Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

9

Static

static

3

breakaway_...1).exe

windows7-x64

7

breakaway_...1).exe

windows10-2004-x64

7

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDIR/UAC.dll

windows7-x64

3

$PLUGINSDIR/UAC.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

BaDeskband.dll

windows7-x64

3

BaDeskband.dll

windows10-2004-x64

3

BaDeskband2_32.dll

windows7-x64

3

BaDeskband2_32.dll

windows10-2004-x64

3

BaDeskband2_64.dll

windows7-x64

7

BaDeskband2_64.dll

windows10-2004-x64

7

breakaway.exe

windows7-x64

9

breakaway.exe

windows10-2004-x64

9

endpoint_volume.dll

windows7-x64

3

endpoint_volume.dll

windows10-2004-x64

3

uninstall_...ay.exe

windows7-x64

7

uninstall_...ay.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    23/08/2024, 20:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    breakaway_setup_1.44.00 (1).exe

  • Size

    4.4MB

  • MD5

    11925cf38de9313e87a3980a53ac0be6

  • SHA1

    a9d2e27a4b789fbef8b23e740753b6eb85e65516

  • SHA256

    8efb44d31cb52a7087fd2b76b8650cab8a39616106189fa732f44ea676c6035a

  • SHA512

    67bee82ab48cb75d49679060180225ce1c18530a942089b4e9d531849bc087b08bab2a13c9bd1eae758543f82bb1bcadb16981e35b34c6f817a389d1147abab6

  • SSDEEP

    98304:GB1HdkWyGx7qLQx+MAVkuntmGfBgLvr8uN6mjlUtA13WkRdfewG1ha4H:GBrkWUo+MAVkunlEvxllR1bRpGhH

Score
7/10
discoverypersistenceprivilege_escalation

Malware Config

Signatures

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 7 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\breakaway_setup_1.44.00 (1).exe
    "C:\Users\Admin\AppData\Local\Temp\breakaway_setup_1.44.00 (1).exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Breakaway\badeskband2_64.dll"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2612
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Program Files (x86)\Breakaway\badeskband2_64.dll"
        3⤵
        • Loads dropped DLL
        • Modifies registry class
        PID:2888

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Breakaway\badeskband2_64.dll
    Filesize

    27KB

    MD5

    05a8856111f44dc232911ebf06963037

    SHA1

    32bc0ae743c6b05beae7a58bdf2c8abe2d91cba8

    SHA256

    e9bd6f43cc6779b328887d250cf3f67b56375d633f53fd38b549b11156074549

    SHA512

    4c3d01c355ccaba32aced45a8bc3ee115a7875bafd2a8fd03cccebf637c7438c5ecce25b1500252532a0512b9fdfe94ec5c3ab98cf4995d1063d281347365e42

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nso54E5.tmp\modern-wizard.bmp
    Filesize

    51KB

    MD5

    307075f9904572d515813fdfc88c10eb

    SHA1

    0b88ce4b791bc1cf80dce6d7e0601233d9046de1

    SHA256

    4da390a13cabfbd3f94537a021a4b21f69f089d44d4e496af6d6090a046cc52c

    SHA512

    7de16df50e66d22b169c9300ebf6cf70a0a4cd0b4a8bc82ea70111b55d89c7eb9e7e46191c4b918db7cf0574b3218e99d286b55c14ef0e6e455b5d7ff0a7c28d

    Download Submit

  • \Program Files (x86)\Breakaway\breakaway.exe
    Filesize

    5.9MB

    MD5

    1b90da8b29716405565d08d8fdd116a9

    SHA1

    e211b215f4d2dd03a8047241bb2fd689baca5c61

    SHA256

    1a8ed7a0e13fb993a71d03574b3a54ecc8488c626baa4783de541373bf4e0fae

    SHA512

    374284ba521de59cf3ca7bd9aba4bd08f395a8465e56c97d323e712e8dfed0090dac339a85ccf1c93eadec52e69de919626c67d33eff1d6c2e6de285e8dd82ab

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nso54E5.tmp\System.dll
    Filesize

    11KB

    MD5

    c17103ae9072a06da581dec998343fc1

    SHA1

    b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

    SHA256

    dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

    SHA512

    d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nso54E5.tmp\UAC.dll
    Filesize

    14KB

    MD5

    b7d7324f2128531c9777d837516b65a6

    SHA1

    e15e44fc7c907329e1cd3985e8666b4332f4fa48

    SHA256

    530dc2b26366fc86072487438317a5723a10ff8b38522f9e813df19146a31033

    SHA512

    829fc241cd377de094faf80bb38828c3d877170ca4a3fd85810bc911d2ce38941f8067ef681c21d8bbc04be8a99a3d32b3aec51ae7b32d3a89e5a9d9597ed8d5

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nso54E5.tmp\nsDialogs.dll
    Filesize

    9KB

    MD5

    c10e04dd4ad4277d5adc951bb331c777

    SHA1

    b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

    SHA256

    e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

    SHA512

    853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

    Download Submit

  • memory/1928-32-0x0000000000570000-0x0000000000580000-memory.dmp

    Filesize

    64KB

    Download