Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

6

Static

static

1

2024-08-29...il.exe

windows7-x64

6

2024-08-29...il.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/08/2024, 12:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe

  • Size

    15.7MB

  • MD5

    7579555177f0851d82b416c87e4f809d

  • SHA1

    04998bfed4c632fb42b4be4c52b1b04964b7ad37

  • SHA256

    be2f54f7285dd05c6054b6560e4576d88e699c858ffd6daa2da3017cb1e6a9ea

  • SHA512

    ed820f9921006213a6aa9e394814e0d7163c4db314fb349b020551cffe32605d26108d119a47c38a9999af40153c781bd17428c1b9ec0b450c6a5d612945003c

  • SSDEEP

    196608:PfEkDV4aV49RjOF5hK9TMICeEnE5rigt/a4PKKOjw+dLnWaKxYfRNrcAGTeOSKxS:3gs09TMJeEnEQoKgaKxYpSAP87w5Fz

Score
6/10
discovery

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe"
    1⤵
    • Enumerates connected drives
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\WirelessMedia\WMMeeting.msi"
      2⤵
      • Blocklisted process makes network request
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:3216
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4772
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 11B5D848A748A5D2FB176B6A17805D3A C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:4360

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MSI89A2.tmp
    Filesize

    285KB

    MD5

    db6ba08b76531f4e4cabb16e591ba8dc

    SHA1

    3912d40f26dbe43b456f17141545b5cba9bcd875

    SHA256

    83e33f07f0a0ef4ef54c32ece108a932a93567fb4699692e375026170b8f87c4

    SHA512

    c4867d48360eaf78606fedc504d2d896fbc4e85acbe567ff89cf6c71586f4939340194988c8c826484d8e08b66c30598095ab5f888b9b9b64bd49a66e383becf

    Download Submit

  • C:\Users\Admin\AppData\Local\WirelessMedia\WMMeeting.msi
    Filesize

    891KB

    MD5

    e582489b588726147e5ecceb9286ea8d

    SHA1

    bcfbffafcd947fab7c0ccf16cd24ffd27d9907bf

    SHA256

    f7acb2ffe0f45083acf9f24c7b8d7baf90146065973ebe1a609874b2ecd233b8

    SHA512

    a4bd54dc3712f20dc1b49caddadd6e9cf5bcfa73fdad325d719cd68a6f0b1c897b532c5fd7e19a7c9dca97b9d18fb9659c667755a1c407c5883a045408e91d1e

    Download Submit

  • C:\Users\Admin\AppData\Local\WirelessMedia\config.ini
    Filesize

    29B

    MD5

    07b6a1e0c5ee0bdf354868d45b80f325

    SHA1

    37aeb217266dd8a71cfff7c6b93d03ca55d5085c

    SHA256

    9f09af33af7d82b40e9c2aa28e27dce4058766ac59708af216ed6ff7d1fadd9b

    SHA512

    a1a0cd7692a0646bd2d1c7698505a140fb9d5cc3e63f53b2bd348d91db43d09338f322c2a3c14ee8bc2e9f588dc4fc6e2dcac2be04df7ac5b8f7bb0648287d31

    Download Submit