Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
134s -
max time network
145s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
15/12/2021, 07:49
Static task
static1
Behavioral task
behavioral1
Sample
tmp/xp.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
tmp/xp.exe
Resource
win10-en-20211208
General
-
Target
tmp/xp.exe
-
Size
1.3MB
-
MD5
80526cfb4316313ed339ca64368f5fae
-
SHA1
96507bec2754a51dca329bb73e2b2c56ce73e269
-
SHA256
9aa1748979696921b27868393bbb69add33c1dbc89624ea3085119aaf76cc2e7
-
SHA512
38155a4b8713e78c737108a1c6ff119b06832121d789bec0ced3f7fa140c07d6478c320a4f5fa97834a1ec67b7bb1d7ec8c890fd0934b7bc5c5fbc3f27e037d3
Malware Config
Signatures
-
Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
-
Chinese Botnet Payload 1 IoCs
resource yara_rule behavioral2/memory/3840-116-0x0000000000400000-0x00000000007BD000-memory.dmp unk_chinese_botnet -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion xp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion xp.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Wine xp.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\Jthrllf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp\\xp.exe" xp.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 3840 xp.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3840 xp.exe 3840 xp.exe 3840 xp.exe 3840 xp.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp\xp.exe"C:\Users\Admin\AppData\Local\Temp\tmp\xp.exe"1⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3840