Analysis

  • max time kernel
    110s
  • max time network
    115s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/01/2023, 07:03

General

  • Target

    3714bf1b2ccb2d589bbf9fc56b95f34f.exe

  • Size

    3.8MB

  • MD5

    3714bf1b2ccb2d589bbf9fc56b95f34f

  • SHA1

    094ca2a456841a37d53724f9cd242af7f2a87945

  • SHA256

    4063e9392a870c336313c33c498fccff27bc86a20b925e3d9d418b20613eee4b

  • SHA512

    44271307b886aadc028e5874444d4241ba9790bba8fa7cf8b93371f051261b2adab065012fa84ce8674a43df07bdba63761cb614dc0c986982718a2276f241bc

  • SSDEEP

    98304:TY+I/xOyEEaO5PsR9urjsFFZ9iZ1+AhMr+rCIvdvA92RxHGf:TZI/AyEEf5zrIZ9i+9rBKxlhm

Score
9/10

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3714bf1b2ccb2d589bbf9fc56b95f34f.exe
    "C:\Users\Admin\AppData\Local\Temp\3714bf1b2ccb2d589bbf9fc56b95f34f.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of WriteProcessMemory
    PID:828
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
      2⤵
      • Creates scheduled task(s)
      PID:1960
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {9575156F-975B-422C-A940-3FC49633F028} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:460
    • C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
      C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      PID:520

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe

    Filesize

    269.9MB

    MD5

    a47d92408900cdc584c289bc62b521cd

    SHA1

    7860662a968d407a4879657ff68aedf94b3f6e83

    SHA256

    288133b239e46891090ff2ae38af6376ac711e9ebf2ac4f2d4a96bcc9c7e918f

    SHA512

    ba6118fcdcd2011e8771a44acf90f7b994fac3eaaaea719ff04a9c292a622f85060f74e907abdceb5e3c03086dd5feca86eb41329aebe87ed2c27ad393e56d2f

  • C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe

    Filesize

    267.8MB

    MD5

    4baf732e39fac484b0e3608622c306c2

    SHA1

    b58bbffb33606d3fa7191d5197715bf4d65bb07f

    SHA256

    a57b2737a34185140b9147d5049d731722b595bb5076eb251bcc80b46bac7147

    SHA512

    eae73c41d6e33ef0c7d15855f0a36bb53231ec0b323bdae419c99ee85127da03766e996cd5c79d82f6be5d67aa49e93578c2cdcea45c875459852a9db1cc2f7d

  • memory/520-63-0x0000000000FA0000-0x000000000136F000-memory.dmp

    Filesize

    3.8MB

  • memory/520-64-0x0000000000FA0000-0x000000000136F000-memory.dmp

    Filesize

    3.8MB

  • memory/520-65-0x0000000000FA0000-0x000000000136F000-memory.dmp

    Filesize

    3.8MB

  • memory/828-54-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

    Filesize

    8KB

  • memory/828-55-0x0000000000EB0000-0x000000000127F000-memory.dmp

    Filesize

    3.8MB

  • memory/828-56-0x0000000000EB0000-0x000000000127F000-memory.dmp

    Filesize

    3.8MB

  • memory/828-58-0x0000000000EB0000-0x000000000127F000-memory.dmp

    Filesize

    3.8MB