Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview

task | platform | score
Static | static | 10
bazaar.202...ge.exe | windows7-x64 | 10
bazaar.202...ge.exe | windows11-21h2-x64 | 3
bazaar.202...te.exe | windows7-x64 | 1
bazaar.202...te.exe | windows11-21h2-x64 | 10
bazaar.202...te.exe | windows7-x64 | 10
bazaar.202...te.exe | windows11-21h2-x64 | 10
bazaar.202...te.exe | windows7-x64 | 10
bazaar.202...te.exe | windows11-21h2-x64 | 10
Resubmissions

submitted | analysis id | score
15/09/2024, 22:00 | 240915-1wpj7svapc | 10
15/09/2024, 21:56 | 240915-1tbwbsthne | 10
20/08/2024, 13:49 | 240820-q4v2vayfmp | 10

Analysis

score: 10
max time kernel: 1197s
max time network: 841s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
submitted: 15/09/2024, 21:56
Static task: static1

Behavioral tasks

task | sample | resource
behavioral1 | bazaar.2020.02/HEUR-Backdoor.MSIL.Revenge.exe | win7-20240708-en
behavioral2 | bazaar.2020.02/HEUR-Backdoor.MSIL.Revenge.exe | win11-20240802-en
behavioral3 | bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe | win7-20240708-en
behavioral4 | bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe | win11-20240802-en
behavioral5 | bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe | win7-20240729-en
behavioral6 | bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe | win11-20240802-en
behavioral7 | bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe | win7-20240903-en
General

Target: bazaar.2020.02/HEUR-Backdoor.MSIL.Revenge.exe
Size: 16KB
MD5: fc8f4e31d85e796c1efe9b0fabeed23a
SHA1: e15233a69c32761d8ad0e293ce1ed2e1162d5647
SHA256: c35e3bdf0d1a7275e73f3c8c9fb57cf874ffa19ffafae649025b1e90cd07c096
SHA512: 36e40d94711c82fb1669e3143d63833a3f7ad1b0ea8dae00287cbcdfd154135a3d7042702e4900193d0dcae94b0d03f7b6a9fb545e20c709fd4fb4a1cae95351
SSDEEP: 384:sxF6Mj9VnRq2Rj9oM+bYO+4kr9oDPlMNcLlb5sVKdyS5Ct:sxF6Mj9V5bDclMNE9o
Malware Config
Signatures
-
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE

Modifies Internet Explorer settings

description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\MINIE | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C2BF0611-73AD-11EF-9BC7-EEF6AC92610E} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)

description | pid | Process
Token: SeDebugPrivilege | 1720 | HEUR-Backdoor.MSIL.Revenge.exe

Suspicious use of FindShellTrayWindow (1 IoCs)

pid | Process
2036 | iexplore.exe

Suspicious use of SetWindowsHookEx (6 IoCs)

pid | Process
2036 | iexplore.exe
2036 | iexplore.exe
2632 | IEXPLORE.EXE
2632 | IEXPLORE.EXE
2632 | IEXPLORE.EXE
2632 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory (4 IoCs)

description | pid | Process | procid_target
PID 2036 wrote to memory of 2632 | 2036 | iexplore.exe | 34
PID 2036 wrote to memory of 2632 | 2036 | iexplore.exe | 34
PID 2036 wrote to memory of 2632 | 2036 | iexplore.exe | 34
PID 2036 wrote to memory of 2632 | 2036 | iexplore.exe | 34
Processes

- C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\HEUR-Backdoor.MSIL.Revenge.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\HEUR-Backdoor.MSIL.Revenge.exe"
  PID: 1720
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\explorer.exe
  command line: "C:\Windows\explorer.exe"
  PID: 2396

- C:\Program Files\Internet Explorer\iexplore.exe
  command line: "C:\Program Files\Internet Explorer\iexplore.exe"
  PID: 2036
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (child of PID 2036)
    command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2036 CREDAT:275457 /prefetch:2
    PID: 2632
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 74b795b1738c52e7f30b3062e6bda45c
  SHA1: 7a4ac08b5cb5afd8aee21c1e2c6d4f46c752613a
  SHA256: 94fc99f94578b144fede514f77f54c526b6fad56fcdd9acba44d23019599dc9a
  SHA512: 613c27f73e5b4f88ab18bbd150598f39f2fa4dcc546a0c084036b1145c0680c8ffc7a864abc0a266adda04a8100d4289c2497e228acd01814fd15d8db3bf3953

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: b4305880ae714b53d6f00ee2e41543c5
  SHA1: 0fa8f896ea13c70438f502a73eacdfbe43e2148a
  SHA256: fbb2287e1ca6598e094f3e1aa5ccd26d82dac568d946702c2a06ad6a6ee84b7c
  SHA512: dc71698a1cf366061d93b32839d3c22ec509d01c6e346cce3ae8ed7cbe5390e7af4f44b54f93936860afd6b217340e178217a9b6a381a83e438f2e20a30ac89b

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: c14f227f3ffc2871771c1f991fc3b7e0
  SHA1: 2e8465977256bccc1a0f21d7de614ed920a312d5
  SHA256: 54e5c9f0a1e5e86fd9797df7ee816d72a246f2b22c8a6c3ae14f4727f8daa007
  SHA512: 2ded931c168ff55c0878891f90c6cea313f9dc771be0f9a2fb1a23c3d38ed301f585a334bfa4445da92909234b911d171acf1a9836e5dbd98ec111c7bb1e9578

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: dd556ccae8deef1118111649c561c06b
  SHA1: 49091c22dbaced5aadd286e03c5df2a4c71c27a3
  SHA256: 2004c879bf16ea04b2065b2d81f081f5d8b00f3bb9c923080d2ec5ff20d634bf
  SHA512: 9885a8d61be79bd7ad8f2c0de1ccdf77efbbd0c175e644f6375d034e4a4c8ab79564171feed5e3e6e26dd7882470595364b9f21615bff6307a31cec280e4f937

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 7380655609864de4a1a98fde17dbf172
  SHA1: 480e3d59b438c7af59d45ed8a53b7e2a2ac20df1
  SHA256: 721dfc5d05bb76c5922279412570cb8db4c83646c1ec722b97468a7ff841ec8c
  SHA512: c20a38babf1631ad7408317a0081b97b82a570f93e36974731506b8a2c69c0bd19fb4bbe86190b9c101b047ffd245be15452581a1072284787d658abe5d42e77

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 769ecd4493a515e1560d369354e9884e
  SHA1: efbf8a666ab7226f52a882685095d5e51ba3e9f8
  SHA256: 8413e59fea08764bde670c962aa498a05cb39266961c3831248791f9923a7b2a
  SHA512: 02475440f64205801eb2f7cf0f05e22b09b10960b1bf10b084274e057dce974f6f31567efb185f923780022b5dc9dead02a66aed833c19008eb62ff104addd6c

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: e33f3eab01cda361812560906117034b
  SHA1: f46fcf40a2c801466cd41e01e704c9ff1f340c32
  SHA256: c14114aa614eb518042e6df0ecc1b7010408cf20c2ea73ea0a4b27271a242371
  SHA512: 4b25e399599801824f165bdf9bc39b4a0eb7d0db9a3e0fea4c3a30503f82e51f03d7f8c8db389b1fe9ee5fa93865fbb57a0dcc83b53aefdc541ba1b9da792004

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 9b77a770db30e32dbac7506fc2ebafc1
  SHA1: fbb46a8686239fb9f7983b9d0405c5cc8a965316
  SHA256: dadb1c7dadf4f1a0a08256a22d22924bc6f387c19f5ff03e0a90682f15aee693
  SHA512: 21a3223d727acabed7db572f1799141d620bc12e9803c55497f9681d2128d8054de68e9504eb920671632b6db4ede5ea56ca888f38f790ee84d9b2ac001fa6d9

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 8ba7d03b797f110496d5f66e77a5d0e1
  SHA1: cf14956f18795fd8bbcc4762d0a88a62472f4c49
  SHA256: 3de9fb32f429d7ff904d49d6a7c41e66220ebcb6adc38640b05327a51dcea7b1
  SHA512: dcb32b6a542f255c41b63c07f3abcc4b670857429474a30ef18c666888dae9b0742e19293a75f5563f838ef17a7102cdb27565c035feb9888c7479b6e455dfed

- (path not listed)
  Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

- (path not listed)
  Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

- (path not listed)
  Filesize: 16KB
  MD5: 9041488ac23fb863e24470e89f576348
  SHA1: 135dc2eb469ebd194c031fff749fccde46fd3bb4
  SHA256: be3556703af6a95cc94042019724714285d93d35d590e14dfece46bbe4c16ced
  SHA512: 7b8d962ffeebe25959b520e30756a99346b3ecfe6da409ebcafa9697bd3c7fd30133b45b420f3e5f38e20621ab2a82ac1943825123ac3a76110b10c1469eeaa0