Resubmissions

27/12/2024, 19:21

241227-x258csykgr 10

27/12/2024, 19:21

241227-x2vrmaykgm 10

Analysis

  • max time kernel
    60s
  • max time network
    35s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/12/2024, 19:21

General

  • Target

    8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe

  • Size

    4.0MB

  • MD5

    b8f4d3e558f7069b5020f7024e6480b3

  • SHA1

    49da493a24e179fac1c0217577966c9af42954b7

  • SHA256

    8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d

  • SHA512

    21e88209d4059a3135e81d7b403806f26266548522b06123192f4df15cb72d1896d3801cd35581d2b9e92d76df61e606fca2f46a0a4fd30afc8f869f0b63223d

  • SSDEEP

    98304:RF8QUitE4iLqaPWGnEv+OKQr8MAvFrpHv/kAZIlnHyA:RFQWEPnPBnEmOKIbGpPMAZcyA

Malware Config

Signatures

  • Banload

    Banload variants download malicious files, then install and execute the files.

  • Banload family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Renames multiple (218) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe
    "C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe"
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:3084

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-493223053-2004649691-1575712786-1000\desktop.ini.tmp

    Filesize

    4.1MB

    MD5

    84803270ca56e99182f8fea579d6cccd

    SHA1

    9055ba3565ba149561bed7d1b2c8b657aaf2d7b1

    SHA256

    cdeb4926689417cfffec8bb53368ee148aef1b153b8d0e106b1e25a50eb31099

    SHA512

    9eb48842c84e701b0bf8c9593ba173586f5d3fc69636f8d2776255c1967657cd47de8242945d5a5693dd7a4823bc26ebb203bd06d85c3f99b2288fb178a30f52

  • C:\Program Files\7-Zip\7-zip.dll.tmp

    Filesize

    4.2MB

    MD5

    79aea3bab1f364eb73cd5820da7dd5ce

    SHA1

    92373ec933d840cdac66262cf32c9a34f5d769d8

    SHA256

    8d270edf7a2da39c818909a86c1ab5ecaddadbca498bc533dea9aa057bdf53b7

    SHA512

    a4799afea2085b2441301f950dd89ade8b90b18cdf35dbccb13be45260970b012459f62122a92452f93b1b38b27315ecec5f0c177723c1d07bd030e0d688a76b

  • memory/3084-0-0x0000000000400000-0x0000000000616000-memory.dmp

    Filesize

    2.1MB

  • memory/3084-2-0x0000000004380000-0x000000000458C000-memory.dmp

    Filesize

    2.0MB

  • memory/3084-9-0x0000000004380000-0x000000000458C000-memory.dmp

    Filesize

    2.0MB

  • memory/3084-13-0x0000000000400000-0x0000000000616000-memory.dmp

    Filesize

    2.1MB

  • memory/3084-12-0x0000000000400000-0x0000000000616000-memory.dmp

    Filesize

    2.1MB

  • memory/3084-14-0x0000000004380000-0x000000000458C000-memory.dmp

    Filesize

    2.0MB

  • memory/3084-38-0x0000000004380000-0x000000000458C000-memory.dmp

    Filesize

    2.0MB

  • memory/3084-102-0x0000000000400000-0x0000000000616000-memory.dmp

    Filesize

    2.1MB

  • memory/3084-116-0x0000000004380000-0x000000000458C000-memory.dmp

    Filesize

    2.0MB