Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

9

Static

static

7

WaterX/waterx.exe

windows7-x64

9

WaterX/waterx.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/05/2023, 07:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WaterX/waterx.exe

  • Size

    5.1MB

  • MD5

    6a774cdac85aef960516a02d0a6d504b

  • SHA1

    f7cd4171c42337a938fdb2d6b67191eb492885db

  • SHA256

    517d8ea847af39d0dbe01a53705edfa43a69e4ebf0aeb80bf4cf2beb8961c856

  • SHA512

    6116c93ce51167d705baa6a856b1713ef5c4e54201ce6e7b51ac422cc69b45162fd23534946bd0325881d68a4c070f21a9ad483e3697c6eb5c233458f113e2f7

  • SSDEEP

    98304:LYoQQWXDaQGUK76Iw8T2mx+V+iQgXLDLKZzyNxWIa3zYswKJ/BAw:LYoQNEr76Y6mx+VXJiIGIa3z/wdw

Score
9/10
evasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\WaterX\waterx.exe
    "C:\Users\Admin\AppData\Local\Temp\WaterX\waterx.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:1728

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1728-133-0x0000000000D50000-0x0000000001A30000-memory.dmp

    Filesize

    12.9MB

    Download

  • memory/1728-136-0x0000000000D50000-0x0000000001A30000-memory.dmp

    Filesize

    12.9MB

    Download

  • memory/1728-137-0x0000000000D50000-0x0000000001A30000-memory.dmp

    Filesize

    12.9MB

    Download

  • memory/1728-138-0x0000000005F90000-0x0000000006534000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1728-139-0x0000000005A70000-0x0000000005A80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1728-140-0x0000000005B20000-0x0000000005BB2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1728-146-0x000000000A950000-0x000000000A958000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1728-147-0x0000000005A70000-0x0000000005A80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1728-148-0x0000000005A70000-0x0000000005A80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1728-149-0x000000000AFB0000-0x000000000AFE8000-memory.dmp

    Filesize

    224KB

    Download

  • memory/1728-150-0x000000000AF70000-0x000000000AF7E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1728-151-0x0000000005A70000-0x0000000005A80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1728-153-0x0000000000D50000-0x0000000001A30000-memory.dmp

    Filesize

    12.9MB

    Download

  • memory/1728-154-0x0000000005A70000-0x0000000005A80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1728-155-0x0000000005A70000-0x0000000005A80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1728-156-0x0000000005A70000-0x0000000005A80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1728-157-0x0000000005A70000-0x0000000005A80000-memory.dmp

    Filesize

    64KB

    Download