Analysis
- max time kernel: 45s
- max time network: 48s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 31/03/2023, 21:34
Static task: static1
Behavioral task: behavioral1
- Sample: RUT V3.exe
- Resource: win7-20230220-en
- 7 signatures
- 150 seconds
General
- Target: RUT V3.exe
- Size: 10.6MB
- MD5: a77c3c4678f20357d92bf98a5aa8979d
- SHA1: 1c1dbc0b54b20844e0b2ed1f4877bdcd6e062081
- SHA256: 5db7e3cba3a56ea7265ac824f5b3bd64853e42c4fa9eb8a5e706bcad5acdff0e
- SHA512: d896a03e3d3fc4f28cc07b718e289350b87fbd896bdf3fd487bfb3686afe4c35dd87cbe519cdb9b352c5426ae5c17733f106b8c1a7176a8e5cf85597b6af35f8
- SSDEEP: 196608:2tz+SDWS8v80ix2Wa88Vb6FN20vmtmeZfev0O1m1kc6knjeaOPYhCFK/WyoZ:kcv8F2Wa8ukNeZmcORc9n3rwK/BoZ
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | RUT V3.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | RUT V3.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | RUT V3.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Checks whether UAC is enabled (1 IoC)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RUT V3.exe
- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  1328 | 2028 | WerFault.exe | 27
  pid_target 2028 is RUT V3.exe itself, so the sample crashed on this image and the behavioural record covers only what it did before the crash.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeSystemEnvironmentPrivilege | 2028 | RUT V3.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 2028 wrote to memory of 1328 | 2028 | RUT V3.exe | 29
  PID 2028 wrote to memory of 1328 | 2028 | RUT V3.exe | 29
  PID 2028 wrote to memory of 1328 | 2028 | RUT V3.exe | 29
  The target, PID 1328, is the WerFault.exe instance that RUT V3.exe spawned when it crashed (see Processes below), so these writes are consistent with the crash-reporting hand-off to its own child rather than with injection into an unrelated process.
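To make the registry-based signatures above concrete, the following is an added example, not Hatching Triage's own signature engine: it applies the same four registry rules (VirtualBox ACPI key, BIOS version values, EnableLUA, Uninstall enumeration) to a constructed list of sandbox registry events modelled on the ioc rows in this report. The RegEvent record shape, the RULES table and the sample events are assumptions; the ACPI rule also accepts the FADT and RSDT tables, which VirtualBox populates with the same VBOX__ id, whereas the report itself only shows DSDT.

```python
"""Added example: apply the registry-based signatures from this report to a
constructed list of sandbox registry events. Illustrative code, not Hatching
Triage's own signature engine; the RegEvent record shape and the RULES table
are assumptions modelled on the 'description / ioc / Process' rows above."""
import re
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class RegEvent:
    op: str       # "key_open" or "value_query", mirroring the report's descriptions
    path: str     # NT-style registry path, as the sandbox logs it
    pid: int
    process: str


# (signature name, required operation or None for any, path pattern).
# Registry paths are case-insensitive, so every pattern uses re.I.
# The ACPI rule also accepts FADT and RSDT, which VirtualBox populates with
# the same OEM id (assumption going beyond the report, which shows only DSDT).
RULES = [
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)",
     "key_open",
     re.compile(r"^\\REGISTRY\\MACHINE\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)),
    ("Checks BIOS information in registry",
     "value_query",
     re.compile(r"^\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I)),
    ("Checks whether UAC is enabled",
     "value_query",
     re.compile(r"\\Policies\\System\\EnableLUA$", re.I)),
    ("Checks installed software on the system",
     None,
     re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\", re.I)),
]


def match_signatures(events: Iterable[RegEvent]) -> dict[str, list[RegEvent]]:
    """Return {signature name: [matching events]}, keyed in order of first hit."""
    hits: dict[str, list[RegEvent]] = {}
    for ev in events:
        for name, op, pattern in RULES:
            if op is not None and ev.op != op:
                continue
            if pattern.search(ev.path):
                hits.setdefault(name, []).append(ev)
    return hits


def ioc_counts(hits: dict[str, list[RegEvent]]) -> dict[str, int]:
    """Per-signature IoC counts, i.e. the 'N IoCs' figure shown beside each signature."""
    return {name: len(evs) for name, evs in hits.items()}


# Constructed events reproducing the rows in this report (PID 2028 = RUT V3.exe),
# plus one unrelated version query that must not trigger anything.
SAMPLE_EVENTS = [
    RegEvent("key_open", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", 2028, "RUT V3.exe"),
    RegEvent("value_query", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", 2028, "RUT V3.exe"),
    RegEvent("value_query", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", 2028, "RUT V3.exe"),
    RegEvent("value_query", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", 2028, "RUT V3.exe"),
    RegEvent("value_query", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentVersion", 2028, "RUT V3.exe"),
]

if __name__ == "__main__":
    for name, n in ioc_counts(match_signatures(SAMPLE_EVENTS)).items():
        print(f"{name}: {n} IoC(s)")
```

Running it against SAMPLE_EVENTS yields the same three registry signatures and IoC counts (1, 2, 1) that the report shows for the sample; the Uninstall rule fires on nothing, matching the report's "1 TTPs" entry with no ioc rows. Anchoring the ACPI and BIOS patterns at the start of the path keeps a user-hive key with the same suffix from matching.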
Processes
- C:\Users\Admin\AppData\Local\Temp\RUT V3.exe (PID 2028)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RUT V3.exe"
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\WerFault.exe (PID 1328)
    Command line: C:\Windows\system32\WerFault.exe -u -p 2028 -s 356
    Signatures:
    - Program crash