Analysis

  • max time kernel
    120s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/12/2024, 17:38

General

  • Target

    fe864ca1ed2d02f2ab3e42ec2dfcea0d7fb4d1aece9344612f6f66f739be10dfN.exe

  • Size

    2.8MB

  • MD5

    a58f1c1a4a6f0e58a0193e2f4ace7370

  • SHA1

    c5696172a9ddbc820ddad28ff28337b42de3efc8

  • SHA256

    fe864ca1ed2d02f2ab3e42ec2dfcea0d7fb4d1aece9344612f6f66f739be10df

  • SHA512

    7a0d6fb3d862537ad3fc44db93d4f87715f3ae593c96b89a4adb02eef5423cef1630e9ca36f6c7a8f47c0cdebcd75f8093769acd9518d7799c641a642e870663

  • SSDEEP

    49152:RVvn8Q5CHCtE4jPTTm4uBLq9gtMyMpy7nEvVWiKjUOlk0O:RF8QUitE4iLqaPWGnEvSO

Malware Config

Signatures

  • Banload

    Banload variants download malicious files, then install and execute the files.

  • Banload family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Renames multiple (507) files with added filename extension

    This suggests ransomware activity: encrypting the files on the system and appending an extension to each renamed file.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies registry class 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
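Three of the signatures above (the VirtualBox ACPI check, the BIOS information read, and the mass rename with an added extension) are behavioural rules over the sandbox's API trace. The following Python is an added example, not tria.ge's own detection code: it models those rules over a constructed list of registry-read and file-rename events. The `Event` record format, the helper names and the rename threshold of 10 are assumptions made for this example; the registry paths are the well-known VirtualBox ACPI table keys (OEM id `VBOX__`) and the BIOS description values that anti-VM code reads. PID 1200 is reused from the report for the sample process.

```python
"""Behavioural signature rules over a constructed sandbox event stream.

Added example, not tria.ge code. Event format, helper names and the
rename threshold are assumptions for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath

# VirtualBox guests expose ACPI tables under these keys (OEM id VBOX__).
VBOX_ACPI_PREFIXES = (
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__",
    r"HKLM\HARDWARE\ACPI\FADT\VBOX__",
    r"HKLM\HARDWARE\ACPI\RSDT\VBOX__",
)
# Generic BIOS strings that sandbox-detection code commonly reads.
BIOS_VALUES = {
    (r"HKLM\HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
    (r"HKLM\HARDWARE\DESCRIPTION\System", "VideoBiosVersion"),
    (r"HKLM\HARDWARE\DESCRIPTION\System", "SystemBiosDate"),
}


@dataclass(frozen=True)
class Event:
    """One traced operation (assumed format, modelled on an API trace)."""
    pid: int
    kind: str          # "reg_read" or "file_rename"
    key: str = ""      # reg_read: registry key path
    value: str = ""    # reg_read: value name ("" for key open/enumerate)
    src: str = ""      # file_rename: original path
    dst: str = ""      # file_rename: new path


def _norm(key, value=""):
    """Registry paths are case-insensitive; compare in a canonical form."""
    return key.upper().rstrip("\\"), value.lower()


_VBOX = tuple(p.upper() for p in VBOX_ACPI_PREFIXES)
_BIOS = {_norm(k, v) for k, v in BIOS_VALUES}


def vbox_acpi_hits(events):
    """PIDs that opened or read a VirtualBox-specific ACPI table key."""
    return {e.pid for e in events
            if e.kind == "reg_read" and e.key.upper().startswith(_VBOX)}


def bios_query_hits(events):
    """PIDs that read one of the BIOS description values."""
    return {e.pid for e in events
            if e.kind == "reg_read" and _norm(e.key, e.value) in _BIOS}


def added_extension_renames(events, threshold=10):
    """PIDs that renamed at least `threshold` files by appending a suffix.

    Only renames where the new name is the old name plus one extra
    extension count (report.docx -> report.docx.locked); a rename that
    changes the base name does not. Returns {pid: count}.
    """
    counts = Counter()
    for e in events:
        if e.kind != "file_rename":
            continue
        src, dst = PureWindowsPath(e.src), PureWindowsPath(e.dst)
        if dst.parent == src.parent and dst.stem == src.name and dst.suffix:
            counts[e.pid] += 1
    return {pid: n for pid, n in counts.items() if n >= threshold}


def evaluate(events, rename_threshold=10):
    """Run every rule and return {rule name: sorted list of matching PIDs}."""
    return {
        "Identifies VirtualBox via ACPI registry values": sorted(vbox_acpi_hits(events)),
        "Checks BIOS information in registry": sorted(bios_query_hits(events)),
        "Renames multiple files with added filename extension":
            sorted(added_extension_renames(events, rename_threshold)),
    }


def constructed_events():
    """Constructed sample trace: PID 1200 behaves like the report, 4321 is benign."""
    evs = [
        Event(1200, "reg_read", key=r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"),
        Event(1200, "reg_read", key=r"HKLM\HARDWARE\DESCRIPTION\System", value="SystemBiosVersion"),
        Event(1200, "reg_read", key=r"HKLM\HARDWARE\DESCRIPTION\System", value="VideoBiosVersion"),
        Event(4321, "reg_read", key=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion", value="ProgramFilesDir"),
        Event(4321, "file_rename", src=r"C:\Users\Admin\Documents\draft.txt",
              dst=r"C:\Users\Admin\Documents\final.txt"),
    ]
    for i in range(12):
        name = rf"C:\Users\Admin\Documents\report{i}.docx"
        evs.append(Event(1200, "file_rename", src=name, dst=name + ".locked"))
    return evs


if __name__ == "__main__":
    for rule, pids in evaluate(constructed_events()).items():
        print(f"{rule}: {pids or 'no hits'}")
```

The rename rule deliberately ignores renames that change the base name, so ordinary save-as behaviour does not count toward the threshold; the report's 507 hits would clear any sensible threshold, while a single benign rename (PID 4321 above) does not.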

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe864ca1ed2d02f2ab3e42ec2dfcea0d7fb4d1aece9344612f6f66f739be10dfN.exe
    "C:\Users\Admin\AppData\Local\Temp\fe864ca1ed2d02f2ab3e42ec2dfcea0d7fb4d1aece9344612f6f66f739be10dfN.exe"
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:1200

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini.tmp

    Filesize

    3.0MB

    MD5

    5240c2f5355e1fc7340c5f35a620f170

    SHA1

    75fda74c9fec5f88adb4a7ed4f56c7bab8e2ebf0

    SHA256

    0d6aac75e4dccc42c5b91cbf82ba5b992b8b6d0e0ccc1b68ca3179071d7e2f36

    SHA512

    610909ce961e9b8b50901b5ba8efc6a43a6b1050ead797884d395c95ef7dadac7e285b38123a887826a89721538a773055c41ff9723e83c7f6a06d6dd80281eb

  • C:\Program Files\7-Zip\7-zip.dll.tmp

    Filesize

    3.1MB

    MD5

    3f39a7d74fdedec1bbe280b3d5ff7267

    SHA1

    a7a9c8ff346009a15807911afee7712e0f85613a

    SHA256

    70afb9be75ba190ae54e8abfa53ceae434b67cfbb2edfd746397325866011e82

    SHA512

    c309973e79995a51de4f79e207db264aa0c0de73308cff20fe8011498b978f504c9440ab8f4c2905c6243c8ec4bb677ac672076ef08c7001b0ec4c8a1e3ae1c2

  • memory/1200-0-0x0000000000400000-0x0000000000616000-memory.dmp

    Filesize

    2.1MB

  • memory/1200-2-0x0000000004290000-0x000000000449C000-memory.dmp

    Filesize

    2.0MB

  • memory/1200-9-0x0000000004290000-0x000000000449C000-memory.dmp

    Filesize

    2.0MB

  • memory/1200-12-0x0000000000400000-0x0000000000616000-memory.dmp

    Filesize

    2.1MB

  • memory/1200-13-0x0000000000400000-0x0000000000616000-memory.dmp

    Filesize

    2.1MB

  • memory/1200-14-0x0000000004290000-0x000000000449C000-memory.dmp

    Filesize

    2.0MB

  • memory/1200-47-0x0000000004290000-0x000000000449C000-memory.dmp

    Filesize

    2.0MB

  • memory/1200-46-0x0000000004290000-0x000000000449C000-memory.dmp

    Filesize

    2.0MB

  • memory/1200-130-0x0000000000400000-0x0000000000616000-memory.dmp

    Filesize

    2.1MB

  • memory/1200-148-0x0000000004290000-0x000000000449C000-memory.dmp

    Filesize

    2.0MB