Analysis

  • max time kernel
    31s
  • max time network
    40s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/09/2024, 01:38

General

  • Target

    breakaway_setup_1.44.00 (1).exe

  • Size

    4.4MB

  • MD5

    11925cf38de9313e87a3980a53ac0be6

  • SHA1

    a9d2e27a4b789fbef8b23e740753b6eb85e65516

  • SHA256

    8efb44d31cb52a7087fd2b76b8650cab8a39616106189fa732f44ea676c6035a

  • SHA512

    67bee82ab48cb75d49679060180225ce1c18530a942089b4e9d531849bc087b08bab2a13c9bd1eae758543f82bb1bcadb16981e35b34c6f817a389d1147abab6

  • SSDEEP

    98304:GB1HdkWyGx7qLQx+MAVkuntmGfBgLvr8uN6mjlUtA13WkRdfewG1ha4H:GBrkWUo+MAVkunlEvxllR1bRpGhH

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 24 IoCs
  • Modifies registry class 17 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\breakaway_setup_1.44.00 (1).exe
    "C:\Users\Admin\AppData\Local\Temp\breakaway_setup_1.44.00 (1).exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1352
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Breakaway\badeskband2_64.dll"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2260
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Program Files (x86)\Breakaway\badeskband2_64.dll"
        3⤵
        • Loads dropped DLL
        • Modifies registry class
        PID:2740
  • C:\Program Files (x86)\Breakaway\breakaway.exe
    "C:\Program Files (x86)\Breakaway\breakaway.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2596
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://www.claessonedwards.com/download/
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1696
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1696 CREDAT:275457 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2660

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Breakaway\badeskband2_64.dll

    Filesize

    27KB

    MD5

    05a8856111f44dc232911ebf06963037

    SHA1

    32bc0ae743c6b05beae7a58bdf2c8abe2d91cba8

    SHA256

    e9bd6f43cc6779b328887d250cf3f67b56375d633f53fd38b549b11156074549

    SHA512

    4c3d01c355ccaba32aced45a8bc3ee115a7875bafd2a8fd03cccebf637c7438c5ecce25b1500252532a0512b9fdfe94ec5c3ab98cf4995d1063d281347365e42

  • C:\Program Files (x86)\Breakaway\endpoint_volume.dll

    Filesize

    107KB

    MD5

    6e4cdc51778d23fdf00fc7e924044721

    SHA1

    6337874b23f06596c0aec2e7ae229f524bb37f9a

    SHA256

    3ff0389a6153ec10077404435ecaa9bd9b77c4e2eccb60b44eb2a4a4b173d8fa

    SHA512

    84e26df4f7f8305fd99823af31b7e464cc19d86ed8f712a1461f6cd7cf4d9c1400cca6626707073795f8f70d5cc5cc1b8b4c11b30bc0e020a5f93accecc92a1f

  • C:\Users\Admin\AppData\Local\Temp\nsd8122.tmp\modern-wizard.bmp

    Filesize

    51KB

    MD5

    307075f9904572d515813fdfc88c10eb

    SHA1

    0b88ce4b791bc1cf80dce6d7e0601233d9046de1

    SHA256

    4da390a13cabfbd3f94537a021a4b21f69f089d44d4e496af6d6090a046cc52c

    SHA512

    7de16df50e66d22b169c9300ebf6cf70a0a4cd0b4a8bc82ea70111b55d89c7eb9e7e46191c4b918db7cf0574b3218e99d286b55c14ef0e6e455b5d7ff0a7c28d

  • \Program Files (x86)\Breakaway\breakaway.exe

    Filesize

    5.9MB

    MD5

    1b90da8b29716405565d08d8fdd116a9

    SHA1

    e211b215f4d2dd03a8047241bb2fd689baca5c61

    SHA256

    1a8ed7a0e13fb993a71d03574b3a54ecc8488c626baa4783de541373bf4e0fae

    SHA512

    374284ba521de59cf3ca7bd9aba4bd08f395a8465e56c97d323e712e8dfed0090dac339a85ccf1c93eadec52e69de919626c67d33eff1d6c2e6de285e8dd82ab

  • \Users\Admin\AppData\Local\Temp\nsd8122.tmp\System.dll

    Filesize

    11KB

    MD5

    c17103ae9072a06da581dec998343fc1

    SHA1

    b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

    SHA256

    dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

    SHA512

    d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

  • \Users\Admin\AppData\Local\Temp\nsd8122.tmp\UAC.dll

    Filesize

    14KB

    MD5

    b7d7324f2128531c9777d837516b65a6

    SHA1

    e15e44fc7c907329e1cd3985e8666b4332f4fa48

    SHA256

    530dc2b26366fc86072487438317a5723a10ff8b38522f9e813df19146a31033

    SHA512

    829fc241cd377de094faf80bb38828c3d877170ca4a3fd85810bc911d2ce38941f8067ef681c21d8bbc04be8a99a3d32b3aec51ae7b32d3a89e5a9d9597ed8d5

  • \Users\Admin\AppData\Local\Temp\nsd8122.tmp\nsDialogs.dll

    Filesize

    9KB

    MD5

    c10e04dd4ad4277d5adc951bb331c777

    SHA1

    b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

    SHA256

    e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

    SHA512

    853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

  • memory/1352-33-0x0000000000490000-0x00000000004A0000-memory.dmp

    Filesize

    64KB

  • memory/2596-52-0x0000000000400000-0x0000000000E2E000-memory.dmp

    Filesize

    10.2MB

  • memory/2596-58-0x0000000000400000-0x0000000000E2E000-memory.dmp

    Filesize

    10.2MB