Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
576s -
max time network
595s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
22/08/2024, 15:26
Behavioral task
behavioral1
Sample
Run-Malware-1.bat
Resource
win10v2004-20240802-en
Behavioral task
behavioral2
Sample
Run-Malware-1.bat
Resource
win11-20240802-en
Behavioral task
behavioral3
Sample
f4d2c9470b322af29b9188a3a590cbe85bacb9cc8fcd7c2e94d82271ded3f659.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral4
Sample
f4d2c9470b322af29b9188a3a590cbe85bacb9cc8fcd7c2e94d82271ded3f659.dll
Resource
win11-20240802-en
General
-
Target
Run-Malware-1.bat
-
Size
88B
-
MD5
2ee06c41fd75f8fabd7453d3e1240a49
-
SHA1
02b77c02c6c55b6f40ffc409860c66fda803f39f
-
SHA256
68082405a1e0bdf0a6109a0a22f93677bb25b2aba804c77f2536a8090cf1e0d0
-
SHA512
354f4fb40ce5248a68ae8a6dfdabe9476970841de22b875788f8b8ec12b529bd702d18ca9f3a1e13412c68f67a3d7326b2c37fdfa5b63ceffbb3ea85682c204c
Malware Config
Extracted
warmcookie
72.5.43.29
-
mutex
a208f030-25f9-4f41-8b57-6b0b7ecccf29
-
user_agent
Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
Signatures
-
Warmcookie, Badspace
Warmcookie aka Badspace is a backdoor written in C++.
-
Blocklisted process makes network request 9 IoCs
flow pid Process 53 3528 rundll32.exe 61 3528 rundll32.exe 62 3528 rundll32.exe 63 3528 rundll32.exe 66 3528 rundll32.exe 69 3528 rundll32.exe 71 3528 rundll32.exe 72 3528 rundll32.exe 73 3528 rundll32.exe -
Loads dropped DLL 1 IoCs
pid Process 3528 rundll32.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\Tivix.job rundll32.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 4532 wrote to memory of 4712 4532 cmd.exe 90 PID 4532 wrote to memory of 4712 4532 cmd.exe 90
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Run-Malware-1.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:4532 -
C:\Windows\system32\rundll32.exerundll32.exe f4d2c9470b322af29b9188a3a590cbe85bacb9cc8fcd7c2e94d82271ded3f659.dll, Start2⤵
- Drops file in Windows directory
PID:4712
-
-
C:\Windows\system32\rundll32.exeC:\Windows\system32\rundll32.exe "C:\ProgramData\Tivix\Updater.dll",Start /u1⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:3528
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
155KB
MD57a799f4f9aa63745a75b901a392aff29
SHA1b9983463f637191ba12c2270ac52a547676a7037
SHA256f4d2c9470b322af29b9188a3a590cbe85bacb9cc8fcd7c2e94d82271ded3f659
SHA512e9eeb340dd620256d543ab43d08ccc23b555afa332c744c629fd8f40760f20a24e234955fc8d2e78a150f09028ca7a11650e0da157fff64833f13ce89a208c23