Analysis
- max time kernel: 57s
- max time network: 176s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/03/2023, 14:38
Behavioral task: behavioral1
- Sample: d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
- Resource: win10v2004-20230220-en
General
- Target: d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
- Size: 3.4MB
- MD5: 780e2eb727a2a278795471059f4d6b33
- SHA1: 2911c5de51eaf1ae82e96fc26c1505cbfa7f0641
- SHA256: d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824
- SHA512: bf1748e47377290b9356d6ac5f42cfdc974117cc21e901d5443f71348930af37d6eaf3d8363464297454560396ea1d87cc5804b415d1fb8db01a5859ff3026ed
- SSDEEP: 98304:OWYHz9DAMmWXxVkYIs0xQIk5Zq7IvQEJ/lnvf0xSOS:KHz9MP1s0LkTqUvbhNvfdp
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (Process: d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Process: d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Process: d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - Key created: \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows\CurrentVersion\Run (Process: d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GOLVTL = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\taskmgr.exe\"" (Process: d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe)
- Checks whether UAC is enabled
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Process: d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe)
- AutoIT Executable (22 IoCs)
  AutoIT scripts compiled to PE executables.
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  - PID 1388: d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- NTFS ADS (1 IoC)
  - File opened for modification: C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\root\SecurityCenter2 (Process: d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  - PID 1388: d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  - PID 1388 wrote to memory of 4732 (Process: d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe, target PID 84)
  - PID 1388 wrote to memory of 4732 (Process: d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe, target PID 84)
  - PID 1388 wrote to memory of 4732 (Process: d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe, target PID 84)
Processes
1. C:\Users\Admin\AppData\Local\Temp\d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe"
   PID: 1388
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Adds Run key to start application
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - NTFS ADS
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WSCript.exe
      Command line: WSCript C:\Users\Admin\AppData\Local\Temp\GOLVTL.vbs
      PID: 4732
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 948B
- MD5: a8979a46bea01e4f49ae88e0d729dcf1
- SHA1: 0979caed1b16b7bc10715edada511b8bfb95ec4d
- SHA256: 8af86d6e622edfc16d1aa189ba5792cfe1d9f62b7e8420be6d423a72774e5499
- SHA512: 82c6f66cfec913995dddde7b81d2b065e02f5c8a1d7bfa947d38949c0efd6a74a149b0f31e4899821332c7e6c4ea23fa78caacae17b765202b946f86cf1d5c8b