Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

Setup.exe

windows7-x64

10

Setup.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    115s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/05/2023, 06:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Setup.exe

  • Size

    1024.0MB

  • MD5

    5e379c09784c0b093d430f5438ea881d

  • SHA1

    b73aecf39e5909bc972ca3eabc147c30dbde4caf

  • SHA256

    bfe4a7fd2312bac3c06a31985a1884be39af15aa310c5396bbb4d51a23324499

  • SHA512

    ac28d28e5ec9a5a5b0ff5621fa4213bf4c54ab3937d2efc0abf1ffd71f18ae7ef31b0e15e75168d3f7ba4e3f9aaae2bc868996b5c83e11efe42427a0a648be60

  • SSDEEP

    98304:h77a3TZRRiRRRwRRRRRRR6RURRFRRRRdRRRRRRJRRRRRRRRRRRRRRER7RRRRRRRS:h77BmnfzuL21F5oQegx+U

Score
9/10
evasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Uses the VBS compiler for execution 1 TTPs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2288
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
      2⤵
        PID:3996
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
        2⤵
          PID:1932
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
          2⤵
            PID:3120
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
            2⤵
              PID:1040
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
              2⤵
                PID:2156
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
                2⤵
                  PID:4948
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
                  2⤵
                    PID:1940
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
                    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
                    2⤵
                      PID:2952
                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
                      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
                      2⤵
                        PID:1372
                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
                        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
                        2⤵
                          PID:3220
                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
                          2⤵
                            PID:3216
                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
                            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
                            2⤵
                              PID:1452
                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
                              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
                              2⤵
                                PID:692
                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
                                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
                                2⤵
                                  PID:2808
                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
                                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
                                  2⤵
                                    PID:756
                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
                                    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
                                    2⤵
                                      PID:980
                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
                                      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
                                      2⤵
                                        PID:396
                                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
                                        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
                                        2⤵
                                          PID:1136
                                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
                                          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
                                          2⤵
                                            PID:1120
                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
                                            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
                                            2⤵
                                              PID:424
                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
                                              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
                                              2⤵
                                                PID:3080
                                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
                                                2⤵
                                                  PID:1140
                                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
                                                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
                                                  2⤵
                                                    PID:752
                                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
                                                    2⤵
                                                      PID:4592
                                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
                                                      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
                                                      2⤵
                                                        PID:2116
                                                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
                                                        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
                                                        2⤵
                                                          PID:1212
                                                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
                                                          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
                                                          2⤵
                                                            PID:4896
                                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
                                                            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
                                                            2⤵
                                                              PID:3240
                                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
                                                              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
                                                              2⤵
                                                                PID:3940
                                                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
                                                                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
                                                                2⤵
                                                                  PID:1224
                                                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
                                                                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
                                                                  2⤵
                                                                    PID:2504

                                                                Network

                                                                MITRE ATT&CK Enterprise v6

                                                                Replay Monitor

                                                                Loading Replay Monitor...

                                                                Downloads

                                                                • memory/2288-134-0x00000000004E0000-0x000000000099C000-memory.dmp

                                                                  Filesize

                                                                  4.7MB

                                                                  Download

                                                                • memory/2288-135-0x000001CF7FF00000-0x000001CF7FF76000-memory.dmp

                                                                  Filesize

                                                                  472KB

                                                                  Download

                                                                • memory/2288-136-0x00000000004E0000-0x000000000099C000-memory.dmp

                                                                  Filesize

                                                                  4.7MB

                                                                  Download

                                                                • memory/2288-137-0x00007FFF00000000-0x00007FFF00002000-memory.dmp

                                                                  Filesize

                                                                  8KB

                                                                  Download

                                                                • memory/2288-138-0x00007FFF00030000-0x00007FFF00031000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                  Download

                                                                • memory/2288-139-0x000001CF67640000-0x000001CF6765E000-memory.dmp

                                                                  Filesize

                                                                  120KB

                                                                  Download

                                                                • memory/2288-140-0x000001CF00D60000-0x000001CF00D70000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                  Download

                                                                • memory/2288-144-0x00000000004E0000-0x000000000099C000-memory.dmp

                                                                  Filesize

                                                                  4.7MB

                                                                  Download