Analysis
- max time kernel: 146s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
- submitted: 02/02/2023, 14:28
Static task: static1
Behavioral task: behavioral1
  Sample: CV.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: CV.exe
  Resource: win10v2004-20220812-en
General
- Target: CV.exe
- Size: 738KB
- MD5: 8299775dc88e42710d2e8090142189f2
- SHA1: ed5161f8636f6c99dadcebed389a8dae7d28f2ca
- SHA256: 6f1961dcfaced54164a7a91935ef591688c686ee9b4b6c091a02b8a3ee3778da
- SHA512: 847937a505fcf3a7172a65270055e6ad2833b6506e7e4408c3b8b108d6c0e7fac5b18ec3bf683e5f42190a4ed5278922d26b8998637aedc943e0a5a727765d34
- SSDEEP: 12288:itz8L6gu+xMRSR5S+bmF7YKqka8ARo7zDPQx/+KyDTl5K8IaFqG4yPa:jLzyRU5XCXa3IzzQUKyDX3IaFqG4yPa
Malware Config
Signatures
Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | CV.exe

Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | CV.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | CV.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | CV.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | CV.exe

Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | CV.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | CV.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | CV.exe

Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  44 | api.ipify.org
  45 | api.ipify.org

Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | CV.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | CV.exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 5028 set thread context of 320 | 5028 | CV.exe | 89

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  3460 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | Process
  2324 | powershell.exe
  1008 | powershell.exe
  5028 | CV.exe
  5028 | CV.exe
  1008 | powershell.exe
  2324 | powershell.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2324 | powershell.exe
  Token: SeDebugPrivilege | 1008 | powershell.exe
  Token: SeDebugPrivilege | 5028 | CV.exe
  Token: SeDebugPrivilege | 320 | CV.exe

Suspicious use of WriteProcessMemory (20 IoCs)
  description | pid | Process | procid_target
  PID 5028 wrote to memory of 2324 | 5028 | CV.exe | 82
  PID 5028 wrote to memory of 2324 | 5028 | CV.exe | 82
  PID 5028 wrote to memory of 2324 | 5028 | CV.exe | 82
  PID 5028 wrote to memory of 1008 | 5028 | CV.exe | 85
  PID 5028 wrote to memory of 1008 | 5028 | CV.exe | 85
  PID 5028 wrote to memory of 1008 | 5028 | CV.exe | 85
  PID 5028 wrote to memory of 3460 | 5028 | CV.exe | 86
  PID 5028 wrote to memory of 3460 | 5028 | CV.exe | 86
  PID 5028 wrote to memory of 3460 | 5028 | CV.exe | 86
  PID 5028 wrote to memory of 204 | 5028 | CV.exe | 88
  PID 5028 wrote to memory of 204 | 5028 | CV.exe | 88
  PID 5028 wrote to memory of 204 | 5028 | CV.exe | 88
  PID 5028 wrote to memory of 320 | 5028 | CV.exe | 89
  PID 5028 wrote to memory of 320 | 5028 | CV.exe | 89
  PID 5028 wrote to memory of 320 | 5028 | CV.exe | 89
  PID 5028 wrote to memory of 320 | 5028 | CV.exe | 89
  PID 5028 wrote to memory of 320 | 5028 | CV.exe | 89
  PID 5028 wrote to memory of 320 | 5028 | CV.exe | 89
  PID 5028 wrote to memory of 320 | 5028 | CV.exe | 89
  PID 5028 wrote to memory of 320 | 5028 | CV.exe | 89

outlook_office_path (1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | CV.exe

outlook_win_path (1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | CV.exe
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\CV.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\CV.exe"
  PID: 5028
  Signatures:
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Checks computer location settings
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\CV.exe"
    PID: 2324
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XYZJuluV.exe"
    PID: 1008
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  Level 2: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XYZJuluV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2FD.tmp"
    PID: 3460
    Signatures:
    - Creates scheduled task(s)

  Level 2: C:\Users\Admin\AppData\Local\Temp\CV.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\CV.exe"
    PID: 204

  Level 2: C:\Users\Admin\AppData\Local\Temp\CV.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\CV.exe"
    PID: 320
    Signatures:
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 2KB
  MD5: 968cb9309758126772781b83adb8a28f
  SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
  SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
  SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

- Filesize: 18KB
  MD5: f5ad2a0cd1bf04198d2c963702df58c3
  SHA1: 3544df8576462adb08461586a0b1a718994c9ead
  SHA256: 750da0b856e57aff1d783ec0f8eab428920ac4dcf4fcc60aa1c5f8e803cf5bad
  SHA512: a02f6adc530797e5bc365e5f3a8a527fb5714e61c40242b2e9c67719fd80533763ee4d331a4076472c98e157d2b5e2bdd96a5becaf6ee80bee0243ca687892c6

- Filesize: 1KB
  MD5: 4de73472e5301513748a594df57ade82
  SHA1: 0b4e3406d216da378ea3d633081c00fb061a984b
  SHA256: d5f61cf1b45fd1bcde0c585b0fcb204ef8d4c49591b8a4bb6d77c4b8009cafe5
  SHA512: 5565e7a4508e42b45944d50eec7caeedb2f1d82dc0304f3fd707054bb388a248e8f48912f8e9b6a002bc9d9ec671e12baa9147129a888eaa0e978f5908043cef