Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
91s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
06/10/2022, 01:58
General
-
Target
1de329957decf1447b33e2d744c36f88fa3a96598c6bf91a711be220cbcfc7a8.exe
-
Size
1.8MB
-
MD5
45f99b16f79514e3b4484f0e3f07ba68
-
SHA1
5c195d967f173194c8e323ce9c1e0f2e05ba120b
-
SHA256
1de329957decf1447b33e2d744c36f88fa3a96598c6bf91a711be220cbcfc7a8
-
SHA512
05a7117bf8d5fb08decb27c37d0014bc678e4979a866bf1f2c06780b4f6ec667e08a7b98151f204bc9545f4183251757a7c6fc6b6f01ad81f890ea8a162d4d69
-
SSDEEP
49152:AiSzCD+K95aLs7zeqLTVtXtHFIDP8EehiM8qZA:AiSzCD+K95aUeqFtXtHwEEehig
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1de329957decf1447b33e2d744c36f88fa3a96598c6bf91a711be220cbcfc7a8.exe"C:\Users\Admin\AppData\Local\Temp\1de329957decf1447b33e2d744c36f88fa3a96598c6bf91a711be220cbcfc7a8.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exeC:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"2⤵
- Creates scheduled task(s)
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.8MB
MD545f99b16f79514e3b4484f0e3f07ba68
SHA15c195d967f173194c8e323ce9c1e0f2e05ba120b
SHA2561de329957decf1447b33e2d744c36f88fa3a96598c6bf91a711be220cbcfc7a8
SHA51205a7117bf8d5fb08decb27c37d0014bc678e4979a866bf1f2c06780b4f6ec667e08a7b98151f204bc9545f4183251757a7c6fc6b6f01ad81f890ea8a162d4d69
-
Filesize
1.8MB
MD545f99b16f79514e3b4484f0e3f07ba68
SHA15c195d967f173194c8e323ce9c1e0f2e05ba120b
SHA2561de329957decf1447b33e2d744c36f88fa3a96598c6bf91a711be220cbcfc7a8
SHA51205a7117bf8d5fb08decb27c37d0014bc678e4979a866bf1f2c06780b4f6ec667e08a7b98151f204bc9545f4183251757a7c6fc6b6f01ad81f890ea8a162d4d69
-
Filesize
3.1MB
-
Filesize
272KB
-
Filesize
3.1MB
-
Filesize
1.6MB
-
Filesize
3.1MB
-
Filesize
272KB
-
Filesize
8KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
8KB
-
Filesize
1.6MB
-
Filesize
272KB
-
Filesize
3.1MB
-
Filesize
1.6MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
8KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
272KB