Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

9

Static

static

3714bf1b2c...4f.exe

windows7-x64

9

3714bf1b2c...4f.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    107s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/01/2023, 07:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3714bf1b2ccb2d589bbf9fc56b95f34f.exe

  • Size

    3.8MB

  • MD5

    3714bf1b2ccb2d589bbf9fc56b95f34f

  • SHA1

    094ca2a456841a37d53724f9cd242af7f2a87945

  • SHA256

    4063e9392a870c336313c33c498fccff27bc86a20b925e3d9d418b20613eee4b

  • SHA512

    44271307b886aadc028e5874444d4241ba9790bba8fa7cf8b93371f051261b2adab065012fa84ce8674a43df07bdba63761cb614dc0c986982718a2276f241bc

  • SSDEEP

    98304:TY+I/xOyEEaO5PsR9urjsFFZ9iZ1+AhMr+rCIvdvA92RxHGf:TZI/AyEEf5zrIZ9i+9rBKxlhm

Score
9/10
evasiontrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3714bf1b2ccb2d589bbf9fc56b95f34f.exe
    "C:\Users\Admin\AppData\Local\Temp\3714bf1b2ccb2d589bbf9fc56b95f34f.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
      2⤵
      • Creates scheduled task(s)
      PID:2656
  • C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
    C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Executes dropped EXE
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    PID:4952

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
    Filesize

    274.8MB

    MD5

    0706c5df98c839b049a41c1d119225e7

    SHA1

    581eb4be37324862802a2900cbf2db5ea940f564

    SHA256

    9c48442514a7fe9aa08351247fa543444c0beb52392d8d2fa44dbad0064e3760

    SHA512

    c4363ff9c4d530e13cfd30c9897bb8cf946b39818a99e883bae2d75c6e9924455c1217b33d0edd3d3e3f0c8af4ddafa8978535b1fe907ed4e460423a19b91dfe

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
    Filesize

    272.3MB

    MD5

    1d232e9a5aef4979d62acd23229a421d

    SHA1

    fe9761736fda2e1152e5ec99f3165702b021dbb0

    SHA256

    fd24a7fb3fd74998accf0e2408319812bf0aa5b94130df83a2aa26d53331a88c

    SHA512

    3c37df6c71379fda2a74b87f917941bc027283db547d3724f8b85066a6a6fb67d2edb0787a78c6f85bf89ec02a1ef953ff7962f8f56f3d2dc1d0afb7332b444a

    Download Submit

  • memory/3008-132-0x00000000006A0000-0x0000000000A6F000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/3008-133-0x00000000006A0000-0x0000000000A6F000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/3008-135-0x00000000006A0000-0x0000000000A6F000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/4952-138-0x0000000000580000-0x000000000094F000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/4952-139-0x0000000000580000-0x000000000094F000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/4952-140-0x0000000000580000-0x000000000094F000-memory.dmp

    Filesize

    3.8MB

    Download