Resubmissions

  • 24/12/2024, 19:02 UTC: 241224-xp5fastrdy (10)
  • 16/07/2024, 19:00 UTC: 240716-xn2b9avhmm (10)
  • 29/04/2024, 18:50 UTC: 240429-xhbjmsac4x (10)
  • 29/04/2024, 18:47 UTC: 240429-xffetahh23 (10)

Analysis

  • max time kernel
    90s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    24/12/2024, 19:02 UTC

General

  • Target
    BRUH WTF/bin/settings.xml
  • Size
    688B
  • MD5
    5769c0618b9fe4873c9256b5cbbf2b95
  • SHA1
    e123705e308feb804baf0f23949f966e78162dd5
  • SHA256
    a5828dc580978f8e1f37459d33e8158416b6c8a0c2881e9eabced034ecfbd15c
  • SHA512
    15f80ce7cb33125c856dd7b6ed032dedc0ea30c40eb72d44e0c4f7cecefe33e54449c51f70efe88154dc35f52bdaa78b6fa6079cc55425aefcd7088d3f25acae

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim host in order to infer that host's geographical location.

  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
  • Modifies data under HKEY_USERS 1 IoCs
  • Modifies registry class 10 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
    "C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\BRUH WTF\bin\settings.xml"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3096
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\BRUH WTF\bin\settings.xml
      2⤵
      • Modifies Internet Explorer settings
      PID:5016
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
    1⤵
      PID:4196
    • C:\Windows\System32\oobe\UserOOBEBroker.exe
      C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
      1⤵
      • Drops file in Windows directory
      PID:4424
    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
      C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
      1⤵
      • System Location Discovery: System Language Discovery
      PID:1576
    • C:\Windows\system32\BackgroundTransferHost.exe
      "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
      1⤵
      • Modifies registry class
      PID:5032
    • C:\Windows\system32\control.exe
      "C:\Windows\system32\control.exe" netconnections
      1⤵
      • Modifies registry class
      PID:1272
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2496
      • C:\Windows\System32\rundll32.exe
        "C:\Windows\System32\rundll32.exe" devmgr.dll,DeviceProperties_RunDLL /DeviceId "PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18"
        2⤵
          PID:4924
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
        1⤵
        • Modifies data under HKEY_USERS
        PID:1652

      Network

      • 2.18.66.67:443  www.bing.com  tls  5.6kB / 87.4kB  82 / 77
      • 20.189.173.9:443  browser.pipe.aria.microsoft.com  tls  3.2kB / 7.6kB  20 / 14
      • 95.101.143.193:443  r.bing.com  tls  1.1kB / 5.2kB  15 / 13
      • 95.101.143.193:443  r.bing.com  tls  74.4kB / 1.9MB  1422 / 1385
      • 95.101.143.193:443  r.bing.com  tls  1.1kB / 5.2kB  15 / 13
      • 95.101.143.193:443  r.bing.com  tls  1.1kB / 5.2kB  15 / 13
      • 95.101.143.193:443  r.bing.com  tls  1.1kB / 5.2kB  15 / 13
      • 95.101.143.193:443  r.bing.com  tls  1.1kB / 5.2kB  15 / 13
      • 95.101.143.202:443  www.bing.com  tls  (BackgroundTransferHost.exe)  21.1kB / 593.0kB  438 / 434
      • 95.101.143.202:443  www.bing.com  tls  2.9kB / 7.4kB  23 / 16
      • 23.62.195.195:443  cxcs.microsoft.net  tls  1.8kB / 8.0kB  25 / 21

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\0c0f3547-3700-4061-a8ab-378fc715816c.down_data
        Filesize: 555KB
        MD5: 5683c0028832cae4ef93ca39c8ac5029
        SHA1: 248755e4e1db552e0b6f8651b04ca6d1b31a86fb
        SHA256: 855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
        SHA512: aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

      • memory/3096-4-0x00007FF81AED0000-0x00007FF81AEE0000-memory.dmp (Filesize: 64KB)
      • memory/3096-11-0x00007FF85AE40000-0x00007FF85B049000-memory.dmp (Filesize: 2.0MB)
      • memory/3096-3-0x00007FF85AE40000-0x00007FF85B049000-memory.dmp (Filesize: 2.0MB)
      • memory/3096-0-0x00007FF85AEE3000-0x00007FF85AEE4000-memory.dmp (Filesize: 4KB)
      • memory/3096-7-0x00007FF81AED0000-0x00007FF81AEE0000-memory.dmp (Filesize: 64KB)
      • memory/3096-6-0x00007FF81AED0000-0x00007FF81AEE0000-memory.dmp (Filesize: 64KB)
      • memory/3096-10-0x00007FF85AE40000-0x00007FF85B049000-memory.dmp (Filesize: 2.0MB)
      • memory/3096-9-0x00007FF85AE40000-0x00007FF85B049000-memory.dmp (Filesize: 2.0MB)
      • memory/3096-2-0x00007FF85AE40000-0x00007FF85B049000-memory.dmp (Filesize: 2.0MB)
      • memory/3096-8-0x00007FF85AE40000-0x00007FF85B049000-memory.dmp (Filesize: 2.0MB)
      • memory/3096-5-0x00007FF81AED0000-0x00007FF81AEE0000-memory.dmp (Filesize: 64KB)
      • memory/3096-12-0x00007FF85AE40000-0x00007FF85B049000-memory.dmp (Filesize: 2.0MB)
      • memory/3096-13-0x00007FF85AE40000-0x00007FF85B049000-memory.dmp (Filesize: 2.0MB)
      • memory/3096-17-0x00007FF81AED0000-0x00007FF81AEE0000-memory.dmp (Filesize: 64KB)
      • memory/3096-15-0x00007FF81AED0000-0x00007FF81AEE0000-memory.dmp (Filesize: 64KB)
      • memory/3096-14-0x00007FF81AED0000-0x00007FF81AEE0000-memory.dmp (Filesize: 64KB)
      • memory/3096-16-0x00007FF81AED0000-0x00007FF81AEE0000-memory.dmp (Filesize: 64KB)
      • memory/3096-18-0x00007FF85AE40000-0x00007FF85B049000-memory.dmp (Filesize: 2.0MB)
      • memory/3096-1-0x00007FF81AED0000-0x00007FF81AEE0000-memory.dmp (Filesize: 64KB)
