Analysis
- max time kernel: 72s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-20230621-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/06/2023, 14:28
Behavioral task: behavioral1
- Sample: 5b401c1e2d29dc0d4ea552f872adcba2db55e85182cdfc86e955a6b12d580f76.exe
- Resource: win7-20230621-en
General
- Target: 5b401c1e2d29dc0d4ea552f872adcba2db55e85182cdfc86e955a6b12d580f76.exe
- Size: 3.9MB
- MD5: 29d48c1a6adcb603baedeb81ecb746a2
- SHA1: 65a8cdb82e062ec5bb93465525e8d7b7f7e1761b
- SHA256: 5b401c1e2d29dc0d4ea552f872adcba2db55e85182cdfc86e955a6b12d580f76
- SHA512: 3aed36bd734fa90c2ff741af23deef52f17d764a66bd59319ace7193baf1fa44090179e5c907720e112c1741fcf2c25f0d088682ba37c8a93c003512a64b134f
- SSDEEP: 98304:4LrEGCBmFA+vgV4jjoNEZ2XyvgrpZsMSmI7+RAzI0:4HErBiA464jcNEAXWgrpZsMSD7+h0
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by 5b401c1e2d29dc0d4ea552f872adcba2db55e85182cdfc86e955a6b12d580f76.exe
  VirtualBox stamps its ACPI tables with the OEM ID VBOX, so the mere existence of this key is a direct guest-VM tell; the sample does not need to read any value under it.
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments. Inventory, licensing and driver software read the same two values, so this check is weak on its own; it carries weight here because it sits next to an explicit VirtualBox lookup and anti-debug behaviour.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by 5b401c1e2d29dc0d4ea552f872adcba2db55e85182cdfc86e955a6b12d580f76.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by 5b401c1e2d29dc0d4ea552f872adcba2db55e85182cdfc86e955a6b12d580f76.exe
- YARA rule match: themida (3 IoCs)
  behavioral2/memory/2176-136-0x0000000000F00000-0x000000000188E000-memory.dmp
  behavioral2/memory/2176-137-0x0000000000F00000-0x000000000188E000-memory.dmp
  behavioral2/memory/2176-149-0x0000000000F00000-0x000000000188E000-memory.dmp
  All three hits are dumps of the same mapped region of PID 2176 (0xF00000-0x188E000, about 9.5MB against a 3.9MB file on disk), taken at different points in the run. Themida is a commercial protector whose runtime carries its own VM and debugger checks, which is consistent with the anti-VM and anti-debug signatures on this page.
- Checks whether UAC is enabled (1 IoC)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by 5b401c1e2d29dc0d4ea552f872adcba2db55e85182cdfc86e955a6b12d580f76.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  PID 2176, 5b401c1e2d29dc0d4ea552f872adcba2db55e85182cdfc86e955a6b12d580f76.exe
  NtSetInformationThread with ThreadHideFromDebugger (information class 0x11) stops the calling thread from delivering debug events, so an attached debugger loses visibility of it and breakpoints on that thread no longer surface.
- Delays execution with timeout.exe (1 IoC)
  PID 4020, timeout.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  PID 2176, 5b401c1e2d29dc0d4ea552f872adcba2db55e85182cdfc86e955a6b12d580f76.exe (5 events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 2176, 5b401c1e2d29dc0d4ea552f872adcba2db55e85182cdfc86e955a6b12d580f76.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2176 (5b401c1e2d29dc0d4ea552f872adcba2db55e85182cdfc86e955a6b12d580f76.exe) wrote to memory of PID 224 (cmd.exe), procid_target 91, 3 events
  PID 224 (cmd.exe) wrote to memory of PID 4020 (timeout.exe), procid_target 93, 3 events
  Each write targets a child the writer had just spawned (see the process tree below), which is the pattern process creation itself produces when the parent populates the new process, rather than injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\5b401c1e2d29dc0d4ea552f872adcba2db55e85182cdfc86e955a6b12d580f76.exe (PID 2176)
   Command line: "C:\Users\Admin\AppData\Local\Temp\5b401c1e2d29dc0d4ea552f872adcba2db55e85182cdfc86e955a6b12d580f76.exe"
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (PID 224)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp96B7.tmp.bat""
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\timeout.exe (PID 4020)
         Command line: timeout 5
         - Delays execution with timeout.exe

The number in front of each entry is its depth in the tree. Note that the command line names C:\Windows\system32\cmd.exe while the image that actually ran is C:\Windows\SysWOW64\cmd.exe: a SysWOW64 image path means the process is 32-bit, so the sample is a 32-bit executable and WoW64 file-system redirection mapped its system32 reference to SysWOW64. The same applies to timeout.exe. The sample writes a batch file to Temp and runs it through cmd.exe /c; timeout 5 sleeps for five seconds before the batch file continues.
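The registry lookups listed under Signatures and the cmd.exe -> timeout.exe chain in the process tree, re-derived from sandbox-style events as an added example; this is the editor's code, not tria.ge's signature engine. The Event schema, its field names and the EVENTS list are assumptions constructed to mirror this report's IoCs (plus one benign registry read), and the VirtualBox check is broadened beyond the page's single DSDT key to the FADT and RSDT keys, which VirtualBox stamps with the same VBOX__ OEM ID.

```python
"""Editor-added example: re-derive this report's registry-based anti-analysis
signatures and its cmd.exe -> timeout.exe delay chain from sandbox-style events.
Not tria.ge code; the Event schema and the EVENTS list are constructed to
mirror the IoCs on the page."""
import re
from dataclasses import dataclass

# Registry tells, matched case-insensitively because Windows registry paths are.
# The page shows only the DSDT key; FADT and RSDT carry the same VBOX__ OEM ID.
VBOX_ACPI_RE = re.compile(
    r"^\\REGISTRY\\MACHINE\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$", re.I)
BIOS_VALUES = {
    r"\registry\machine\hardware\description\system\systembiosversion",
    r"\registry\machine\hardware\description\system\videobiosversion",
}
UAC_VALUE = (r"\registry\machine\software\microsoft\windows\currentversion"
             r"\policies\system\enablelua")


@dataclass
class Event:
    kind: str          # "reg_open", "reg_query" or "proc_create" (assumed schema)
    pid: int
    image: str         # image path, or the process name as the sandbox logs it
    key: str = ""      # registry path for reg_* events
    ppid: int = 0      # parent PID for proc_create events
    cmdline: str = ""  # command line for proc_create events


def registry_signatures(events):
    """Map each registry-based signature name to the events that triggered it."""
    hits = {}
    for e in events:
        if e.kind not in ("reg_open", "reg_query"):
            continue
        k = e.key.lower()
        if VBOX_ACPI_RE.match(e.key):
            name = "Identifies VirtualBox via ACPI registry values"
        elif k in BIOS_VALUES:
            name = "Checks BIOS information in registry"
        elif k == UAC_VALUE:
            name = "Checks whether UAC is enabled"
        else:
            continue  # e.g. an ordinary ProductName read: not an indicator
        hits.setdefault(name, []).append(e)
    return hits


def delay_chains(events, min_seconds=1):
    """Find <origin> -> cmd.exe /c <x>.bat -> timeout N chains and return
    (origin image, batch command line, N) for each one with N >= min_seconds."""
    procs = {e.pid: e for e in events if e.kind == "proc_create"}
    chains = []
    for e in procs.values():
        if not e.image.lower().endswith("\\timeout.exe"):
            continue
        m = re.match(r"^timeout(?:\.exe)?\s+(?:/t\s+)?(\d+)", e.cmdline, re.I)
        if not m or int(m.group(1)) < min_seconds:
            continue
        parent = procs.get(e.ppid)
        if parent is None or not parent.image.lower().endswith("\\cmd.exe"):
            continue
        if not re.search(r"\.bat\b", parent.cmdline, re.I):
            continue
        origin = procs.get(parent.ppid)
        chains.append((origin.image if origin else None, parent.cmdline, int(m.group(1))))
    return chains


# Constructed events reproducing the IoCs and process tree from this report,
# plus one benign registry read to show that it is ignored.
SAMPLE = "5b401c1e2d29dc0d4ea552f872adcba2db55e85182cdfc86e955a6b12d580f76.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
HW = r"\REGISTRY\MACHINE\HARDWARE"
EVENTS = [
    Event("reg_open", 2176, SAMPLE, key=HW + r"\ACPI\DSDT\VBOX__"),
    Event("reg_query", 2176, SAMPLE, key=HW + r"\DESCRIPTION\System\SystemBiosVersion"),
    Event("reg_query", 2176, SAMPLE, key=HW + r"\DESCRIPTION\System\VideoBiosVersion"),
    Event("reg_query", 2176, SAMPLE, key=r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows"
                                         r"\CurrentVersion\Policies\System\EnableLUA"),
    Event("reg_query", 2176, SAMPLE, key=r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT"
                                         r"\CurrentVersion\ProductName"),
    Event("proc_create", 2176, TEMP + "\\" + SAMPLE, cmdline='"%s\\%s"' % (TEMP, SAMPLE)),
    Event("proc_create", 224, r"C:\Windows\SysWOW64\cmd.exe", ppid=2176,
          cmdline=r'C:\Windows\system32\cmd.exe /c ""' + TEMP + r'\tmp96B7.tmp.bat""'),
    Event("proc_create", 4020, r"C:\Windows\SysWOW64\timeout.exe", ppid=224,
          cmdline="timeout 5"),
]

if __name__ == "__main__":
    for name, evs in registry_signatures(EVENTS).items():
        print(f"{name}: {len(evs)} IoC(s)")
    for origin, bat, secs in delay_chains(EVENTS):
        print(f"delay chain: {origin} -> {bat} -> timeout {secs}s")
```

The BIOS-version reads are reported separately from the VirtualBox key on purpose: inventory agents read the same two values, so that signature alone should not drive a verdict, whereas the VBOX__ key has no benign reason to be opened. The delay-chain rule insists on a cmd.exe parent running a .bat and a numeric timeout argument, so a timeout.exe invoked directly by an installer does not fire, and min_seconds lets you ignore sub-second sleeps.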
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 326B
  MD5: 5caaee05881b4e2968943c96cf929ba5
  SHA1: 11eb243c48b440b58d20d702d62e478cad36e704
  SHA256: eeca99cf84f6225363bcefb7e3cd4d72bc4384bbf596ce228e8b3d5e40189399
  SHA512: 788de9b25ce535ce841ee95796b95de09743c0af441c51912b13e419e17cd2857c9be089f5953c1a7897428a3ec8fd507dd8b3548eb1dc30546a613d60fafe98