Analysis
- max time kernel: 72s
- max time network: 59s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 28/11/2022, 04:53
Static task: static1
Behavioral task: behavioral1
- Sample: ad2db44c66b5a514dbd6507d37d14666437794f26d80e7b56496eb85e50b1743.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: ad2db44c66b5a514dbd6507d37d14666437794f26d80e7b56496eb85e50b1743.exe
- Resource: win10v2004-20220812-en
General
- Target: ad2db44c66b5a514dbd6507d37d14666437794f26d80e7b56496eb85e50b1743.exe
- Size: 142KB
- MD5: 0bf1bcbe48b517b79c71232b987eed56
- SHA1: 466f91dfdf88f48cf2b305659d2a8f7210a25d96
- SHA256: ad2db44c66b5a514dbd6507d37d14666437794f26d80e7b56496eb85e50b1743
- SHA512: 82fb8b8e913765d7ab8e1768f59cc8b6fbbda02b3900f0c10e2eb351a2efa6618a6aac45d14c2cee5a971384511c17e75d1919908b57ff3fa614e4c824ce305f
- SSDEEP: 3072:LehlJa7H1orX0GliLNyVOJsD5tVXAJOQE6O7:S9X0Glifcbx
Malware Config
Signatures
- Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions (process: ad2db44c66b5a514dbd6507d37d14666437794f26d80e7b56496eb85e50b1743.exe)
- Executes dropped EXE (1 IoC)
  PID 288: tmp4433.exe
- Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools (process: ad2db44c66b5a514dbd6507d37d14666437794f26d80e7b56496eb85e50b1743.exe)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: ad2db44c66b5a514dbd6507d37d14666437794f26d80e7b56496eb85e50b1743.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: ad2db44c66b5a514dbd6507d37d14666437794f26d80e7b56496eb85e50b1743.exe)
- Deletes itself (1 IoC)
  PID 288: tmp4433.exe
- Runs ping.exe (1 TTP, 1 IoC)
  PID 1832: PING.EXE
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  PID 2036: ad2db44c66b5a514dbd6507d37d14666437794f26d80e7b56496eb85e50b1743.exe (10 identical entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2036 (ad2db44c66b5a514dbd6507d37d14666437794f26d80e7b56496eb85e50b1743.exe) wrote to memory of PID 288, target procid 29 (4 entries)
  PID 2036 (ad2db44c66b5a514dbd6507d37d14666437794f26d80e7b56496eb85e50b1743.exe) wrote to memory of PID 664, target procid 30 (4 entries)
  PID 664 (cmd.exe) wrote to memory of PID 1832, target procid 32 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\ad2db44c66b5a514dbd6507d37d14666437794f26d80e7b56496eb85e50b1743.exe (PID 2036)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ad2db44c66b5a514dbd6507d37d14666437794f26d80e7b56496eb85e50b1743.exe"
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\tmp4433.exe (PID 288)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4433.exe" "C:\Users\Admin\AppData\Local\Temp\ad2db44c66b5a514dbd6507d37d14666437794f26d80e7b56496eb85e50b1743.exe"
    - Executes dropped EXE
    - Deletes itself
  - C:\Windows\SysWOW64\cmd.exe (PID 664)
    Command line: cmd.exe /c ping 127.0.0.1 >> nul
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1832)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6