Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 110s
max time network: 115s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 03/01/2023, 07:03
Static task
static1
Behavioral task
behavioral1
Sample
3714bf1b2ccb2d589bbf9fc56b95f34f.exe
Resource
win7-20220901-en
General
Target: 3714bf1b2ccb2d589bbf9fc56b95f34f.exe
Size: 3.8MB
MD5: 3714bf1b2ccb2d589bbf9fc56b95f34f
SHA1: 094ca2a456841a37d53724f9cd242af7f2a87945
SHA256: 4063e9392a870c336313c33c498fccff27bc86a20b925e3d9d418b20613eee4b
SHA512: 44271307b886aadc028e5874444d4241ba9790bba8fa7cf8b93371f051261b2adab065012fa84ce8674a43df07bdba63761cb614dc0c986982718a2276f241bc
SSDEEP: 98304:TY+I/xOyEEaO5PsR9urjsFFZ9iZ1+AhMr+rCIvdvA92RxHGf:TZI/AyEEf5zrIZ9i+9rBKxlhm
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 3714bf1b2ccb2d589bbf9fc56b95f34f.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svcupdater.exe

Executes dropped EXE 1 IoCs
pid | Process
520 | svcupdater.exe

Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3714bf1b2ccb2d589bbf9fc56b95f34f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svcupdater.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svcupdater.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3714bf1b2ccb2d589bbf9fc56b95f34f.exe

Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 3714bf1b2ccb2d589bbf9fc56b95f34f.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | svcupdater.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1960 | schtasks.exe

Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 828 wrote to memory of 1960 | 828 | 3714bf1b2ccb2d589bbf9fc56b95f34f.exe | 27
PID 828 wrote to memory of 1960 | 828 | 3714bf1b2ccb2d589bbf9fc56b95f34f.exe | 27
PID 828 wrote to memory of 1960 | 828 | 3714bf1b2ccb2d589bbf9fc56b95f34f.exe | 27
PID 828 wrote to memory of 1960 | 828 | 3714bf1b2ccb2d589bbf9fc56b95f34f.exe | 27
PID 460 wrote to memory of 520 | 460 | taskeng.exe | 30
PID 460 wrote to memory of 520 | 460 | taskeng.exe | 30
PID 460 wrote to memory of 520 | 460 | taskeng.exe | 30
PID 460 wrote to memory of 520 | 460 | taskeng.exe | 30
PID 460 wrote to memory of 520 | 460 | taskeng.exe | 30
PID 460 wrote to memory of 520 | 460 | taskeng.exe | 30
PID 460 wrote to memory of 520 | 460 | taskeng.exe | 30
Processes

C:\Users\Admin\AppData\Local\Temp\3714bf1b2ccb2d589bbf9fc56b95f34f.exe
  "C:\Users\Admin\AppData\Local\Temp\3714bf1b2ccb2d589bbf9fc56b95f34f.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of WriteProcessMemory
  PID: 828

    C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
      - Creates scheduled task(s)
      PID: 1960

C:\Windows\system32\taskeng.exe
  taskeng.exe {9575156F-975B-422C-A940-3FC49633F028} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID: 460

    C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
      C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      PID: 520
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 269.9MB
MD5: a47d92408900cdc584c289bc62b521cd
SHA1: 7860662a968d407a4879657ff68aedf94b3f6e83
SHA256: 288133b239e46891090ff2ae38af6376ac711e9ebf2ac4f2d4a96bcc9c7e918f
SHA512: ba6118fcdcd2011e8771a44acf90f7b994fac3eaaaea719ff04a9c292a622f85060f74e907abdceb5e3c03086dd5feca86eb41329aebe87ed2c27ad393e56d2f

Filesize: 267.8MB
MD5: 4baf732e39fac484b0e3608622c306c2
SHA1: b58bbffb33606d3fa7191d5197715bf4d65bb07f
SHA256: a57b2737a34185140b9147d5049d731722b595bb5076eb251bcc80b46bac7147
SHA512: eae73c41d6e33ef0c7d15855f0a36bb53231ec0b323bdae419c99ee85127da03766e996cd5c79d82f6be5d67aa49e93578c2cdcea45c875459852a9db1cc2f7d