Analysis
- max time kernel: 164s
- max time network: 290s
- platform: windows10-1703_x64
- resource: win10-20220901-en
- resource tags: arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 05/10/2022, 03:49
Behavioral task: behavioral1
- Sample: bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe
- Resource: win7-20220812-en
General
- Target: bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe
- Size: 8.2MB
- MD5: 23150d8faa66ce23299e2c032b8fd62f
- SHA1: 26c7c604d01f784931a3a95f1efeb56bfe1aec69
- SHA256: bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b
- SHA512: 17ae25cce526a5eb11202cc779f5d62fc45b14a4d547e2eb88694dc21c83fdb853731adfd7cb47fb3499f140ddedf61175415504a0c93cb2ed3b3f25e989f5e7
- SSDEEP: 196608:JzxikPsLoM1ZPdUYcoV1alsmMzU5tReoS+P6n:JzIkP7M1ZP64alnB5t5SF
Malware Config
Extracted: systembc
- 89.22.225.242:4193
- 195.2.93.22:4193
Signatures

- Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 2 IoCs]
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | migeyih quipaha xajiced banokora ririb bevirov kimatis.exe

- Executes dropped EXE [1 IoCs]
  pid | Process
  4272 | migeyih quipaha xajiced banokora ririb bevirov kimatis.exe

- Checks BIOS information in registry [2 TTPs, 4 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | migeyih quipaha xajiced banokora ririb bevirov kimatis.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | migeyih quipaha xajiced banokora ririb bevirov kimatis.exe

- YARA rule matches: themida [8 IoCs]
  resource | yara_rule
  behavioral2/memory/2840-128-0x00000000009B0000-0x00000000011F1000-memory.dmp | themida
  behavioral2/memory/2840-151-0x00000000009B0000-0x00000000011F1000-memory.dmp | themida
  behavioral2/memory/2840-152-0x00000000009B0000-0x00000000011F1000-memory.dmp | themida
  behavioral2/files/0x000b00000001abb9-206.dat | themida
  behavioral2/memory/4272-217-0x00000000009E0000-0x0000000001221000-memory.dmp | themida
  behavioral2/memory/2840-224-0x00000000009B0000-0x00000000011F1000-memory.dmp | themida
  behavioral2/memory/4272-265-0x00000000009E0000-0x0000000001221000-memory.dmp | themida
  behavioral2/memory/4272-304-0x00000000009E0000-0x0000000001221000-memory.dmp | themida

- Checks whether UAC is enabled [2 IoCs]
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | migeyih quipaha xajiced banokora ririb bevirov kimatis.exe

- Suspicious use of SetThreadContext [1 IoCs]
  description | pid | Process | procid_target
  PID 4272 set thread context of 4600 | 4272 | migeyih quipaha xajiced banokora ririb bevirov kimatis.exe | 73

- Enumerates physical storage devices [1 TTPs]
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Creates scheduled task(s) [1 TTPs, 1 IoCs]
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  4908 | schtasks.exe

- Runs ping.exe [1 TTPs, 1 IoCs]
  pid | Process
  2276 | PING.EXE

- Suspicious behavior: EnumeratesProcesses [20 IoCs]
  pid | Process
  2840 | bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe
  2840 | bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe
  2840 | bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe
  2840 | bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe
  2840 | bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe
  2840 | bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe
  2840 | bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe
  2840 | bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe
  2840 | bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe
  2840 | bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe
  4272 | migeyih quipaha xajiced banokora ririb bevirov kimatis.exe
  4272 | migeyih quipaha xajiced banokora ririb bevirov kimatis.exe
  4272 | migeyih quipaha xajiced banokora ririb bevirov kimatis.exe
  4272 | migeyih quipaha xajiced banokora ririb bevirov kimatis.exe
  4272 | migeyih quipaha xajiced banokora ririb bevirov kimatis.exe
  4272 | migeyih quipaha xajiced banokora ririb bevirov kimatis.exe
  4272 | migeyih quipaha xajiced banokora ririb bevirov kimatis.exe
  4272 | migeyih quipaha xajiced banokora ririb bevirov kimatis.exe
  4272 | migeyih quipaha xajiced banokora ririb bevirov kimatis.exe
  4272 | migeyih quipaha xajiced banokora ririb bevirov kimatis.exe

- Suspicious use of WriteProcessMemory [20 IoCs]
  description | pid | Process | procid_target
  PID 2840 wrote to memory of 4908 | 2840 | bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe | 66
  PID 2840 wrote to memory of 4908 | 2840 | bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe | 66
  PID 2840 wrote to memory of 4908 | 2840 | bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe | 66
  PID 2840 wrote to memory of 4272 | 2840 | bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe | 68
  PID 2840 wrote to memory of 4272 | 2840 | bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe | 68
  PID 2840 wrote to memory of 4272 | 2840 | bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe | 68
  PID 2840 wrote to memory of 704 | 2840 | bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe | 69
  PID 2840 wrote to memory of 704 | 2840 | bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe | 69
  PID 2840 wrote to memory of 704 | 2840 | bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe | 69
  PID 704 wrote to memory of 4008 | 704 | cmd.exe | 71
  PID 704 wrote to memory of 4008 | 704 | cmd.exe | 71
  PID 704 wrote to memory of 4008 | 704 | cmd.exe | 71
  PID 704 wrote to memory of 2276 | 704 | cmd.exe | 72
  PID 704 wrote to memory of 2276 | 704 | cmd.exe | 72
  PID 704 wrote to memory of 2276 | 704 | cmd.exe | 72
  PID 4272 wrote to memory of 4600 | 4272 | migeyih quipaha xajiced banokora ririb bevirov kimatis.exe | 73
  PID 4272 wrote to memory of 4600 | 4272 | migeyih quipaha xajiced banokora ririb bevirov kimatis.exe | 73
  PID 4272 wrote to memory of 4600 | 4272 | migeyih quipaha xajiced banokora ririb bevirov kimatis.exe | 73
  PID 4272 wrote to memory of 4600 | 4272 | migeyih quipaha xajiced banokora ririb bevirov kimatis.exe | 73
  PID 4272 wrote to memory of 4600 | 4272 | migeyih quipaha xajiced banokora ririb bevirov kimatis.exe | 73
Processes

- C:\Users\Admin\AppData\Local\Temp\bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe (PID 2840)
  command line: "C:\Users\Admin\AppData\Local\Temp\bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe"
  signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\schtasks.exe (PID 4908)
    command line: "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\Dage qui podeta xesaxapo copib pab tiqu fixolol pok xowa niweke\migeyih quipaha xajiced banokora ririb bevirov kimatis.exe"
    signatures:
    - Creates scheduled task(s)

  - C:\Users\Admin\Dage qui podeta xesaxapo copib pab tiqu fixolol pok xowa niweke\migeyih quipaha xajiced banokora ririb bevirov kimatis.exe (PID 4272)
    command line: "C:\Users\Admin\Dage qui podeta xesaxapo copib pab tiqu fixolol pok xowa niweke\migeyih quipaha xajiced banokora ririb bevirov kimatis.exe"
    signatures:
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (PID 4600)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

  - C:\Windows\SysWOW64\cmd.exe (PID 704)
    command line: "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe"
    signatures:
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\chcp.com (PID 4008)
      command line: chcp 65001

    - C:\Windows\SysWOW64\PING.EXE (PID 2276)
      command line: ping 127.0.0.1
      signatures:
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\Dage qui podeta xesaxapo copib pab tiqu fixolol pok xowa niweke\migeyih quipaha xajiced banokora ririb bevirov kimatis.exe
  Filesize: 816.2MB
  MD5: 6091e0da6afd76a1f90594023f4226aa
  SHA1: 5050f60d446eaf23177e3996cbae40914268acf5
  SHA256: 87e9a03aa00a3f36610eb8a49c09b0d33029542a69405e04382a0d25bea1637b
  SHA512: 937dc14bc21e9408bd2b9d4fa65ab5e0922defa5bc88747eb4e8d79b9eabc80bb2ffb7df059ae75672bbcadd33d2dd663b7bf3d1796051f94869351042ed4372