Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview (score 10)

Task                  Platform             Score
Static                static               -
VirtualBox...us.dll   windows7-x64         1
VirtualBox...us.dll   windows10-2004-x64   1
VirtualBox...in.exe   windows7-x64         8
VirtualBox...in.exe   windows10-2004-x64   10
VirtualBox...on.dll   windows7-x64         1
VirtualBox...on.dll   windows10-2004-x64   1
VirtualBox...CE.dll   windows7-x64         1
VirtualBox...CE.dll   windows10-2004-x64   1
VirtualBox...GM.dll   windows7-x64         1
VirtualBox...GM.dll   windows10-2004-x64   1
VirtualBox...DE.dll   windows7-x64         3
VirtualBox...DE.dll   windows10-2004-x64   3
VirtualBox...at.exe   windows7-x64         1
VirtualBox...at.exe   windows10-2004-x64   1
VirtualBox...OL.dll   windows7-x64         1
VirtualBox...OL.dll   windows10-2004-x64   1
VirtualBox...es.xml   windows7-x64         1
VirtualBox...es.xml   windows10-2004-x64   1
VirtualBox...32.dll   windows7-x64         3
VirtualBox...32.dll   windows10-2004-x64   3
VirtualBox...MP.dll   windows7-x64         1
VirtualBox...MP.dll   windows10-2004-x64   3
VirtualBox...IB.dll   windows7-x64         1
VirtualBox...IB.dll   windows10-2004-x64   1
VirtualBox...ls.dll   windows7-x64         1
VirtualBox...ls.dll   windows10-2004-x64   1
VirtualBox...pe.dll   windows7-x64         3
VirtualBox...pe.dll   windows10-2004-x64   3
VirtualBox...ib.dll   windows7-x64         1
VirtualBox...ib.dll   windows10-2004-x64   1

Analysis
max time kernel: 172s
max time network: 188s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/12/2022, 17:16
Tasks

Static task: static1

Behavioral task   Sample                                                        Resource
behavioral1       VirtualBox-7.0.2-154219-Win/Focus.dll                         win7-20220812-en
behavioral2       VirtualBox-7.0.2-154219-Win/Focus.dll                         win10v2004-20220901-en
behavioral3       VirtualBox-7.0.2-154219-Win/VirtualBox-7.0.2-154219-Win.exe   win7-20221111-en
behavioral4       VirtualBox-7.0.2-154219-Win/VirtualBox-7.0.2-154219-Win.exe   win10v2004-20220812-en
behavioral5       VirtualBox-7.0.2-154219-Win/cbutton.dll                       win7-20221111-en
behavioral6       VirtualBox-7.0.2-154219-Win/cbutton.dll                       win10v2004-20220901-en
behavioral7       VirtualBox-7.0.2-154219-Win/x86/ACE.dll                       win7-20220812-en
behavioral8       VirtualBox-7.0.2-154219-Win/x86/ACE.dll                       win10v2004-20221111-en
behavioral9       VirtualBox-7.0.2-154219-Win/x86/AGM.dll                       win7-20220812-en
behavioral10      VirtualBox-7.0.2-154219-Win/x86/AGM.dll                       win10v2004-20221111-en
behavioral11      VirtualBox-7.0.2-154219-Win/x86/AIDE.dll                      win7-20220812-en
behavioral12      VirtualBox-7.0.2-154219-Win/x86/AIDE.dll                      win10v2004-20221111-en
behavioral13      VirtualBox-7.0.2-154219-Win/x86/Acrobat/Acrobat.exe           win7-20220901-en
behavioral14      VirtualBox-7.0.2-154219-Win/x86/Acrobat/Acrobat.exe           win10v2004-20221111-en
behavioral15      VirtualBox-7.0.2-154219-Win/x86/Acrobat/Acrobat32OL.dll       win7-20221111-en
behavioral16      VirtualBox-7.0.2-154219-Win/x86/Acrobat/Acrobat32OL.dll       win10v2004-20221111-en
behavioral17      VirtualBox-7.0.2-154219-Win/x86/Acrobat/Adobe.Acrobat.Dependencies.xml   win7-20220812-en
behavioral18      VirtualBox-7.0.2-154219-Win/x86/Acrobat/Adobe.Acrobat.Dependencies.xml   win10v2004-20220812-en
behavioral19      VirtualBox-7.0.2-154219-Win/x86/Acrobat/Onix32.dll            win7-20220812-en
behavioral20      VirtualBox-7.0.2-154219-Win/x86/Acrobat/Onix32.dll            win10v2004-20220901-en
behavioral21      VirtualBox-7.0.2-154219-Win/x86/AdobeXMP.dll                  win7-20221111-en
behavioral22      VirtualBox-7.0.2-154219-Win/x86/AdobeXMP.dll                  win10v2004-20221111-en
behavioral23      VirtualBox-7.0.2-154219-Win/x86/BIB.dll                       win7-20220812-en
behavioral24      VirtualBox-7.0.2-154219-Win/x86/BIB.dll                       win10v2004-20220812-en
behavioral25      VirtualBox-7.0.2-154219-Win/x86/BIBUtils.dll                  win7-20221111-en
behavioral26      VirtualBox-7.0.2-154219-Win/x86/BIBUtils.dll                  win10v2004-20220901-en
behavioral27      VirtualBox-7.0.2-154219-Win/x86/CoolType.dll                  win7-20220812-en
behavioral28      VirtualBox-7.0.2-154219-Win/x86/CoolType.dll                  win10v2004-20221111-en
behavioral29      VirtualBox-7.0.2-154219-Win/x86/JP2KLib.dll                   win7-20220812-en
behavioral30      VirtualBox-7.0.2-154219-Win/x86/JP2KLib.dll                   win10v2004-20220812-en
General
Target: VirtualBox-7.0.2-154219-Win/VirtualBox-7.0.2-154219-Win.exe
Size: 677.9MB
MD5: 670e50d1d17dce3d446919680dd657f0
SHA1: fdbba6ab2df85337f8fefec7da04323ba6e42107
SHA256: 7f43dee28fdf815aca5367694540bcd514c2ad9c1a4c4bc645286403fffb4123
SHA512: ed31879ce1867b31b9f0868ff797ec92dfb5284381bada666636ff07eb9b4221f60a9fb549984d0b3272e619674031431c7498451ded735ad98de4db5a53e2ba
SSDEEP: 3072:eahKyd2n31yS5LvfiP1yaX3KmC5wBCgBCwfjL1c1pcSsP1XBRWf9z:eahOcnHn9BF//1cUJU
Malware Config
Extracted family: aurora
Extracted address: 79.137.206.138:8081
Signatures

Executes dropped EXE (2 IoCs)
  PID 3596  BUSINE~3.EXE
  PID 4588  BUSINE~3.EXE

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (BUSINE~3.EXE)

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce (VirtualBox-7.0.2-154219-Win.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (VirtualBox-7.0.2-154219-Win.exe)

Suspicious use of SetThreadContext (1 IoC)
  PID 3596 set thread context of PID 4588 (BUSINE~3.EXE, target process id 93)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 644 powershell.exe; PID 644 powershell.exe; PID 4656 powershell.exe; PID 4656 powershell.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (38 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.2-154219-Win\VirtualBox-7.0.2-154219-Win.exe (PID 2032)
  Command line: "C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.2-154219-Win\VirtualBox-7.0.2-154219-Win.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUSINE~3.EXE (PID 3596)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUSINE~3.EXE
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 644)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      (the -ENC argument is UTF-16LE base64 and decodes to: start-sleep -seconds 35)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe (PID 4740)
      Command line: "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      (the -ENC argument is UTF-16LE base64 and decodes to: set-mppreference -exclusionpath C:\ , i.e. a Defender exclusion for the whole system drive)
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4656)
        Command line: powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUSINE~3.EXE (PID 4588)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUSINE~3.EXE
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\Wbem\wmic.exe (PID 3396)
        Command line: wmic os get Caption
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\cmd.exe (PID 3528)
        Command line: cmd /C "wmic path win32_VideoController get name"
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 4304)
          Command line: wmic path win32_VideoController get name
          - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\cmd.exe (PID 1812)
        Command line: cmd /C "wmic cpu get name"
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 3676)
          Command line: wmic cpu get name