Analysis

  • max time kernel
    150s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/10/2022, 12:41 UTC

General

  • Target

    7f8214a5ab0d111f313f594fe57f41f330a8883e69d1f596b4089e2f3937e683.exe

  • Size

    823KB

  • MD5

    937a1b4613a2109448103c318cb7ab10

  • SHA1

    1ac5bc876ec8026d57ce67fde624fab848f7b8d1

  • SHA256

    7f8214a5ab0d111f313f594fe57f41f330a8883e69d1f596b4089e2f3937e683

  • SHA512

    28db39b653ab91429546198a838cf4dd361f85a71a435aa825d49fab74273886b5225388d92b884ac7b6ae50eaf467b644caf76ad753e5fe114187fb6b89e2ba

  • SSDEEP

    24576:QZJ+3Rbxv7mctSdkeXofT/+brY2Qwz+Rq7ISoZ:Go5xv7mcseeXr0IsS+

Score
9/10

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

    Reads ACPI table entries from the registry; VirtualBox leaves identifiable table names there, so a hit tells the sample it is running in a VM.

  • Executes dropped EXE 2 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read to detect sandboxing environments: hypervisors leave recognisable vendor strings in the BIOS version and manufacturer fields.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely a geofence.

  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications and is sometimes used as a sandboxing environment.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Common in ransomware, but on its own a weak indicator; no file encryption is reported for this run.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

  Note that the four anti-analysis checks (VirtualBox ACPI, BIOS strings, location, Wine) fire in both the submitted sample (PID 4936) and its dropped copy vifuv.exe (PID 1616), see Processes below.
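The four registry-based checks above are what a sandbox operator has to defeat for this sample to run past its evasion logic. As an added example (this is neither the sample's code nor tria.ge's signature logic), the script below evaluates those checks against a registry snapshot and reports which signatures would fire on that host. The registry paths are an assumption: the report does not show its IoC details, so these are the locations such checks commonly read. The two snapshots at the bottom are constructed, one for a stock VirtualBox guest and one for a hardened image; on Windows the script reads the live registry instead.

```python
"""Which of the report's registry-based anti-analysis checks would fire on a
given host. Added example: not the sample's code and not tria.ge's signature
logic. Key paths are assumptions (the report omits its IoC details)."""
import sys

# Substrings that give a hypervisor away in BIOS / manufacturer strings.
VM_MARKERS = ("vbox", "virtualbox", "innotek", "vmware", "qemu", "bochs", "xen", "parallels")

# signature name -> (mode, probes). A probe is (r"HIVE\key", value name);
# mode "key_exists" ignores the value name and only asks whether the key exists.
CHECKS = {
    "Identifies VirtualBox via ACPI registry values": ("key_exists", [
        (r"HKLM\HARDWARE\ACPI\DSDT\VBOX__", None),
        (r"HKLM\HARDWARE\ACPI\FADT\VBOX__", None),
        (r"HKLM\HARDWARE\ACPI\RSDT\VBOX__", None),
    ]),
    "Checks BIOS information in registry": ("vm_marker", [
        (r"HKLM\HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
        (r"HKLM\HARDWARE\DESCRIPTION\System", "VideoBiosVersion"),
        (r"HKLM\HARDWARE\DESCRIPTION\System\BIOS", "SystemManufacturer"),
        (r"HKLM\HARDWARE\DESCRIPTION\System\BIOS", "SystemProductName"),
    ]),
    "Identifies Wine through registry keys": ("key_exists", [
        (r"HKCU\Software\Wine", None),
        (r"HKLM\Software\Wine", None),
    ]),
    # Geofence input: always present on a real host, reported so the operator sees the value.
    "Checks computer location settings": ("report_value", [
        (r"HKCU\Control Panel\International\Geo", "Nation"),
    ]),
}


def _as_text(value):
    # REG_MULTI_SZ comes back as a list, REG_SZ as str; flatten for substring matching.
    if isinstance(value, (list, tuple)):
        return " ".join(str(v) for v in value)
    return str(value)


def evaluate(snapshot):
    """snapshot: {r'HIVE\\key': {value_name: value, ...}}. A key missing from the
    dict is treated as absent from the registry. Returns {signature: [reasons]}
    for every signature that would fire on this host."""
    findings = {}
    for signature, (mode, probes) in CHECKS.items():
        hits = []
        for key, value_name in probes:
            values = snapshot.get(key)
            if values is None:
                continue  # key absent: this probe stays silent
            if mode == "key_exists":
                hits.append("key present: " + key)
                continue
            if value_name not in values:
                continue
            text = _as_text(values[value_name])
            if mode == "report_value":
                hits.append(f"{value_name}={text}")
            elif any(marker in text.lower() for marker in VM_MARKERS):
                hits.append(f"{key}\\{value_name} = {text!r}")
        if hits:
            findings[signature] = hits
    return findings


def read_live_registry():
    """Windows only: collect the probed keys and values into a snapshot."""
    import winreg  # stdlib, Windows only
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snapshot = {}
    for _mode, probes in CHECKS.values():
        for key, value_name in probes:
            hive, _, path = key.partition("\\")
            try:
                with winreg.OpenKey(hives[hive], path) as handle:
                    snapshot.setdefault(key, {})
                    if value_name is not None:
                        snapshot[key][value_name] = winreg.QueryValueEx(handle, value_name)[0]
            except OSError:
                pass  # key or value does not exist
    return snapshot


# Constructed snapshot of a stock VirtualBox guest (not taken from the report).
VBOX_GUEST = {
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__": {},
    r"HKLM\HARDWARE\DESCRIPTION\System": {
        "SystemBiosVersion": ["VBOX   - 1"],
        "VideoBiosVersion": ["Oracle VM VirtualBox Version 6.1.36 VBE BIOS"],
    },
    r"HKLM\HARDWARE\DESCRIPTION\System\BIOS": {
        "SystemManufacturer": "innotek GmbH",
        "SystemProductName": "VirtualBox",
    },
    r"HKCU\Control Panel\International\Geo": {"Nation": "244"},
}

# Constructed snapshot of a hardened image: VM identifiers rewritten to look like OEM hardware.
HARDENED = {
    r"HKLM\HARDWARE\DESCRIPTION\System": {
        "SystemBiosVersion": ["DELL   - 1072009"],
        "VideoBiosVersion": ["Intel Video BIOS"],
    },
    r"HKLM\HARDWARE\DESCRIPTION\System\BIOS": {
        "SystemManufacturer": "Dell Inc.",
        "SystemProductName": "OptiPlex 7090",
    },
    r"HKCU\Control Panel\International\Geo": {"Nation": "244"},
}

if __name__ == "__main__":
    snap = read_live_registry() if sys.platform == "win32" else VBOX_GUEST
    for sig, reasons in evaluate(snap).items():
        print(sig)
        for reason in reasons:
            print("   ", reason)
```

Against the VirtualBox snapshot the ACPI and BIOS signatures both fire (four BIOS strings match); against the hardened snapshot only the location lookup is reported, which is the state you want a detonation image in before re-running this sample. The Nation value (244 is the GeoID for the United States) is what the geofence check would compare against.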

Processes

  • C:\Users\Admin\AppData\Local\Temp\7f8214a5ab0d111f313f594fe57f41f330a8883e69d1f596b4089e2f3937e683.exe
    "C:\Users\Admin\AppData\Local\Temp\7f8214a5ab0d111f313f594fe57f41f330a8883e69d1f596b4089e2f3937e683.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of WriteProcessMemory
    PID:4936
    • C:\Users\Admin\AppData\Local\Temp\vifuv.exe
      "C:\Users\Admin\AppData\Local\Temp\vifuv.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks computer location settings
      • Identifies Wine through registry keys
      • Suspicious use of WriteProcessMemory
      PID:1616
      • C:\Users\Admin\AppData\Local\Temp\ofheu.exe
        "C:\Users\Admin\AppData\Local\Temp\ofheu.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2880
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
      2⤵
        PID:3908

    Network

    DNS (resolver 8.8.8.8:53, US). All three queries are reverse (PTR) lookups; each got a reply but no answer records are listed, and none is attributed to a sample process:

    • 164.2.77.40.in-addr.arpa  IN PTR  (lookup of 40.77.2.164)
    • 14.110.152.52.in-addr.arpa  IN PTR  (lookup of 52.152.110.14)
    • 0.e.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa  IN PTR  (lookup of 2603:1030:c04:3::e0)

    Connections. "Sent" and "Received" are bytes / packets in that direction; a dash means nothing was recorded in that direction:

    Remote address       Process     Sent         Received     Note
    121.88.5.183:11110   vifuv.exe   260 B / 5    -
    121.88.5.184:11170   vifuv.exe   260 B / 5    -
    104.80.225.205:443   -           322 B / 7    -
    52.182.143.208:443   -           322 B / 7    -
    121.88.5.181:11110   vifuv.exe   260 B / 5    -
    8.248.5.254:80       -           322 B / 7    -
    8.248.5.254:80       -           322 B / 7    -
    8.248.5.254:80       -           322 B / 7    -
    8.248.5.254:80       -           260 B / 5    -
    8.248.5.254:80       -           260 B / 5    -
    8.8.8.8:53           -           70 B / 1     144 B / 1    dns, 164.2.77.40.in-addr.arpa
    8.8.8.8:53           -           72 B / 1     146 B / 1    dns, 14.110.152.52.in-addr.arpa
    8.8.8.8:53           -           118 B / 1    204 B / 1    dns, 0.e.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa

    The only traffic the report attributes to a sample process is from vifuv.exe (PID 1616) to 121.88.5.181, 121.88.5.183 and 121.88.5.184 on ports 11110 and 11170: 260 B in 5 packets each with nothing received, which is consistent with unanswered connection attempts (retransmitted SYNs) rather than an established session. Those three host:port pairs are the network indicators to take from this run. The port 80/443 flows and the PTR lookups are not attributed to any sample process.
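A reverse-DNS name encodes the address being looked up with its IPv4 octets, or its 32 IPv6 hex nibbles, in reverse order under in-addr.arpa or ip6.arpa. As an added example that is not part of the report, the decoder below recovers the three addresses from the PTR names above and checks each decode by regenerating the PTR name with Python's ipaddress module; the query names are the ones listed in the Network section, everything else is the example's own.

```python
"""Decode reverse-DNS (PTR) query names back to the addresses they refer to.
Added example; not part of the tria.ge report."""
import ipaddress

# The PTR names exactly as listed in the report's DNS section.
REPORT_PTR_QUERIES = [
    "164.2.77.40.in-addr.arpa",
    "14.110.152.52.in-addr.arpa",
    "0.e.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa",
]


def ptr_to_address(name):
    """in-addr.arpa: four octets in reverse order. ip6.arpa: 32 single hex
    digits in reverse order. Returns an IPv4Address or IPv6Address."""
    labels = name.rstrip(".").lower().split(".")
    suffix, body = labels[-2:], labels[:-2]
    if suffix == ["in-addr", "arpa"]:
        if len(body) != 4:
            raise ValueError(f"expected 4 octets in {name!r}")
        return ipaddress.IPv4Address(".".join(reversed(body)))
    if suffix == ["ip6", "arpa"]:
        if len(body) != 32 or any(len(n) != 1 for n in body):
            raise ValueError(f"expected 32 single-hex-digit labels in {name!r}")
        hexdigits = "".join(reversed(body))
        groups = (hexdigits[i:i + 4] for i in range(0, 32, 4))
        return ipaddress.IPv6Address(":".join(groups))
    raise ValueError(f"not a reverse-DNS name: {name!r}")


def decode_ptr_queries(names):
    """Return (query name, decoded address as text, is_global) per name. The
    decode is verified by regenerating the PTR name via ipaddress.reverse_pointer."""
    rows = []
    for name in names:
        addr = ptr_to_address(name)
        if addr.reverse_pointer != name.rstrip(".").lower():
            raise AssertionError(f"round-trip mismatch for {name!r}")
        rows.append((name, str(addr), addr.is_global))
    return rows


if __name__ == "__main__":
    for name, addr, is_global in decode_ptr_queries(REPORT_PTR_QUERIES):
        print(f"{addr:24} {'global' if is_global else 'non-global'}  <- {name}")
```

The three names decode to 40.77.2.164, 52.152.110.14 and 2603:1030:c04:3::e0, all globally routable; the is_global flag is there so that lookups of sandbox-internal addresses can be filtered out when the same decoder is run over a longer capture.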

    MITRE ATT&CK Enterprise v6


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

      Filesize

      340B (batch script run via cmd.exe /c from the submitted sample, PID 4936, see Processes; its contents are not included in the report)

      MD5

      fbf7eff8943376401b4cb00e1ee483e2

      SHA1

      6185e4e93ed5fee5250131ad5b05cea909a7cd0a

      SHA256

      d724df52b33fc1270bd939cfbd8f2c593b0261ae0a57ce77577265eb1fd8cccd

      SHA512

      d706cc5a7d4bfd6c40b7c2486f15e7b3f5b675ecdbe62e4322e1c0ba413f6b372fcd430c98588551e50e2156bc5e3e29bc472507b78299dea504e6514fc606ac

    • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

      Filesize

      512B

      MD5

      0f5888b0051747de120c37b15c825b7d

      SHA1

      368471a70a25749e9db7401fb34a6b0230a2cf6a

      SHA256

      acd846557da75a2b35fb2c1a1964e73aafd10e53078dd4bd8e3dd7ebf4d83921

      SHA512

      bbf2805977f6892d32ee4d7d223e8a098df6c481847bba0e98378d96f22f82b6a650eb4300cf85240c5b9d14e2c13a222e4246d11f7acf188e6ac8fc152f7eee

    • C:\Users\Admin\AppData\Local\Temp\ofheu.exe

      Filesize

      205KB

      MD5

      a2f94d052f11bb9734c6f9ce04048810

      SHA1

      56879061ed7302cf4e8e434413172901d5fd7a05

      SHA256

      0c42f80b374679c15a1d4493be7eaab60fbd9d12fab768bf5f0ec9272fe13489

      SHA512

      06edc75c8877d28cc5dfd63e14d31c1ea23f895b92a98868199cf609fac52f68fc4f6f47015a2664a3a7418129ca080290c452484925880cb5b3f951940c64a4

    • C:\Users\Admin\AppData\Local\Temp\vifuv.exe

      Filesize

      823KB (same size as the submitted sample, but every hash differs, so it is not a byte-identical copy of it)

      MD5

      34d87029e58053db8e867277754bfb4d

      SHA1

      6cb518ba54f31d9db41c9a696be56574a046adfb

      SHA256

      ebfffb16ca75a22f58126ccf8d849abeb6bfaad1ec2c0ab553999104cfe3d147

      SHA512

      cbe6f0c2fe61f7fcd213858e264e88068f505048f837d5ca1a9dbdf291adbcc0ea938c89473cac8e3bc2ba3c08b1d89365315643f27774af8b38c9248d902cb6

    • memory/1616-144-0x0000000000400000-0x000000000058F000-memory.dmp

      Filesize

      1.6MB

    • memory/1616-139-0x0000000000400000-0x000000000058F000-memory.dmp

      Filesize

      1.6MB

    • memory/1616-141-0x0000000000400000-0x000000000058F000-memory.dmp

      Filesize

      1.6MB

    • memory/1616-143-0x0000000000400000-0x000000000058F000-memory.dmp

      Filesize

      1.6MB

    • memory/1616-148-0x0000000000400000-0x000000000058F000-memory.dmp

      Filesize

      1.6MB

    • memory/2880-149-0x00000000008E0000-0x00000000009AC000-memory.dmp

      Filesize

      816KB

    • memory/2880-150-0x00000000008E0000-0x00000000009AC000-memory.dmp

      Filesize

      816KB

    • memory/4936-132-0x0000000000400000-0x000000000058F000-memory.dmp

      Filesize

      1.6MB

    • memory/4936-138-0x0000000000400000-0x000000000058F000-memory.dmp

      Filesize

      1.6MB

    • memory/4936-133-0x0000000000400000-0x000000000058F000-memory.dmp

      Filesize

      1.6MB
