Analysis
- max time kernel: 290s
- max time network: 36s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 14/03/2023, 22:20
Static task: static1
Behavioral task: behavioral1
- Sample: 6213ba0f7c174d6009e248ec97de6c4bd18bfd5b51ea27a3d186092d23b64dbb.exe
- Resource: win7-20230220-en
General
- Target: 6213ba0f7c174d6009e248ec97de6c4bd18bfd5b51ea27a3d186092d23b64dbb.exe
- Size: 3.4MB
- MD5: ec236b147253c8c3cf42b7fc2ccfb7cf
- SHA1: 115655d5c4170d66a3fbf32b54eede5e25b95299
- SHA256: 6213ba0f7c174d6009e248ec97de6c4bd18bfd5b51ea27a3d186092d23b64dbb
- SHA512: c9f731e80661bb95d0976c313964816297091f8612b64e3bd80630a0e2a2d311f18c0205d4a2e932c122fb12e53fc8c2fca89420fd0015e5128eaf356fc35fcd
- SSDEEP: 49152:VnPTOKMFrJmsf6/HAv4fVCnoYcNmCCyQaxfrLkWUhsZz2RNRenjqc4i3PHkVgXI/:ZaEU6/HWQ4noYOCtapQX9ejqcT3/SgY/
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: TemplatesTemplates-type2.6.0.1.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: TemplatesTemplates-type2.6.0.1.exe)
Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: TemplatesTemplates-type2.6.0.1.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: TemplatesTemplates-type2.6.0.1.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: TemplatesTemplates-type2.6.0.1.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: TemplatesTemplates-type2.6.0.1.exe)
Executes dropped EXE (2 IoCs)
- PID 1444: TemplatesTemplates-type2.6.0.1.exe
- PID 1096: TemplatesTemplates-type2.6.0.1.exe
Loads dropped DLL (4 IoCs)
- PID 888: AppLaunch.exe
- PID 888: AppLaunch.exe
- PID 1660: taskeng.exe
- PID 1660: taskeng.exe
Modifies file permissions (1 TTPs, 3 IoCs)
- PID 1476: icacls.exe
- PID 588: icacls.exe
- PID 596: icacls.exe
YARA rule matches (resource: yara_rule)
- behavioral1/files/0x00090000000122f4-68.dat: upx
- behavioral1/files/0x00090000000122f4-73.dat: upx
- behavioral1/files/0x00090000000122f4-72.dat: upx
- behavioral1/files/0x00090000000122f4-69.dat: upx
- behavioral1/memory/1444-77-0x000000013FA80000-0x000000013FF9F000-memory.dmp: upx
- behavioral1/files/0x00090000000122f4-76.dat: upx
- behavioral1/memory/1444-79-0x000000013FA80000-0x000000013FF9F000-memory.dmp: upx
- behavioral1/memory/1444-78-0x000000013FA80000-0x000000013FF9F000-memory.dmp: upx
- behavioral1/memory/1444-80-0x000000013FA80000-0x000000013FF9F000-memory.dmp: upx
- behavioral1/files/0x00090000000122f4-81.dat: upx
- behavioral1/files/0x00090000000122f4-83.dat: upx
- behavioral1/files/0x00090000000122f4-82.dat: upx
- behavioral1/memory/1096-84-0x000000013FDE0000-0x00000001402FF000-memory.dmp: upx
- behavioral1/memory/1096-85-0x000000013FDE0000-0x00000001402FF000-memory.dmp: upx
- behavioral1/memory/1096-87-0x000000013FDE0000-0x00000001402FF000-memory.dmp: upx
- behavioral1/memory/1096-88-0x000000013FDE0000-0x00000001402FF000-memory.dmp: upx
Checks whether UAC is enabled (2 IoCs)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: TemplatesTemplates-type2.6.0.1.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: TemplatesTemplates-type2.6.0.1.exe)
Suspicious use of SetThreadContext (1 IoCs)
- PID 932 set thread context of 888 (pid: 932, process: 6213ba0f7c174d6009e248ec97de6c4bd18bfd5b51ea27a3d186092d23b64dbb.exe, procid_target: 29)
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 1700: schtasks.exe
Suspicious use of WriteProcessMemory (44 IoCs; verbatim duplicate rows collapsed, with the number of occurrences shown)
- PID 932 wrote to memory of 888 (pid: 932, process: 6213ba0f7c174d6009e248ec97de6c4bd18bfd5b51ea27a3d186092d23b64dbb.exe, procid_target: 29) x9
- PID 888 wrote to memory of 1476 (pid: 888, process: AppLaunch.exe, procid_target: 30) x7
- PID 888 wrote to memory of 588 (pid: 888, process: AppLaunch.exe, procid_target: 31) x7
- PID 888 wrote to memory of 596 (pid: 888, process: AppLaunch.exe, procid_target: 33) x7
- PID 888 wrote to memory of 1700 (pid: 888, process: AppLaunch.exe, procid_target: 35) x7
- PID 888 wrote to memory of 1444 (pid: 888, process: AppLaunch.exe, procid_target: 38) x4
- PID 1660 wrote to memory of 1096 (pid: 1660, process: taskeng.exe, procid_target: 40) x3
Processes

Process (depth 1): C:\Users\Admin\AppData\Local\Temp\6213ba0f7c174d6009e248ec97de6c4bd18bfd5b51ea27a3d186092d23b64dbb.exe
  PID: 932
  Command line: "C:\Users\Admin\AppData\Local\Temp\6213ba0f7c174d6009e248ec97de6c4bd18bfd5b51ea27a3d186092d23b64dbb.exe"
  Signatures:
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    PID: 888
    Command line: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    Signatures:
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    Process (depth 3): C:\Windows\SysWOW64\icacls.exe
      PID: 1476
      Command line: "C:\Windows\System32\icacls.exe" "C:\ProgramData\TemplatesTemplates-type2.6.0.1" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
      Signatures:
      - Modifies file permissions

    Process (depth 3): C:\Windows\SysWOW64\icacls.exe
      PID: 588
      Command line: "C:\Windows\System32\icacls.exe" "C:\ProgramData\TemplatesTemplates-type2.6.0.1" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
      Signatures:
      - Modifies file permissions

    Process (depth 3): C:\Windows\SysWOW64\icacls.exe
      PID: 596
      Command line: "C:\Windows\System32\icacls.exe" "C:\ProgramData\TemplatesTemplates-type2.6.0.1" /inheritance:e /deny "admin:(R,REA,RA,RD)"
      Signatures:
      - Modifies file permissions

    Process (depth 3): C:\Windows\SysWOW64\schtasks.exe
      PID: 1700
      Command line: "C:\Windows\System32\schtasks.exe" /CREATE /TN "TemplatesTemplates-type2.6.0.1\TemplatesTemplates-type2.6.0.1" /TR "C:\ProgramData\TemplatesTemplates-type2.6.0.1\TemplatesTemplates-type2.6.0.1.exe" /SC MINUTE
      Signatures:
      - Creates scheduled task(s)

    Process (depth 3): C:\ProgramData\TemplatesTemplates-type2.6.0.1\TemplatesTemplates-type2.6.0.1.exe
      PID: 1444
      Command line: "C:\ProgramData\TemplatesTemplates-type2.6.0.1\TemplatesTemplates-type2.6.0.1.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      Signatures:
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks whether UAC is enabled

Process (depth 1): C:\Windows\system32\taskeng.exe
  PID: 1660
  Command line: taskeng.exe {DA9940C5-6995-405D-8D3F-C897BB253276} S-1-5-21-1283023626-844874658-3193756055-1000:THEQWNRW\Admin:Interactive:[1]
  Signatures:
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  Process (depth 2): C:\ProgramData\TemplatesTemplates-type2.6.0.1\TemplatesTemplates-type2.6.0.1.exe
    PID: 1096
    Command line: C:\ProgramData\TemplatesTemplates-type2.6.0.1\TemplatesTemplates-type2.6.0.1.exe
    Signatures:
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
Downloads