Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
91s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
05/10/2022, 16:56
General
-
Target
417683362aab331919fc633202a212615676054efa3df99cb1e311fd74ebb088.exe
-
Size
1.8MB
-
MD5
a126e4db90dcbe6f9210aaf10c920570
-
SHA1
f5bf17b1eab4c7724d439d9e4a8488ce4d01e65a
-
SHA256
417683362aab331919fc633202a212615676054efa3df99cb1e311fd74ebb088
-
SHA512
44d425d906a01e148e8bfabc9065664670a8f899170130e990d67ae698cae57a85a3f1b803991112811ed493c8241c3d0852bdd79533798fe5e45607a87a7f1a
-
SSDEEP
49152:AiSzCD+K95aLs7zeqLTVtXtHFIDP8EehiM8qZA:AiSzCD+K95aUeqFtXtHwEEehig
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\417683362aab331919fc633202a212615676054efa3df99cb1e311fd74ebb088.exe"C:\Users\Admin\AppData\Local\Temp\417683362aab331919fc633202a212615676054efa3df99cb1e311fd74ebb088.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exeC:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"2⤵
- Creates scheduled task(s)
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.8MB
MD5a126e4db90dcbe6f9210aaf10c920570
SHA1f5bf17b1eab4c7724d439d9e4a8488ce4d01e65a
SHA256417683362aab331919fc633202a212615676054efa3df99cb1e311fd74ebb088
SHA51244d425d906a01e148e8bfabc9065664670a8f899170130e990d67ae698cae57a85a3f1b803991112811ed493c8241c3d0852bdd79533798fe5e45607a87a7f1a
-
Filesize
1.8MB
MD5a126e4db90dcbe6f9210aaf10c920570
SHA1f5bf17b1eab4c7724d439d9e4a8488ce4d01e65a
SHA256417683362aab331919fc633202a212615676054efa3df99cb1e311fd74ebb088
SHA51244d425d906a01e148e8bfabc9065664670a8f899170130e990d67ae698cae57a85a3f1b803991112811ed493c8241c3d0852bdd79533798fe5e45607a87a7f1a
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
1.6MB
-
Filesize
272KB
-
Filesize
3.1MB
-
Filesize
8KB
-
Filesize
1.6MB
-
Filesize
272KB
-
Filesize
3.1MB
-
Filesize
1.6MB
-
Filesize
272KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
8KB
-
Filesize
272KB
-
Filesize
3.1MB
-
Filesize
8KB