Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    72s
  • max time network
    59s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    28/11/2022, 04:53

General

  • Target

    ad2db44c66b5a514dbd6507d37d14666437794f26d80e7b56496eb85e50b1743.exe

  • Size

    142KB

  • MD5

    0bf1bcbe48b517b79c71232b987eed56

  • SHA1

    466f91dfdf88f48cf2b305659d2a8f7210a25d96

  • SHA256

    ad2db44c66b5a514dbd6507d37d14666437794f26d80e7b56496eb85e50b1743

  • SHA512

    82fb8b8e913765d7ab8e1768f59cc8b6fbbda02b3900f0c10e2eb351a2efa6618a6aac45d14c2cee5a971384511c17e75d1919908b57ff3fa614e4c824ce305f

  • SSDEEP

    3072:LehlJa7H1orX0GliLNyVOJsD5tVXAJOQE6O7:S9X0Glifcbx

Score
9/10

Malware Config

Signatures

  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad2db44c66b5a514dbd6507d37d14666437794f26d80e7b56496eb85e50b1743.exe
    "C:\Users\Admin\AppData\Local\Temp\ad2db44c66b5a514dbd6507d37d14666437794f26d80e7b56496eb85e50b1743.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Users\Admin\AppData\Local\Temp\tmp4433.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp4433.exe" "C:\Users\Admin\AppData\Local\Temp\ad2db44c66b5a514dbd6507d37d14666437794f26d80e7b56496eb85e50b1743.exe"
      2⤵
      • Executes dropped EXE
      • Deletes itself
      PID:288
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ping 127.0.0.1 >> nul
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:664
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1832

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp4433.exe

    Filesize

    142KB

    MD5

    0bf1bcbe48b517b79c71232b987eed56

    SHA1

    466f91dfdf88f48cf2b305659d2a8f7210a25d96

    SHA256

    ad2db44c66b5a514dbd6507d37d14666437794f26d80e7b56496eb85e50b1743

    SHA512

    82fb8b8e913765d7ab8e1768f59cc8b6fbbda02b3900f0c10e2eb351a2efa6618a6aac45d14c2cee5a971384511c17e75d1919908b57ff3fa614e4c824ce305f

  • memory/288-65-0x0000000000400000-0x0000000002970000-memory.dmp

    Filesize

    37.4MB

  • memory/2036-54-0x0000000075C61000-0x0000000075C63000-memory.dmp

    Filesize

    8KB

  • memory/2036-56-0x0000000000250000-0x0000000000255000-memory.dmp

    Filesize

    20KB

  • memory/2036-57-0x0000000000400000-0x0000000002970000-memory.dmp

    Filesize

    37.4MB

  • memory/2036-58-0x0000000000400000-0x0000000002970000-memory.dmp

    Filesize

    37.4MB