Overview

  Item                        Platform             Score
  Overview                    -                    9
  Static                      -                    3
  breakaway_...1).exe         windows7-x64         7
  breakaway_...1).exe         windows10-2004-x64   7
  $PLUGINSDI...em.dll         windows7-x64         3
  $PLUGINSDI...em.dll         windows10-2004-x64   3
  $PLUGINSDIR/UAC.dll         windows7-x64         3
  $PLUGINSDIR/UAC.dll         windows10-2004-x64   3
  $PLUGINSDI...gs.dll         windows7-x64         3
  $PLUGINSDI...gs.dll         windows10-2004-x64   3
  BaDeskband.dll              windows7-x64         3
  BaDeskband.dll              windows10-2004-x64   3
  BaDeskband2_32.dll          windows7-x64         3
  BaDeskband2_32.dll          windows10-2004-x64   3
  BaDeskband2_64.dll          windows7-x64         7
  BaDeskband2_64.dll          windows10-2004-x64   7
  breakaway.exe               windows7-x64         9
  breakaway.exe               windows10-2004-x64   9
  endpoint_volume.dll         windows7-x64         3
  endpoint_volume.dll         windows10-2004-x64   3
  uninstall_...ay.exe         windows7-x64         7
  uninstall_...ay.exe         windows10-2004-x64   7

Analysis

  max time kernel    120s
  max time network   124s
  platform           windows7_x64
  resource           win7-20240704-en
  resource tags      arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  submitted          23/08/2024, 20:10
  Task           Type              Sample                              Resource
  static1        Static task       breakaway_setup_1.44.00 (1).exe     -
  behavioral1    Behavioral task   breakaway_setup_1.44.00 (1).exe     win7-20240704-en
  behavioral2    Behavioral task   breakaway_setup_1.44.00 (1).exe     win10v2004-20240802-en
  behavioral3    Behavioral task   $PLUGINSDIR/System.dll              win7-20240705-en
  behavioral4    Behavioral task   $PLUGINSDIR/System.dll              win10v2004-20240802-en
  behavioral5    Behavioral task   $PLUGINSDIR/UAC.dll                 win7-20240704-en
  behavioral6    Behavioral task   $PLUGINSDIR/UAC.dll                 win10v2004-20240802-en
  behavioral7    Behavioral task   $PLUGINSDIR/nsDialogs.dll           win7-20240704-en
  behavioral8    Behavioral task   $PLUGINSDIR/nsDialogs.dll           win10v2004-20240802-en
  behavioral9    Behavioral task   BaDeskband.dll                      win7-20240708-en
  behavioral10   Behavioral task   BaDeskband.dll                      win10v2004-20240802-en
  behavioral11   Behavioral task   BaDeskband2_32.dll                  win7-20240704-en
  behavioral12   Behavioral task   BaDeskband2_32.dll                  win10v2004-20240802-en
  behavioral13   Behavioral task   BaDeskband2_64.dll                  win7-20240705-en
  behavioral14   Behavioral task   BaDeskband2_64.dll                  win10v2004-20240802-en
  behavioral15   Behavioral task   breakaway.exe                       win7-20240708-en
  behavioral16   Behavioral task   breakaway.exe                       win10v2004-20240802-en
  behavioral17   Behavioral task   endpoint_volume.dll                 win7-20240729-en
  behavioral18   Behavioral task   endpoint_volume.dll                 win10v2004-20240802-en
  behavioral19   Behavioral task   uninstall_breakaway.exe             win7-20240704-en
  behavioral20   Behavioral task   uninstall_breakaway.exe             win10v2004-20240802-en
General

  Target   breakaway_setup_1.44.00 (1).exe
  Size     4.4MB
  MD5      11925cf38de9313e87a3980a53ac0be6
  SHA1     a9d2e27a4b789fbef8b23e740753b6eb85e65516
  SHA256   8efb44d31cb52a7087fd2b76b8650cab8a39616106189fa732f44ea676c6035a
  SHA512   67bee82ab48cb75d49679060180225ce1c18530a942089b4e9d531849bc087b08bab2a13c9bd1eae758543f82bb1bcadb16981e35b34c6f817a389d1147abab6
  SSDEEP   98304:GB1HdkWyGx7qLQx+MAVkuntmGfBgLvr8uN6mjlUtA13WkRdfewG1ha4H:GBrkWUo+MAVkunlEvxllR1bRpGhH
Malware Config

Signatures

- Event Triggered Execution: Component Object Model Hijacking (1 TTPs)
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  Caveat for this run: the IoCs under "Modifies registry class" show regsvr32.exe creating the CLSID key {4621432F-171A-4B7E-8AA2-E560810DAB15} and its InprocServer32 subkey, not repointing a CLSID that already existed, and the Implemented Categories entry {00021492-0000-0000-C000-000000000046} is CATID_DeskBand, the category a taskbar deskband registers under. Read the signature as "new COM server registered"; the hijack pattern proper is an InprocServer32 rewrite under a pre-existing CLSID.

- Loads dropped DLL (8 IoCs)
  pid    Process
  1928   breakaway_setup_1.44.00 (1).exe
  1928   breakaway_setup_1.44.00 (1).exe
  1928   breakaway_setup_1.44.00 (1).exe
  1928   breakaway_setup_1.44.00 (1).exe
  2612   regsvr32.exe
  2888   regsvr32.exe
  1928   breakaway_setup_1.44.00 (1).exe
  1928   breakaway_setup_1.44.00 (1).exe

- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Breakaway = "\"C:\\Program Files (x86)\\Breakaway\\breakaway.exe\" force" | breakaway_setup_1.44.00 (1).exe

- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Drops file in Program Files directory (5 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\Breakaway\BaDeskband2_64.dll | breakaway_setup_1.44.00 (1).exe
  File created | C:\Program Files (x86)\Breakaway\endpoint_volume.dll | breakaway_setup_1.44.00 (1).exe
  File created | C:\Program Files (x86)\Breakaway\pipeline_icon.ico | breakaway_setup_1.44.00 (1).exe
  File created | C:\Program Files (x86)\Breakaway\breakaway.exe | breakaway_setup_1.44.00 (1).exe
  File created | C:\Program Files (x86)\Breakaway\uninstall_breakaway.exe | breakaway_setup_1.44.00 (1).exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | breakaway_setup_1.44.00 (1).exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe

- Modifies registry class (7 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4621432F-171A-4B7E-8AA2-E560810DAB15} | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4621432F-171A-4B7E-8AA2-E560810DAB15}\ = "Breakaway" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4621432F-171A-4B7E-8AA2-E560810DAB15}\InprocServer32 | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4621432F-171A-4B7E-8AA2-E560810DAB15}\InprocServer32\ = "C:\\Program Files (x86)\\Breakaway\\badeskband2_64.dll" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4621432F-171A-4B7E-8AA2-E560810DAB15}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4621432F-171A-4B7E-8AA2-E560810DAB15}\Implemented Categories | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4621432F-171A-4B7E-8AA2-E560810DAB15}\Implemented Categories\{00021492-0000-0000-C000-000000000046} | regsvr32.exe

- Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | Process | procid_target | entries
  PID 1928 wrote to memory of 2612 | 1928 | breakaway_setup_1.44.00 (1).exe | 28 | 7 identical entries
  PID 2612 wrote to memory of 2888 | 2612 | regsvr32.exe | 29 | 7 identical entries
  In both cases the target is the writer's own direct child in the process tree (1928 to 2612, 2612 to 2888), consistent with a parent writing into a child it has just created rather than injection into an unrelated process.
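The following Python is an added worked example, not code from the Triage report or from the Breakaway software. It parses the registry IoC lines exactly as the report prints them under "Adds Run key to start application" and "Modifies registry class", then separates the two persistence findings: the Run-key autostart and the CLSID registration, deciding for the latter whether the CLSID key was created in the same trace (a new registration) or only its InprocServer32 was rewritten (the redirect pattern of real COM hijacking). The KNOWN_PROCESSES list, the created-in-trace heuristic and the note wording are this example's own assumptions; the CATID_DeskBand GUID is the documented shell category constant.

```python
"""Parse the flattened registry IoC lines of a Triage-style report and triage the
persistence signatures above (Run key autostart, COM/CLSID registration)."""
import re
from dataclasses import dataclass, field

CATID_DESKBAND = "{00021492-0000-0000-C000-000000000046}"  # shell deskband category

# IoC lines copied from the report above; the sandbox flattens each event to
# "<operation> <key>[\<value name>] [= "<data>"] <process name>".
REPORT_IOCS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Breakaway = "\"C:\\Program Files (x86)\\Breakaway\\breakaway.exe\" force" breakaway_setup_1.44.00 (1).exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4621432F-171A-4B7E-8AA2-E560810DAB15} regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4621432F-171A-4B7E-8AA2-E560810DAB15}\ = "Breakaway" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4621432F-171A-4B7E-8AA2-E560810DAB15}\InprocServer32 regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4621432F-171A-4B7E-8AA2-E560810DAB15}\InprocServer32\ = "C:\\Program Files (x86)\\Breakaway\\badeskband2_64.dll" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4621432F-171A-4B7E-8AA2-E560810DAB15}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4621432F-171A-4B7E-8AA2-E560810DAB15}\Implemented Categories regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4621432F-171A-4B7E-8AA2-E560810DAB15}\Implemented Categories\{00021492-0000-0000-C000-000000000046} regsvr32.exe
'''
# Process names from the report's process tree (assumption of this example): a
# name may contain spaces, so the parser matches the longest known suffix.
KNOWN_PROCESSES = ("breakaway_setup_1.44.00 (1).exe", "regsvr32.exe")

SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "((?:[^"\\]|\\.)*)" (.+)$')
KEY_RE = re.compile(r'^Key (created|opened) (.+)$')
RUN_KEY_RE = re.compile(r'\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$', re.I)
CLSID_RE = re.compile(r'\\Classes\\CLSID\\(\{[0-9A-F-]{36}\})', re.I)

@dataclass
class RegEvent:
    op: str             # "Key created", "Key opened" or "Set value"
    key: str            # key path, hive normalised to HKLM/HKU
    name: str = ""      # value name; "" is the key's default value
    data: str = ""      # value data with the \" and \\ escapes decoded
    process: str = ""

@dataclass
class ComRegistration:
    clsid: str
    created_in_trace: bool = False   # the CLSID key itself was created in this run
    server: str = ""                 # InprocServer32 default value (DLL path)
    threading: str = ""
    categories: list = field(default_factory=list)
    process: str = ""

def normalize(path):
    """Map kernel-style \\REGISTRY\\MACHINE and \\REGISTRY\\USER prefixes to hive names."""
    for prefix, hive in (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\")):
        if path.upper().startswith(prefix):
            return hive + path[len(prefix):]
    return path

def split_process(rest, known):
    """Split '<key path> <process>' on the longest known process-name suffix."""
    for proc in sorted(known, key=len, reverse=True):
        if rest.endswith(" " + proc):
            return rest[:-len(proc) - 1], proc
    parts = rest.rsplit(" ", 1)  # fallback: last whitespace-delimited token
    return (parts[0], parts[1]) if len(parts) == 2 else (rest, "")

def parse_registry_iocs(text, known_processes=KNOWN_PROCESSES):
    events = []
    for line in text.strip().splitlines():
        if m := SET_RE.match(line.strip()):
            _vtype, keyname, raw, proc = m.groups()
            key, _, name = keyname.rpartition("\\")
            data = re.sub(r"\\(.)", r"\1", raw)  # undo the sandbox's \" and \\ escaping
            events.append(RegEvent("Set value", normalize(key), name, data, proc))
        elif m := KEY_RE.match(line.strip()):
            path, proc = split_process(m.group(2), known_processes)
            events.append(RegEvent("Key " + m.group(1), normalize(path), process=proc))
    return events

def triage(events):
    """Collect Run-key autostarts and per-CLSID COM registrations."""
    run_entries, com = [], {}
    for ev in events:
        if ev.op == "Set value" and RUN_KEY_RE.search(ev.key):
            run_entries.append({"key": ev.key, "name": ev.name, "command": ev.data,
                                "process": ev.process,
                                "wow64_view": "\\WOW6432NODE\\" in ev.key.upper()})
        if not (m := CLSID_RE.search(ev.key)):
            continue
        reg = com.setdefault(m.group(1).upper(), ComRegistration(m.group(1).upper()))
        subkey = ev.key[m.end():].lower()  # e.g. "\inprocserver32"
        if ev.op == "Key created" and subkey == "":
            reg.created_in_trace, reg.process = True, ev.process
        elif ev.op == "Set value" and subkey == "\\inprocserver32":
            if ev.name == "":
                reg.server = ev.data
            elif ev.name.lower() == "threadingmodel":
                reg.threading = ev.data
        elif ev.op == "Key created" and subkey.startswith("\\implemented categories\\"):
            reg.categories.append(ev.key.rsplit("\\", 1)[1].upper())
    return run_entries, com

def assess(run_entries, com):
    """Verdict lines. A CLSID created in the same trace is a fresh registration;
    only an InprocServer32 rewrite under a pre-existing CLSID is the redirect
    pattern of genuine COM hijacking."""
    notes = []
    for r in run_entries:
        view = " [32-bit view]" if r["wow64_view"] else ""
        notes.append(f"autostart: {r['key']}\\{r['name']}{view} -> {r['command']} (by {r['process']})")
    for reg in com.values():
        kind = "new CLSID registered" if reg.created_in_trace else "existing CLSID redirected (hijack pattern)"
        role = ", CATID_DeskBand" if CATID_DESKBAND in reg.categories else ""
        notes.append(f"com: {reg.clsid} {kind}{role}; InprocServer32={reg.server}; "
                     f"ThreadingModel={reg.threading} (by {reg.process})")
    return notes

if __name__ == "__main__":
    print("\n".join(assess(*triage(parse_registry_iocs(REPORT_IOCS)))))
```

Run stand-alone it prints one line per finding: the Run value written through the Wow6432Node (32-bit) view of HKLM, and the CLSID classified as a new deskband registration. Feeding it the same lines from a report where only `InprocServer32\` is set under a CLSID that is never created would instead yield the "existing CLSID redirected (hijack pattern)" verdict, which is the case the ATT&CK signature is actually meant for.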
Processes

1. C:\Users\Admin\AppData\Local\Temp\breakaway_setup_1.44.00 (1).exe  (PID 1928)
   Command line: "C:\Users\Admin\AppData\Local\Temp\breakaway_setup_1.44.00 (1).exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Drops file in Program Files directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\regsvr32.exe  (PID 2612, child of 1928)
      Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Breakaway\badeskband2_64.dll"
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\regsvr32.exe  (PID 2888, child of 2612)
         Command line: /s "C:\Program Files (x86)\Breakaway\badeskband2_64.dll"
         - Loads dropped DLL
         - Modifies registry class

Note on the chain: the 32-bit installer asks for C:\Windows\system32\regsvr32.exe, but WoW64 file-system redirection resolves that path to the 32-bit image in SysWOW64 (PID 2612). A 32-bit regsvr32 cannot load the 64-bit badeskband2_64.dll in-process, so it relaunches the native 64-bit regsvr32.exe from the real system32 directory (PID 2888), and that is the process that writes the CLSID keys listed under "Modifies registry class".
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (1)
    Component Object Model Hijacking (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (1)
    Component Object Model Hijacking (1)
Downloads

- Filesize 27KB
  MD5     05a8856111f44dc232911ebf06963037
  SHA1    32bc0ae743c6b05beae7a58bdf2c8abe2d91cba8
  SHA256  e9bd6f43cc6779b328887d250cf3f67b56375d633f53fd38b549b11156074549
  SHA512  4c3d01c355ccaba32aced45a8bc3ee115a7875bafd2a8fd03cccebf637c7438c5ecce25b1500252532a0512b9fdfe94ec5c3ab98cf4995d1063d281347365e42

- Filesize 51KB
  MD5     307075f9904572d515813fdfc88c10eb
  SHA1    0b88ce4b791bc1cf80dce6d7e0601233d9046de1
  SHA256  4da390a13cabfbd3f94537a021a4b21f69f089d44d4e496af6d6090a046cc52c
  SHA512  7de16df50e66d22b169c9300ebf6cf70a0a4cd0b4a8bc82ea70111b55d89c7eb9e7e46191c4b918db7cf0574b3218e99d286b55c14ef0e6e455b5d7ff0a7c28d

- Filesize 5.9MB
  MD5     1b90da8b29716405565d08d8fdd116a9
  SHA1    e211b215f4d2dd03a8047241bb2fd689baca5c61
  SHA256  1a8ed7a0e13fb993a71d03574b3a54ecc8488c626baa4783de541373bf4e0fae
  SHA512  374284ba521de59cf3ca7bd9aba4bd08f395a8465e56c97d323e712e8dfed0090dac339a85ccf1c93eadec52e69de919626c67d33eff1d6c2e6de285e8dd82ab

- Filesize 11KB
  MD5     c17103ae9072a06da581dec998343fc1
  SHA1    b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
  SHA256  dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
  SHA512  d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

- Filesize 14KB
  MD5     b7d7324f2128531c9777d837516b65a6
  SHA1    e15e44fc7c907329e1cd3985e8666b4332f4fa48
  SHA256  530dc2b26366fc86072487438317a5723a10ff8b38522f9e813df19146a31033
  SHA512  829fc241cd377de094faf80bb38828c3d877170ca4a3fd85810bc911d2ce38941f8067ef681c21d8bbc04be8a99a3d32b3aec51ae7b32d3a89e5a9d9597ed8d5

- Filesize 9KB
  MD5     c10e04dd4ad4277d5adc951bb331c777
  SHA1    b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
  SHA256  e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
  SHA512  853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e