Analysis

max time kernel:   150s
max time network:  115s
platform:          windows10-2004_x64
resource:          win10v2004-20220812-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted:         30/10/2022, 12:41 UTC
Static task
  static1

Behavioral task
  behavioral1
  Sample:    7f8214a5ab0d111f313f594fe57f41f330a8883e69d1f596b4089e2f3937e683.exe
  Resource:  win7-20220812-en

Behavioral task
  behavioral2
  Sample:    7f8214a5ab0d111f313f594fe57f41f330a8883e69d1f596b4089e2f3937e683.exe
  Resource:  win10v2004-20220812-en
General

Target:  7f8214a5ab0d111f313f594fe57f41f330a8883e69d1f596b4089e2f3937e683.exe
Size:    823KB
MD5:     937a1b4613a2109448103c318cb7ab10
SHA1:    1ac5bc876ec8026d57ce67fde624fab848f7b8d1
SHA256:  7f8214a5ab0d111f313f594fe57f41f330a8883e69d1f596b4089e2f3937e683
SHA512:  28db39b653ab91429546198a838cf4dd361f85a71a435aa825d49fab74273886b5225388d92b884ac7b6ae50eaf467b644caf76ad753e5fe114187fb6b89e2ba
SSDEEP:  24576:QZJ+3Rbxv7mctSdkeXofT/+brY2Qwz+Rq7ISoZ:Go5xv7mcseeXr0IsS+
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)  (2 TTPs, 2 IoCs)
  description  ioc                                          Process
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  7f8214a5ab0d111f313f594fe57f41f330a8883e69d1f596b4089e2f3937e683.exe
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  vifuv.exe

Executes dropped EXE  (2 IoCs)
  pid   Process
  1616  vifuv.exe
  2880  ofheu.exe

Checks BIOS information in registry  (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  description        ioc                                                             Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  7f8214a5ab0d111f313f594fe57f41f330a8883e69d1f596b4089e2f3937e683.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  vifuv.exe

Checks computer location settings  (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
  description        ioc                                                                                               Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  vifuv.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  7f8214a5ab0d111f313f594fe57f41f330a8883e69d1f596b4089e2f3937e683.exe

Identifies Wine through registry keys  (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description  ioc                                                                   Process
  Key opened   \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Wine  7f8214a5ab0d111f313f594fe57f41f330a8883e69d1f596b4089e2f3937e683.exe
  Key opened   \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Wine  vifuv.exe

Enumerates physical storage devices  (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses  (64 IoCs)
  pid   Process
  2880  ofheu.exe   (64 identical entries)

Suspicious use of WriteProcessMemory  (9 IoCs)
  description                       pid   Process                                                               procid_target
  PID 4936 wrote to memory of 1616  4936  7f8214a5ab0d111f313f594fe57f41f330a8883e69d1f596b4089e2f3937e683.exe  83   (3 identical entries)
  PID 4936 wrote to memory of 3908  4936  7f8214a5ab0d111f313f594fe57f41f330a8883e69d1f596b4089e2f3937e683.exe  84   (3 identical entries)
  PID 1616 wrote to memory of 2880  1616  vifuv.exe                                                             93   (3 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\7f8214a5ab0d111f313f594fe57f41f330a8883e69d1f596b4089e2f3937e683.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7f8214a5ab0d111f313f594fe57f41f330a8883e69d1f596b4089e2f3937e683.exe"
  PID: 4936
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\vifuv.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\vifuv.exe"
    PID: 1616
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks computer location settings
    - Identifies Wine through registry keys
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\ofheu.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ofheu.exe"
      PID: 2880
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
    PID: 3908
Network
-
Remote address  Request                                                                   Type    Response
8.8.8.8:53      164.2.77.40.in-addr.arpa                                                  IN PTR  (none recorded)
8.8.8.8:53      14.110.152.52.in-addr.arpa                                                IN PTR  (none recorded)
8.8.8.8:53      0.e.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa  IN PTR  (none recorded)
DNS Request  164.2.77.40.in-addr.arpa                                                   70 B   144 B  1  1
DNS Request  14.110.152.52.in-addr.arpa                                                 72 B   146 B  1  1
DNS Request  0.e.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa  118 B  204 B  1  1