Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
576s -
max time network
595s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
22/08/2024, 15:26
General
-
Target
Run-Malware-1.bat
-
Size
88B
-
MD5
2ee06c41fd75f8fabd7453d3e1240a49
-
SHA1
02b77c02c6c55b6f40ffc409860c66fda803f39f
-
SHA256
68082405a1e0bdf0a6109a0a22f93677bb25b2aba804c77f2536a8090cf1e0d0
-
SHA512
354f4fb40ce5248a68ae8a6dfdabe9476970841de22b875788f8b8ec12b529bd702d18ca9f3a1e13412c68f67a3d7326b2c37fdfa5b63ceffbb3ea85682c204c
Malware Config
Extracted
warmcookie
72.5.43.29
-
mutex
a208f030-25f9-4f41-8b57-6b0b7ecccf29
-
user_agent
Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
Signatures
-
Warmcookie, Badspace
Warmcookie aka Badspace is a backdoor written in C++.
-
Blocklisted process makes network request 9 IoCs
-
Loads dropped DLL 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Run-Malware-1.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32.exe f4d2c9470b322af29b9188a3a590cbe85bacb9cc8fcd7c2e94d82271ded3f659.dll, Start2⤵
- Drops file in Windows directory
-
-
C:\Windows\system32\rundll32.exeC:\Windows\system32\rundll32.exe "C:\ProgramData\Tivix\Updater.dll",Start /u1⤵
- Blocklisted process makes network request
- Loads dropped DLL
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
155KB
MD57a799f4f9aa63745a75b901a392aff29
SHA1b9983463f637191ba12c2270ac52a547676a7037
SHA256f4d2c9470b322af29b9188a3a590cbe85bacb9cc8fcd7c2e94d82271ded3f659
SHA512e9eeb340dd620256d543ab43d08ccc23b555afa332c744c629fd8f40760f20a24e234955fc8d2e78a150f09028ca7a11650e0da157fff64833f13ce89a208c23