Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
134s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
25/02/2025, 17:10
Static task
static1
Behavioral task
behavioral1
Sample
cfbc20edba3186d9cae93af638ed9335714d41970439a9ec057352cc7706f684.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
cfbc20edba3186d9cae93af638ed9335714d41970439a9ec057352cc7706f684.exe
Resource
win10v2004-20250217-en
General
-
Target
cfbc20edba3186d9cae93af638ed9335714d41970439a9ec057352cc7706f684.exe
-
Size
3.0MB
-
MD5
8953cef89d8a1a9d7e73038f66abe05c
-
SHA1
9de9231f117ed4d5bbc89765442c9328b9fe7963
-
SHA256
cfbc20edba3186d9cae93af638ed9335714d41970439a9ec057352cc7706f684
-
SHA512
fda49fa9e35d0f5fbebe05c8e609982ae8dc02eb331fbea1ec63ff84874331390cfcd104feb0f3d66382d905eddc7393ade29ec4156017b438c8270e667cdf20
-
SSDEEP
49152:qpbRm4GPK/Mj2XWsTUJWAgN29ATvoVDn99c1/0VXHv2wm4txzZ15tU:q1GS/vWQA7AjuDnu0VXHvDm0xltU
Malware Config
Signatures
-
Banload
Banload variants download malicious files, then install and execute the files.
-
Banload family
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion cfbc20edba3186d9cae93af638ed9335714d41970439a9ec057352cc7706f684.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate cfbc20edba3186d9cae93af638ed9335714d41970439a9ec057352cc7706f684.exe -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{541EFA71-DA7B-AD33-A254-144AF5C89BCC}\Containers cfbc20edba3186d9cae93af638ed9335714d41970439a9ec057352cc7706f684.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{541EFA71-DA7B-AD33-A254-144AF5C89BCC}\InProcServer32 cfbc20edba3186d9cae93af638ed9335714d41970439a9ec057352cc7706f684.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{541EFA71-DA7B-AD33-A254-144AF5C89BCC}\InProcServer32\ = "%SystemRoot%\\system32\\windowscodecs.dll" cfbc20edba3186d9cae93af638ed9335714d41970439a9ec057352cc7706f684.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{541EFA71-DA7B-AD33-A254-144AF5C89BCC}\InProcServer32\ThreadingModel = "Both" cfbc20edba3186d9cae93af638ed9335714d41970439a9ec057352cc7706f684.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{541EFA71-DA7B-AD33-A254-144AF5C89BCC} cfbc20edba3186d9cae93af638ed9335714d41970439a9ec057352cc7706f684.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: 33 2564 cfbc20edba3186d9cae93af638ed9335714d41970439a9ec057352cc7706f684.exe Token: SeIncBasePriorityPrivilege 2564 cfbc20edba3186d9cae93af638ed9335714d41970439a9ec057352cc7706f684.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\cfbc20edba3186d9cae93af638ed9335714d41970439a9ec057352cc7706f684.exe"C:\Users\Admin\AppData\Local\Temp\cfbc20edba3186d9cae93af638ed9335714d41970439a9ec057352cc7706f684.exe"1⤵
- Checks BIOS information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2564