Analysis

  • max time kernel
    150s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/10/2022, 12:41

General

  • Target

    7f8214a5ab0d111f313f594fe57f41f330a8883e69d1f596b4089e2f3937e683.exe

  • Size

    823KB

  • MD5

    937a1b4613a2109448103c318cb7ab10

  • SHA1

    1ac5bc876ec8026d57ce67fde624fab848f7b8d1

  • SHA256

    7f8214a5ab0d111f313f594fe57f41f330a8883e69d1f596b4089e2f3937e683

  • SHA512

    28db39b653ab91429546198a838cf4dd361f85a71a435aa825d49fab74273886b5225388d92b884ac7b6ae50eaf467b644caf76ad753e5fe114187fb6b89e2ba

  • SSDEEP

    24576:QZJ+3Rbxv7mctSdkeXofT/+brY2Qwz+Rq7ISoZ:Go5xv7mcseeXr0IsS+

Score
9/10

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7f8214a5ab0d111f313f594fe57f41f330a8883e69d1f596b4089e2f3937e683.exe
    "C:\Users\Admin\AppData\Local\Temp\7f8214a5ab0d111f313f594fe57f41f330a8883e69d1f596b4089e2f3937e683.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of WriteProcessMemory
    PID:4936
    • C:\Users\Admin\AppData\Local\Temp\vifuv.exe
      "C:\Users\Admin\AppData\Local\Temp\vifuv.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks computer location settings
      • Identifies Wine through registry keys
      • Suspicious use of WriteProcessMemory
      PID:1616
      • C:\Users\Admin\AppData\Local\Temp\ofheu.exe
        "C:\Users\Admin\AppData\Local\Temp\ofheu.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2880
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
      2⤵
        PID:3908


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

      Filesize

      340B

      MD5

      fbf7eff8943376401b4cb00e1ee483e2

      SHA1

      6185e4e93ed5fee5250131ad5b05cea909a7cd0a

      SHA256

      d724df52b33fc1270bd939cfbd8f2c593b0261ae0a57ce77577265eb1fd8cccd

      SHA512

      d706cc5a7d4bfd6c40b7c2486f15e7b3f5b675ecdbe62e4322e1c0ba413f6b372fcd430c98588551e50e2156bc5e3e29bc472507b78299dea504e6514fc606ac

    • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

      Filesize

      512B

      MD5

      0f5888b0051747de120c37b15c825b7d

      SHA1

      368471a70a25749e9db7401fb34a6b0230a2cf6a

      SHA256

      acd846557da75a2b35fb2c1a1964e73aafd10e53078dd4bd8e3dd7ebf4d83921

      SHA512

      bbf2805977f6892d32ee4d7d223e8a098df6c481847bba0e98378d96f22f82b6a650eb4300cf85240c5b9d14e2c13a222e4246d11f7acf188e6ac8fc152f7eee

    • C:\Users\Admin\AppData\Local\Temp\ofheu.exe

      Filesize

      205KB

      MD5

      a2f94d052f11bb9734c6f9ce04048810

      SHA1

      56879061ed7302cf4e8e434413172901d5fd7a05

      SHA256

      0c42f80b374679c15a1d4493be7eaab60fbd9d12fab768bf5f0ec9272fe13489

      SHA512

      06edc75c8877d28cc5dfd63e14d31c1ea23f895b92a98868199cf609fac52f68fc4f6f47015a2664a3a7418129ca080290c452484925880cb5b3f951940c64a4

    • C:\Users\Admin\AppData\Local\Temp\vifuv.exe

      Filesize

      823KB

      MD5

      34d87029e58053db8e867277754bfb4d

      SHA1

      6cb518ba54f31d9db41c9a696be56574a046adfb

      SHA256

      ebfffb16ca75a22f58126ccf8d849abeb6bfaad1ec2c0ab553999104cfe3d147

      SHA512

      cbe6f0c2fe61f7fcd213858e264e88068f505048f837d5ca1a9dbdf291adbcc0ea938c89473cac8e3bc2ba3c08b1d89365315643f27774af8b38c9248d902cb6

    • memory/1616-144-0x0000000000400000-0x000000000058F000-memory.dmp

      Filesize

      1.6MB

    • memory/1616-139-0x0000000000400000-0x000000000058F000-memory.dmp

      Filesize

      1.6MB

    • memory/1616-141-0x0000000000400000-0x000000000058F000-memory.dmp

      Filesize

      1.6MB

    • memory/1616-143-0x0000000000400000-0x000000000058F000-memory.dmp

      Filesize

      1.6MB

    • memory/1616-148-0x0000000000400000-0x000000000058F000-memory.dmp

      Filesize

      1.6MB

    • memory/2880-149-0x00000000008E0000-0x00000000009AC000-memory.dmp

      Filesize

      816KB

    • memory/2880-150-0x00000000008E0000-0x00000000009AC000-memory.dmp

      Filesize

      816KB

    • memory/4936-132-0x0000000000400000-0x000000000058F000-memory.dmp

      Filesize

      1.6MB

    • memory/4936-138-0x0000000000400000-0x000000000058F000-memory.dmp

      Filesize

      1.6MB

    • memory/4936-133-0x0000000000400000-0x000000000058F000-memory.dmp

      Filesize

      1.6MB