Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/02/2023, 14:28

General

  • Target

    CV.exe

  • Size

    738KB

  • MD5

    8299775dc88e42710d2e8090142189f2

  • SHA1

    ed5161f8636f6c99dadcebed389a8dae7d28f2ca

  • SHA256

    6f1961dcfaced54164a7a91935ef591688c686ee9b4b6c091a02b8a3ee3778da

  • SHA512

    847937a505fcf3a7172a65270055e6ad2833b6506e7e4408c3b8b108d6c0e7fac5b18ec3bf683e5f42190a4ed5278922d26b8998637aedc943e0a5a727765d34

  • SSDEEP

    12288:itz8L6gu+xMRSR5S+bmF7YKqka8ARo7zDPQx/+KyDTl5K8IaFqG4yPa:jLzyRU5XCXa3IzzQUKyDX3IaFqG4yPa

Malware Config

Signatures

  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CV.exe
    "C:\Users\Admin\AppData\Local\Temp\CV.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Checks computer location settings
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5028
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\CV.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2324
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XYZJuluV.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1008
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XYZJuluV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2FD.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3460
    • C:\Users\Admin\AppData\Local\Temp\CV.exe
      "C:\Users\Admin\AppData\Local\Temp\CV.exe"
      2⤵
        PID:204
      • C:\Users\Admin\AppData\Local\Temp\CV.exe
        "C:\Users\Admin\AppData\Local\Temp\CV.exe"
        2⤵
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:320

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      18KB

      MD5

      f5ad2a0cd1bf04198d2c963702df58c3

      SHA1

      3544df8576462adb08461586a0b1a718994c9ead

      SHA256

      750da0b856e57aff1d783ec0f8eab428920ac4dcf4fcc60aa1c5f8e803cf5bad

      SHA512

      a02f6adc530797e5bc365e5f3a8a527fb5714e61c40242b2e9c67719fd80533763ee4d331a4076472c98e157d2b5e2bdd96a5becaf6ee80bee0243ca687892c6

    • C:\Users\Admin\AppData\Local\Temp\tmp2FD.tmp

      Filesize

      1KB

      MD5

      4de73472e5301513748a594df57ade82

      SHA1

      0b4e3406d216da378ea3d633081c00fb061a984b

      SHA256

      d5f61cf1b45fd1bcde0c585b0fcb204ef8d4c49591b8a4bb6d77c4b8009cafe5

      SHA512

      5565e7a4508e42b45944d50eec7caeedb2f1d82dc0304f3fd707054bb388a248e8f48912f8e9b6a002bc9d9ec671e12baa9147129a888eaa0e978f5908043cef

    • memory/320-164-0x00000000073B0000-0x0000000007572000-memory.dmp

      Filesize

      1.8MB

    • memory/320-163-0x0000000007190000-0x00000000071E0000-memory.dmp

      Filesize

      320KB

    • memory/320-148-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

    • memory/1008-156-0x00000000078F0000-0x00000000078FA000-memory.dmp

      Filesize

      40KB

    • memory/1008-159-0x0000000007BC0000-0x0000000007BDA000-memory.dmp

      Filesize

      104KB

    • memory/1008-158-0x0000000007AB0000-0x0000000007ABE000-memory.dmp

      Filesize

      56KB

    • memory/1008-157-0x0000000007B00000-0x0000000007B96000-memory.dmp

      Filesize

      600KB

    • memory/1008-154-0x0000000007EC0000-0x000000000853A000-memory.dmp

      Filesize

      6.5MB

    • memory/1008-152-0x0000000006B20000-0x0000000006B3E000-memory.dmp

      Filesize

      120KB

    • memory/1008-151-0x0000000070D60000-0x0000000070DAC000-memory.dmp

      Filesize

      304KB

    • memory/1008-149-0x0000000006580000-0x000000000659E000-memory.dmp

      Filesize

      120KB

    • memory/2324-144-0x0000000005480000-0x00000000054E6000-memory.dmp

      Filesize

      408KB

    • memory/2324-143-0x0000000004CB0000-0x0000000004CD2000-memory.dmp

      Filesize

      136KB

    • memory/2324-160-0x00000000071A0000-0x00000000071A8000-memory.dmp

      Filesize

      32KB

    • memory/2324-153-0x0000000070D60000-0x0000000070DAC000-memory.dmp

      Filesize

      304KB

    • memory/2324-139-0x0000000002290000-0x00000000022C6000-memory.dmp

      Filesize

      216KB

    • memory/2324-140-0x0000000004D50000-0x0000000005378000-memory.dmp

      Filesize

      6.2MB

    • memory/2324-150-0x0000000006090000-0x00000000060C2000-memory.dmp

      Filesize

      200KB

    • memory/2324-155-0x0000000006E80000-0x0000000006E9A000-memory.dmp

      Filesize

      104KB

    • memory/5028-132-0x00000000002A0000-0x000000000035E000-memory.dmp

      Filesize

      760KB

    • memory/5028-138-0x0000000008AF0000-0x0000000008B56000-memory.dmp

      Filesize

      408KB

    • memory/5028-136-0x0000000008730000-0x00000000087CC000-memory.dmp

      Filesize

      624KB

    • memory/5028-135-0x0000000004D10000-0x0000000004D1A000-memory.dmp

      Filesize

      40KB

    • memory/5028-134-0x0000000004D80000-0x0000000004E12000-memory.dmp

      Filesize

      584KB

    • memory/5028-133-0x0000000005290000-0x0000000005834000-memory.dmp

      Filesize

      5.6MB