Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
13/09/2022, 08:07
General
-
Target
ab5d945f0df0849eb41dbde76e3bc7e87f7fed10b0a5bbfa39f6973e6340a79d.exe
-
Size
1.8MB
-
MD5
16c48b6dc49a4e8d275c549df911b520
-
SHA1
1a56cec1493a8e20c497d04d7e406a8fe8cab9f1
-
SHA256
ab5d945f0df0849eb41dbde76e3bc7e87f7fed10b0a5bbfa39f6973e6340a79d
-
SHA512
04c3c8a28725dbf747dd9ece995201cbc102b705e78edeecafb7d017c889de2d1f383f3bde1a8f8ccda72a2e19fcb13e8ddb50189ca50b2aec64337611ee3650
-
SSDEEP
49152:AiSzCD+K95aLs7zeqLTVtXtHFIDP8EehiM8qZA:AiSzCD+K95aUeqFtXtHwEEehig
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ab5d945f0df0849eb41dbde76e3bc7e87f7fed10b0a5bbfa39f6973e6340a79d.exe"C:\Users\Admin\AppData\Local\Temp\ab5d945f0df0849eb41dbde76e3bc7e87f7fed10b0a5bbfa39f6973e6340a79d.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exeC:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"2⤵
- Creates scheduled task(s)
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.8MB
MD516c48b6dc49a4e8d275c549df911b520
SHA11a56cec1493a8e20c497d04d7e406a8fe8cab9f1
SHA256ab5d945f0df0849eb41dbde76e3bc7e87f7fed10b0a5bbfa39f6973e6340a79d
SHA51204c3c8a28725dbf747dd9ece995201cbc102b705e78edeecafb7d017c889de2d1f383f3bde1a8f8ccda72a2e19fcb13e8ddb50189ca50b2aec64337611ee3650
-
Filesize
1.8MB
MD516c48b6dc49a4e8d275c549df911b520
SHA11a56cec1493a8e20c497d04d7e406a8fe8cab9f1
SHA256ab5d945f0df0849eb41dbde76e3bc7e87f7fed10b0a5bbfa39f6973e6340a79d
SHA51204c3c8a28725dbf747dd9ece995201cbc102b705e78edeecafb7d017c889de2d1f383f3bde1a8f8ccda72a2e19fcb13e8ddb50189ca50b2aec64337611ee3650
-
Filesize
3.1MB
-
Filesize
8KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
272KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
1.6MB
-
Filesize
272KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
272KB
-
Filesize
1.6MB
-
Filesize
272KB
-
Filesize
8KB
-
Filesize
8KB