Analysis
max time kernel: 1737s
max time network: 1585s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/06/2023, 11:59
General
Target: D8x3dO.exe
Size: 5.8MB
MD5: 5aec1e1e8da9cef6dd15fb1c89ce7024
SHA1: ab94bfd4590d645132bc12c00cae180aad964209
SHA256: e90e66c522960f6ab1d73c7d49fa415e4f69835d290dbb547384f1aa127b15a0
SHA512: c1ddc25d00efefb2d8477c33aeb816d6808e5357e225af369e170d98e8e84ea1dc96ec5239e4055cfc4a031a7a097351627df6471f58fcc78c777130e041184e
SSDEEP: 98304:MNyndhBjfRDH7PWQbHhF5vftT/ZeZeA5rb2re/FaJXU5Y3KPejnKMV:MUfBRDH7X7X5vlTZNGTQ9l3xO6
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)  2 TTPs  1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | D8x3dO.exe

Checks BIOS information in registry  2 TTPs  2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | D8x3dO.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | D8x3dO.exe

resource | yara_rule
behavioral1/memory/3016-133-0x00007FF613C70000-0x00007FF614B66000-memory.dmp | themida
behavioral1/memory/3016-134-0x00007FF613C70000-0x00007FF614B66000-memory.dmp | themida
behavioral1/memory/3016-135-0x00007FF613C70000-0x00007FF614B66000-memory.dmp | themida
behavioral1/memory/3016-136-0x00007FF613C70000-0x00007FF614B66000-memory.dmp | themida
behavioral1/memory/3016-137-0x00007FF613C70000-0x00007FF614B66000-memory.dmp | themida
behavioral1/memory/3016-138-0x00007FF613C70000-0x00007FF614B66000-memory.dmp | themida
behavioral1/memory/3016-139-0x00007FF613C70000-0x00007FF614B66000-memory.dmp | themida
behavioral1/memory/3016-140-0x00007FF613C70000-0x00007FF614B66000-memory.dmp | themida
behavioral1/memory/3016-141-0x00007FF613C70000-0x00007FF614B66000-memory.dmp | themida
behavioral1/memory/3016-142-0x00007FF613C70000-0x00007FF614B66000-memory.dmp | themida
behavioral1/memory/3016-143-0x00007FF613C70000-0x00007FF614B66000-memory.dmp | themida
behavioral1/memory/3016-144-0x00007FF613C70000-0x00007FF614B66000-memory.dmp | themida

Checks whether UAC is enabled  1 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | D8x3dO.exe
Suspicious use of NtSetInformationThreadHideFromDebugger  1 IoCs
pid | Process
3016 | D8x3dO.exe

Checks SCSI registry key(s)  3 TTPs  3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe

Suspicious behavior: EnumeratesProcesses  13 IoCs
pid | Process
2268 | taskmgr.exe  (13 identical entries)

Suspicious use of AdjustPrivilegeToken  5 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2268 | taskmgr.exe
Token: SeSystemProfilePrivilege | 2268 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 2268 | taskmgr.exe
Token: 33 | 2268 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 2268 | taskmgr.exe

Suspicious use of FindShellTrayWindow  38 IoCs
pid | Process
2268 | taskmgr.exe  (38 identical entries)

Suspicious use of SendNotifyMessage  38 IoCs
pid | Process
2268 | taskmgr.exe  (38 identical entries)

Suspicious use of WriteProcessMemory  2 IoCs
description | pid | Process | procid_target
PID 3016 wrote to memory of 3828 | 3016 | D8x3dO.exe | 87
PID 3016 wrote to memory of 3828 | 3016 | D8x3dO.exe | 87
Processes

C:\Users\Admin\AppData\Local\Temp\D8x3dO.exe  (level 1, PID: 3016)
  Command line: "C:\Users\Admin\AppData\Local\Temp\D8x3dO.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe  (level 2, PID: 3828)
      Command line: C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\taskmgr.exe  (level 1, PID: 2268)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage