Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

9

Static

static

3

5b7e022f50...7d.exe

windows10-2004-x64

9

Resubmissions

31/05/2023, 15:39

230531-s3qrvagc31 9

31/05/2023, 11:18

230531-neex8aee66 9

27/11/2022, 11:41

221127-ntgeladh62 9

Analysis

  • max time kernel
    2700s
  • max time network
    2702s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/05/2023, 15:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5b7e022f5009004985b34cf091d06752c765a25b445a46050eef51a17be8267d.exe

  • Size

    2.2MB

  • MD5

    55c447191d9566c7442e25c4caf0d2fe

  • SHA1

    646762cee3a5caab9accd21efcb100cd49b8ef8a

  • SHA256

    5b7e022f5009004985b34cf091d06752c765a25b445a46050eef51a17be8267d

  • SHA512

    9da8d4eb744308253f9befc238f4d1bd3122e06aa578b50ad2d27cb7a11d76fd1a95428df66ef287783139e5d3c8bf10d6fca6833867f8285cd06637843faa7e

  • SSDEEP

    49152:ZQwS6fiVzAdAqfR8K+CQmh2l2qf4LSQmCRnXhRaNQRWGNfbzQUo:+N6aVzAyqfnzQf4LptnXasW4fwU

Score
9/10
evasion

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5b7e022f5009004985b34cf091d06752c765a25b445a46050eef51a17be8267d.exe
    "C:\Users\Admin\AppData\Local\Temp\5b7e022f5009004985b34cf091d06752c765a25b445a46050eef51a17be8267d.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1796
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /delete /TN Microsoft\Windows\Shell\Init /F
      2⤵
        PID:4420
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /create /F /sc onstart /tn Microsoft\Windows\Shell\Init /tr "\"C:\Windows\System\jjo9yFnq\wCPAG.exe\"" /ru system
        2⤵
        • Creates scheduled task(s)
        PID:4144
      • C:\Windows\System\jjo9yFnq\wCPAG.exe
        "C:\Windows\System\jjo9yFnq\wCPAG.exe"
        2⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Loads dropped DLL
        • Drops file in Windows directory
        PID:3712
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\5B7E02~1.EXE >> NUL
        2⤵
          PID:4084

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\4D74.tmp
        Filesize

        106KB

        MD5

        d6ce4b6db8407ca80193ede96d812bb7

        SHA1

        0a181d703e3adf1b3b9f043559e1952446a0b0cd

        SHA256

        7127ea6a185af63fc77fa2a7f87605d981a15c90277eaa3e9899d333e2e108e2

        SHA512

        25a1e5f60571486c1fd23dde44ca565a3bac051542831d9a24484a9c160e5ca9322daa376ab3a5bdc397113b61227955d4d951987cc01e9b18556f3513a9ab87

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\BA0E.tmp
        Filesize

        106KB

        MD5

        d6ce4b6db8407ca80193ede96d812bb7

        SHA1

        0a181d703e3adf1b3b9f043559e1952446a0b0cd

        SHA256

        7127ea6a185af63fc77fa2a7f87605d981a15c90277eaa3e9899d333e2e108e2

        SHA512

        25a1e5f60571486c1fd23dde44ca565a3bac051542831d9a24484a9c160e5ca9322daa376ab3a5bdc397113b61227955d4d951987cc01e9b18556f3513a9ab87

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\BA0E.tmp
        Filesize

        106KB

        MD5

        d6ce4b6db8407ca80193ede96d812bb7

        SHA1

        0a181d703e3adf1b3b9f043559e1952446a0b0cd

        SHA256

        7127ea6a185af63fc77fa2a7f87605d981a15c90277eaa3e9899d333e2e108e2

        SHA512

        25a1e5f60571486c1fd23dde44ca565a3bac051542831d9a24484a9c160e5ca9322daa376ab3a5bdc397113b61227955d4d951987cc01e9b18556f3513a9ab87

        Download Submit

      • C:\Windows\System\jjo9yFnq\wCPAG.exe
        Filesize

        2.2MB

        MD5

        55c447191d9566c7442e25c4caf0d2fe

        SHA1

        646762cee3a5caab9accd21efcb100cd49b8ef8a

        SHA256

        5b7e022f5009004985b34cf091d06752c765a25b445a46050eef51a17be8267d

        SHA512

        9da8d4eb744308253f9befc238f4d1bd3122e06aa578b50ad2d27cb7a11d76fd1a95428df66ef287783139e5d3c8bf10d6fca6833867f8285cd06637843faa7e

        Download Submit

      • C:\Windows\System\jjo9yFnq\wCPAG.exe
        Filesize

        2.2MB

        MD5

        55c447191d9566c7442e25c4caf0d2fe

        SHA1

        646762cee3a5caab9accd21efcb100cd49b8ef8a

        SHA256

        5b7e022f5009004985b34cf091d06752c765a25b445a46050eef51a17be8267d

        SHA512

        9da8d4eb744308253f9befc238f4d1bd3122e06aa578b50ad2d27cb7a11d76fd1a95428df66ef287783139e5d3c8bf10d6fca6833867f8285cd06637843faa7e

        Download Submit

      • memory/1796-133-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/1796-135-0x0000000004A00000-0x0000000004A01000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1796-134-0x00000000049F0000-0x00000000049F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1796-136-0x0000000004A10000-0x0000000004A11000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1796-137-0x00000000049E0000-0x00000000049E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1796-138-0x00000000049A0000-0x00000000049A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1796-139-0x00000000049D0000-0x00000000049D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1796-140-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/1796-141-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/1796-142-0x00000000049B0000-0x00000000049B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1796-150-0x0000000004A20000-0x0000000004A21000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1796-151-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/1796-153-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/1796-157-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-190-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-200-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-159-0x00000000049D0000-0x00000000049D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3712-162-0x00000000049C0000-0x00000000049C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3712-161-0x00000000049F0000-0x00000000049F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3712-163-0x0000000004980000-0x0000000004981000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3712-164-0x00000000049B0000-0x00000000049B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3712-165-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-166-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-167-0x0000000004990000-0x0000000004991000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3712-175-0x0000000004A00000-0x0000000004A01000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3712-176-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-177-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-178-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-179-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-180-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-181-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-182-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-183-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-184-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-185-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-186-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-187-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-188-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-189-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-158-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-191-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-192-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-193-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-194-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-195-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-196-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-197-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-198-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-199-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-160-0x00000000049E0000-0x00000000049E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3712-201-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-202-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-203-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-204-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-205-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-206-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-207-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-208-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-209-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-210-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-211-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-212-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-213-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-214-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-215-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-216-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-217-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-218-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-219-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-220-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-221-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-222-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-223-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-224-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-225-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-226-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-227-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-228-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-229-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-230-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-231-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-232-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-233-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3712-234-0x0000000000400000-0x00000000008F8000-memory.dmp

        Filesize

        5.0MB

        Download