Analysis

- Max time kernel: 151s
- Max time network: 153s
- Platform: windows10-2004_x64
- Resource: win10v2004-20230220-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 03/05/2023, 07:34
Behavioral task: behavioral1

- Sample: WaterX/waterx.exe
- Resource: win7-20230220-en
- Signatures: 10
- Run time: 150 seconds
General

- Target: WaterX/waterx.exe
- Size: 5.1MB
- MD5: 6a774cdac85aef960516a02d0a6d504b
- SHA1: f7cd4171c42337a938fdb2d6b67191eb492885db
- SHA256: 517d8ea847af39d0dbe01a53705edfa43a69e4ebf0aeb80bf4cf2beb8961c856
- SHA512: 6116c93ce51167d705baa6a856b1713ef5c4e54201ce6e7b51ac422cc69b45162fd23534946bd0325881d68a4c070f21a9ad483e3697c6eb5c233458f113e2f7
- SSDEEP: 98304:LYoQQWXDaQGUK76Iw8T2mx+V+iQgXLDLKZzyNxWIa3zYswKJ/BAw:LYoQNEr76Y6mx+VXJiIGIa3z/wdw
Malware Config

(none extracted)

Signatures

- Identifies VirtualBox via ACPI registry values (likely anti-VM) - 2 TTPs, 1 IoC
  description: Key opened
  ioc: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
  process: waterx.exe

- Checks BIOS information in registry - 2 TTPs, 2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  process: waterx.exe
  description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
  process: waterx.exe

- YARA rule match: themida (packer) - 2 IoCs
  resource: behavioral2/memory/1728-136-0x0000000000D50000-0x0000000001A30000-memory.dmp
  yara_rule: themida
  resource: behavioral2/memory/1728-137-0x0000000000D50000-0x0000000001A30000-memory.dmp
  yara_rule: themida

- Checks whether UAC is enabled - 1 IoC
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: waterx.exe

- Suspicious use of NtSetInformationThreadHideFromDebugger - 1 IoC
  pid: 1728
  process: waterx.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\WaterX\waterx.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\WaterX\waterx.exe"
  PID: 1728
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger