Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/12/2024, 00:16

General

  • Target

    8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe

  • Size

    8.3MB

  • MD5

    11cfa26bba79670eea316ba55f0b1043

  • SHA1

    8c513befaa66ee2aa762a7b26dac39cacbe1aeac

  • SHA256

    8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69

  • SHA512

    52f351552912e64188891725f515433630016f2275c553cbba5c98f7b1968d2aca0aaf1d5feb3e154b820cfb5159cf7d8c4052c0e7172beb1ade0217243cc605

  • SSDEEP

    98304:RF8QUitE4iLqaPWGnEvK7RkOEEo+A7mOk3oaCVA7m2St29Ejzh9oEg1:RFQWEPnPBnEXPEL

Malware Config

Signatures

  • Banload

    Banload variants download malicious files, then install and execute the files.

  • Banload family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  • Renames multiple (200) files with added filename extension

    This suggests ransomware activity: encrypting all the files on the system.

  • Checks BIOS information in registry (2 TTPs, 2 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Drops file in Program Files directory (64 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class (8 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
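
Three of the behaviours flagged above (BIOS reads from the registry, VirtualBox ACPI keys, and mass renames that append an extension) can be re-derived from a process's event stream, which is how an analyst would cross-check a sandbox verdict against their own telemetry. The Python below is an added example, not code from Triage or from this report. It assumes a simplified `op|pid|arg1|arg2` event format and the registry locations named in the code, which are the commonly abused ones rather than Triage's published rule logic. The sample events are constructed; the two renamed paths are taken from the Downloads section of this report, the rest are made up.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable

# Registry locations the two anti-sandbox signatures are assumed to watch.
# Assumption: the report does not list Triage's rule logic; these are the
# values malware commonly reads for VM/sandbox detection.
BIOS_VALUES = {
    (r"HKLM\HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
    (r"HKLM\HARDWARE\DESCRIPTION\System", "VideoBiosVersion"),
}
ACPI_TABLE_ROOTS = (
    r"HKLM\HARDWARE\ACPI\DSDT",
    r"HKLM\HARDWARE\ACPI\FADT",
    r"HKLM\HARDWARE\ACPI\RSDT",
)
VBOX_ACPI_MARKER = "VBOX__"          # VirtualBox OEM ID in its ACPI tables

# An appended extension: a dot followed by a short alphanumeric token.
APPENDED_EXT = re.compile(r"^\.[A-Za-z0-9_]{1,10}$")


@dataclass(frozen=True)
class Event:
    op: str      # regread | regenum | rename
    pid: int
    arg1: str    # registry key, or rename source path
    arg2: str    # value name / empty, or rename destination path


def parse_events(lines: Iterable[str]) -> list[Event]:
    """Parse constructed 'op|pid|arg1|arg2' lines (assumed format, not Triage's)."""
    events = []
    for line in lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        op, pid, arg1, arg2 = line.split("|", 3)
        events.append(Event(op, int(pid), arg1, arg2))
    return events


def _same(a: str, b: str) -> bool:
    # Registry keys and Windows paths are case-insensitive.
    return a.casefold() == b.casefold()


def bios_reads(events: Iterable[Event]) -> list[str]:
    """'Checks BIOS information in registry': return the matched key\\value IoCs."""
    hits = set()
    for e in events:
        if e.op != "regread":
            continue
        for key, value in BIOS_VALUES:
            if _same(e.arg1, key) and _same(e.arg2, value):
                hits.add(f"{key}\\{value}")
    return sorted(hits)


def virtualbox_acpi_keys(events: Iterable[Event]) -> list[str]:
    """'Identifies VirtualBox via ACPI registry values': keys under the ACPI
    table roots whose name carries the VirtualBox OEM ID."""
    hits = set()
    for e in events:
        if e.op not in ("regread", "regenum"):
            continue
        full = e.arg1 if not e.arg2 else f"{e.arg1}\\{e.arg2}"
        under_acpi = any(full.casefold().startswith(root.casefold() + "\\")
                         for root in ACPI_TABLE_ROOTS)
        if under_acpi and VBOX_ACPI_MARKER.casefold() in full.casefold():
            hits.add(full)
    return sorted(hits)


def renames_with_added_extension(events: Iterable[Event]) -> Counter:
    """Count renames where the destination is the source path plus one new
    extension (Office64WW.xml -> Office64WW.xml.tmp). Plain moves and
    extension swaps (old.log -> old.bak) are deliberately not counted."""
    added: Counter = Counter()
    for e in events:
        if e.op != "rename":
            continue
        src, dst = e.arg1, e.arg2
        if len(dst) <= len(src) or not _same(dst[:len(src)], src):
            continue
        suffix = dst[len(src):]
        if APPENDED_EXT.match(suffix):
            added[suffix.lower()] += 1
    return added


def evaluate(lines: Iterable[str], rename_threshold: int = 200) -> dict:
    """Reproduce the three signature verdicts; 200 is the count the report cites."""
    events = parse_events(lines)
    added = renames_with_added_extension(events)
    total = sum(added.values())
    return {
        "Checks BIOS information in registry": bool(bios_reads(events)),
        "Identifies VirtualBox via ACPI registry values": bool(virtualbox_acpi_keys(events)),
        "Renames multiple files with added filename extension": total >= rename_threshold,
        "rename_count": total,
        "extensions": dict(added),
    }


# Constructed events for PID 2264 (not a real sandbox log).
SAMPLE_EVENTS = [
    r"regread|2264|HKLM\HARDWARE\DESCRIPTION\System|SystemBiosVersion",
    r"regread|2264|HKLM\HARDWARE\DESCRIPTION\System|VideoBiosVersion",
    r"regenum|2264|HKLM\HARDWARE\ACPI\DSDT\VBOX__|",
    r"rename|2264|C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini|C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini.tmp",
    r"rename|2264|C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml|C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp",
    r"rename|2264|C:\Users\Admin\Documents\notes.txt|C:\Users\Admin\Desktop\notes.txt",
    r"rename|2264|C:\Users\Admin\Documents\old.log|C:\Users\Admin\Documents\old.bak",
] + [
    rf"rename|2264|C:\Users\Admin\Documents\doc{i}.docx|C:\Users\Admin\Documents\doc{i}.docx.tmp"
    for i in range(250)
]

if __name__ == "__main__":
    for name, verdict in evaluate(SAMPLE_EVENTS).items():
        print(f"{name}: {verdict}")
```

In production the event lines would come from Sysmon (registry and file-rename events) or from the sandbox's own API log rather than a hand-built list; the threshold of 200 mirrors the signature text above, and the rename rule is written so that ordinary file moves do not inflate the count. The VirtualBox check is deliberately keyed on the ACPI table subkey name, because that is what the sample sees regardless of how the guest's BIOS strings have been patched.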

Processes

  • C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe
    "C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:2264

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini.tmp

    Filesize

    8.4MB

    MD5

    a4056149a6949e7651f04132fd3b82b7

    SHA1

    f21637cfa95c0053c35885b0eb67cb68da07c433

    SHA256

    0d2b272b1950b3921fe6cbb73cd898155b97fb34e0f6826499dfb46b561ffa3a

    SHA512

    30bdd25149eecd576c96cb62c0264d805ce5a96fe0cbe95a979ed4836e37d1a1779d063ac1dd71f62dba020e80e27e212ed344ec70f1c5f95d49bd5d48e71d7a

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

    Filesize

    8.4MB

    MD5

    0138bbae4655d92c2515686868c1f901

    SHA1

    8dfb965c1609e20683fa819319ae959e929ce128

    SHA256

    bb30e5f01a08142f07cafdf382c5138af756816eeea19f837aaf09cd27602a92

    SHA512

    8bd9b0931faee8f09fdcd4d97d6464476d96117e170418ca0def108688b09035833d03d281232a15113d697181612dd089eda78704df305381b825ab84c1199e

  • memory/2264-0-0x0000000000400000-0x0000000000616000-memory.dmp

    Filesize

    2.1MB

  • memory/2264-1-0x0000000003430000-0x000000000363C000-memory.dmp

    Filesize

    2.0MB

  • memory/2264-8-0x0000000003430000-0x000000000363C000-memory.dmp

    Filesize

    2.0MB

  • memory/2264-12-0x0000000000400000-0x0000000000616000-memory.dmp

    Filesize

    2.1MB

  • memory/2264-11-0x0000000000400000-0x0000000000616000-memory.dmp

    Filesize

    2.1MB

  • memory/2264-13-0x0000000003430000-0x000000000363C000-memory.dmp

    Filesize

    2.0MB

  • memory/2264-25-0x0000000003430000-0x000000000363C000-memory.dmp

    Filesize

    2.0MB

  • memory/2264-35-0x0000000000400000-0x0000000000616000-memory.dmp

    Filesize

    2.1MB

  • memory/2264-41-0x0000000003430000-0x000000000363C000-memory.dmp

    Filesize

    2.0MB