Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

9

Static

static

afa2e8be96...92.exe

windows7-x64

9

afa2e8be96...92.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    186s
  • max time network
    191s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    27/11/2022, 23:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    afa2e8be96ca86a8b12dec4f6fc12958867219abe09966cd6b39000247ede792.exe

  • Size

    274KB

  • MD5

    5d3f99c43bdc1205b59da497b27cf629

  • SHA1

    d87a58e13ce96428065b4ea65b15671a97d1ad4f

  • SHA256

    afa2e8be96ca86a8b12dec4f6fc12958867219abe09966cd6b39000247ede792

  • SHA512

    26a6d247f098a3e30995a44c786427d64466b0e6dbdb9f8875d1961a4d8f48fdb812ea838ee520ac7bcb7afc81c2a483ae2a6d7485f36e983f9a889ec9b68011

  • SSDEEP

    6144:mj2NA2rgIZseLlJfOMBfcuJwam6ZqRrOuic4pe:+b2rgIZx9OyLWkqR/4p

Score
9/10
evasionpersistence

Malware Config

Signatures

  • Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\afa2e8be96ca86a8b12dec4f6fc12958867219abe09966cd6b39000247ede792.exe
    "C:\Users\Admin\AppData\Local\Temp\afa2e8be96ca86a8b12dec4f6fc12958867219abe09966cd6b39000247ede792.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1116
    • C:\Users\Admin\AppData\Local\Temp\afa2e8be96ca86a8b12dec4f6fc12958867219abe09966cd6b39000247ede792.exe
      "C:\Users\Admin\AppData\Local\Temp\afa2e8be96ca86a8b12dec4f6fc12958867219abe09966cd6b39000247ede792.exe"
      2⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1316
      • C:\Users\Admin\AppData\Roaming\BLD93115RWR\hh.exe
        C:\Users\Admin\AppData\Roaming\BLD93115RWR\hh.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:376
        • C:\Users\Admin\AppData\Roaming\BLD93115RWR\hh.exe
          C:\Users\Admin\AppData\Roaming\BLD93115RWR\hh.exe
          4⤵
          • Looks for VirtualBox Guest Additions in registry
          • Executes dropped EXE
          • Looks for VMWare Tools registry key
          • Checks BIOS information in registry
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          PID:1020

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\BLD93115RWR\hh.exe
    Filesize

    274KB

    MD5

    5d3f99c43bdc1205b59da497b27cf629

    SHA1

    d87a58e13ce96428065b4ea65b15671a97d1ad4f

    SHA256

    afa2e8be96ca86a8b12dec4f6fc12958867219abe09966cd6b39000247ede792

    SHA512

    26a6d247f098a3e30995a44c786427d64466b0e6dbdb9f8875d1961a4d8f48fdb812ea838ee520ac7bcb7afc81c2a483ae2a6d7485f36e983f9a889ec9b68011

    Download Submit

  • C:\Users\Admin\AppData\Roaming\BLD93115RWR\hh.exe
    Filesize

    274KB

    MD5

    5d3f99c43bdc1205b59da497b27cf629

    SHA1

    d87a58e13ce96428065b4ea65b15671a97d1ad4f

    SHA256

    afa2e8be96ca86a8b12dec4f6fc12958867219abe09966cd6b39000247ede792

    SHA512

    26a6d247f098a3e30995a44c786427d64466b0e6dbdb9f8875d1961a4d8f48fdb812ea838ee520ac7bcb7afc81c2a483ae2a6d7485f36e983f9a889ec9b68011

    Download Submit

  • C:\Users\Admin\AppData\Roaming\BLD93115RWR\hh.exe
    Filesize

    274KB

    MD5

    5d3f99c43bdc1205b59da497b27cf629

    SHA1

    d87a58e13ce96428065b4ea65b15671a97d1ad4f

    SHA256

    afa2e8be96ca86a8b12dec4f6fc12958867219abe09966cd6b39000247ede792

    SHA512

    26a6d247f098a3e30995a44c786427d64466b0e6dbdb9f8875d1961a4d8f48fdb812ea838ee520ac7bcb7afc81c2a483ae2a6d7485f36e983f9a889ec9b68011

    Download Submit

  • \Users\Admin\AppData\Roaming\BLD93115RWR\hh.exe
    Filesize

    274KB

    MD5

    5d3f99c43bdc1205b59da497b27cf629

    SHA1

    d87a58e13ce96428065b4ea65b15671a97d1ad4f

    SHA256

    afa2e8be96ca86a8b12dec4f6fc12958867219abe09966cd6b39000247ede792

    SHA512

    26a6d247f098a3e30995a44c786427d64466b0e6dbdb9f8875d1961a4d8f48fdb812ea838ee520ac7bcb7afc81c2a483ae2a6d7485f36e983f9a889ec9b68011

    Download Submit

  • \Users\Admin\AppData\Roaming\BLD93115RWR\hh.exe
    Filesize

    274KB

    MD5

    5d3f99c43bdc1205b59da497b27cf629

    SHA1

    d87a58e13ce96428065b4ea65b15671a97d1ad4f

    SHA256

    afa2e8be96ca86a8b12dec4f6fc12958867219abe09966cd6b39000247ede792

    SHA512

    26a6d247f098a3e30995a44c786427d64466b0e6dbdb9f8875d1961a4d8f48fdb812ea838ee520ac7bcb7afc81c2a483ae2a6d7485f36e983f9a889ec9b68011

    Download Submit

  • memory/376-84-0x0000000000250000-0x00000000002CB000-memory.dmp

    Filesize

    492KB

    Download

  • memory/376-74-0x0000000000250000-0x00000000002CB000-memory.dmp

    Filesize

    492KB

    Download

  • memory/1116-55-0x0000000000350000-0x00000000003CB000-memory.dmp

    Filesize

    492KB

    Download

  • memory/1116-54-0x0000000076381000-0x0000000076383000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1116-66-0x0000000000350000-0x00000000003CB000-memory.dmp

    Filesize

    492KB

    Download

  • memory/1316-61-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1316-67-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1316-65-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1316-72-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1316-63-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1316-62-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1316-59-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1316-57-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1316-56-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download