b07fc192bd38c6c6e7bfd3801769618a9205a7138a21d62d04f28bf5bdfa8406250e54b57d6182f9238487c3e4aa54fcc96ab71bc57a0bd10ca192

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\prefs-1.js
                        Filesize

                        6KB

                        MD5

                        d1f6387d981a18620ab34af3ec93d917

                        SHA1

                        5bf9dd059f939c91f98c203cdd0ae1b428b4497b

                        SHA256

                        4abe4ef07a4fd82281e314db65f443fc25a1058c5ff691ae99767add4f879cd0

                        SHA512

                        2d1983cea2ed0ae74dd240e5223f404573585297b66136fd2e77feacea79558c6120a6742869349f714e7c0fcb696fa83d3a601b1bf78de3b6115aec4223adda

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\prefs-1.js
                        Filesize

                        6KB

                        MD5

                        c1ce8acb92dc382cacf18e7acd542f76

                        SHA1

                        5e8befca4f68cdd2025d9bc06489d1ef047e26d3

                        SHA256

                        91a15c2bf762529f563dae3df3f6e92ecf5e3d909b7465c750feceac3a9a07a5

                        SHA512

                        cdfb027c9983425c92745c5b0dcc680b22435d8acce84ad77330ce5a37d7c565f418632a99a9a48bb67c64c9fb73eb3ce18a9027a16ead97a35ce3a1ce42173a

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        4KB

                        MD5

                        3da5ed2d4d43b2bcb59b6706021a6b18

                        SHA1

                        2b3b356b4f77701a8fa5410c4f7dc160e5935273

                        SHA256

                        18a37b456bf672adc0ec0f18d0cded6f0ce7732c162074c99da792d3c0dc80da

                        SHA512

                        e80c6b04cf0f4aa933c65e2cbab50c4d75b94715313ac344f7be241c0e27dd3a39016f8f3e996c9e5eeaa85b70e4fca656d994e211c896e91f2c61d110501d9d

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        3KB

                        MD5

                        b0a2b3db5ebb05c93087499e97c008ef

                        SHA1

                        d663881a4be231f49fda0bc3519dfe328f5c2119

                        SHA256

                        a0b4ee187be414926b26e2224638e3c187e72764776b4f19fa617ab2fe8cb545

                        SHA512

                        eb7bc6c1c5e15e2148a4fc749f3af0d7cdb796ae839dd01f12cf714d3fc88fa092ec770908289d13d837ba02eb4860d3ba038a8b872c7544a3067a6dc8241ac8

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\sessionstore.jsonlz4
                        Filesize

                        4KB

                        MD5

                        485a96ba28b733f6e58fdc21f7233571

                        SHA1

                        1a33d20e9b7d36d5880141e2a88bb0131912222c

                        SHA256

                        a8ba2509254a3b3123a5784136c659d78efd37a791b3ec09c0c3e740907c09a8

                        SHA512

                        d8dd55ee85d5a6cd08939008b9dffa3fea59b6c5dfc1a1aebd2df06905b8097ebd0772eff720158c1115c64b0e6b3dc17b7973de795e9aebd702e94abb1ae007

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                        Filesize

                        184KB

                        MD5

                        8b08d5db6115eeac9f905d9b0172511e

                        SHA1

                        ad7caa6a41b3a137ba79fe9397dbc5edf3dc6476

                        SHA256

                        68621fcf5df083821c4c1e37d648f6df5cc7ee1bec440037eb5d2e09bb6b50bf

                        SHA512

                        b20d42a7f0e0bd95b15cc1882969a8d842ce37bd322d3385f538df6e0f1a7fffcdc8b39eff96c9dd3463327bd4bd13667aea29b3cd3910d64b599eb6cc166173

                        Download Submit

                      • C:\Users\Public\Music\Sample Music\AlbumArt_{5FA05D35-A682-4AF6-96F7-0773E42D4D16}_Large.jpg
                        Filesize

                        32KB

                        MD5

                        84bba83cfbc0233517407678bb842686

                        SHA1

                        1c617de788de380d28c52dc733ad580c3745a1c1

                        SHA256

                        6ecf98adb3cd0931ec803f3a56a9563c7d60bb86ec1886b21e3d0f7eb25198d9

                        SHA512

                        a6a80c00a28c43c1c427018e6fb6dac4682d299d2f50202f520af0b1bca803546c850f04094ed2f532ff8775f6d45f2a40e4f5e069937bcaa0326a80bd818e0e

                        Download Submit

                      • memory/716-2-0x0000000000150000-0x0000000000151000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/716-188-0x0000000000150000-0x0000000000151000-memory.dmp

                        Filesize

                        4KB

                        Download