Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
110s -
max time network
115s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
03/01/2023, 07:03
General
-
Target
3714bf1b2ccb2d589bbf9fc56b95f34f.exe
-
Size
3.8MB
-
MD5
3714bf1b2ccb2d589bbf9fc56b95f34f
-
SHA1
094ca2a456841a37d53724f9cd242af7f2a87945
-
SHA256
4063e9392a870c336313c33c498fccff27bc86a20b925e3d9d418b20613eee4b
-
SHA512
44271307b886aadc028e5874444d4241ba9790bba8fa7cf8b93371f051261b2adab065012fa84ce8674a43df07bdba63761cb614dc0c986982718a2276f241bc
-
SSDEEP
98304:TY+I/xOyEEaO5PsR9urjsFFZ9iZ1+AhMr+rCIvdvA92RxHGf:TZI/AyEEf5zrIZ9i+9rBKxlhm
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3714bf1b2ccb2d589bbf9fc56b95f34f.exe"C:\Users\Admin\AppData\Local\Temp\3714bf1b2ccb2d589bbf9fc56b95f34f.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f2⤵
- Creates scheduled task(s)
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {9575156F-975B-422C-A940-3FC49633F028} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exeC:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
269.9MB
MD5a47d92408900cdc584c289bc62b521cd
SHA17860662a968d407a4879657ff68aedf94b3f6e83
SHA256288133b239e46891090ff2ae38af6376ac711e9ebf2ac4f2d4a96bcc9c7e918f
SHA512ba6118fcdcd2011e8771a44acf90f7b994fac3eaaaea719ff04a9c292a622f85060f74e907abdceb5e3c03086dd5feca86eb41329aebe87ed2c27ad393e56d2f
-
Filesize
267.8MB
MD54baf732e39fac484b0e3608622c306c2
SHA1b58bbffb33606d3fa7191d5197715bf4d65bb07f
SHA256a57b2737a34185140b9147d5049d731722b595bb5076eb251bcc80b46bac7147
SHA512eae73c41d6e33ef0c7d15855f0a36bb53231ec0b323bdae419c99ee85127da03766e996cd5c79d82f6be5d67aa49e93578c2cdcea45c875459852a9db1cc2f7d
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
8KB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB