Analysis
max time kernel: 130s
max time network: 153s
platform: windows7_x64
resource: win7-20230703-en
resource tags: arch:x64, arch:x86, image:win7-20230703-en, locale:en-us, os:windows7-x64, system
submitted: 08/07/2023, 20:15
Static task: static1
Behavioral task: behavioral1
Sample: 3405a14bdc05e4bca019b1b36.exe
Resource: win7-20230703-en
General
Target: 3405a14bdc05e4bca019b1b36.exe
Size: 4.1MB
MD5: 71f04aa7d5c3232c7c2b9afad6777b53
SHA1: 617487d25e1b3c27112c918e54deb744c57e9fa9
SHA256: 3405a14bdc05e4bca019b1b364393e0d78b94bbd1f2652cb3106631610ee7269
SHA512: 1068c6162f07e6123c827e3f731047a7caee91dca6a1977a6236f49c6a162cadf6d7e6c0e29baa7a61c70d378ac9356029ce4330a2eab169aa15c03b2b731ffe
SSDEEP: 98304:CmICyUcKzmy4XlAD2R3e22RMHRPnZNCVb25cfFKG88ZvvRqgx:Cm/nzslADie22mHdZNh5078Cvv
Malware Config
Extracted
Family: laplas
http://lpls.tuktuk.ug
api_key: a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 3405a14bdc05e4bca019b1b36.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ntlhost.exe

Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3405a14bdc05e4bca019b1b36.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3405a14bdc05e4bca019b1b36.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ntlhost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ntlhost.exe

Executes dropped EXE (1 IoCs)
pid | Process
2120 | ntlhost.exe

Loads dropped DLL (1 IoCs)
pid | Process
2232 | 3405a14bdc05e4bca019b1b36.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | 3405a14bdc05e4bca019b1b36.exe
Checks whether UAC is enabled (2 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 3405a14bdc05e4bca019b1b36.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ntlhost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid | Process
2232 | 3405a14bdc05e4bca019b1b36.exe
2120 | ntlhost.exe

GoLang User-Agent (1 IoCs)
Uses default user-agent string defined by GoLang HTTP packages.
description | flow | ioc
HTTP User-Agent header | 2 | Go-http-client/1.1

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 2232 wrote to memory of 2120 | 2232 | 3405a14bdc05e4bca019b1b36.exe | 28
PID 2232 wrote to memory of 2120 | 2232 | 3405a14bdc05e4bca019b1b36.exe | 28
PID 2232 wrote to memory of 2120 | 2232 | 3405a14bdc05e4bca019b1b36.exe | 28
Processes

1. C:\Users\Admin\AppData\Local\Temp\3405a14bdc05e4bca019b1b36.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3405a14bdc05e4bca019b1b36.exe"
   PID: 2232
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Loads dropped DLL
   - Adds Run key to start application
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe (child of PID 2232)
      Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      PID: 2120
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
-
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 814.2MB
MD5: 2824a3dc15d4acbd842d1f6eaec74dcb
SHA1: c32b9189ad85dcfdaca464666f3fcea6f8b79d0e
SHA256: da5ab80474df5ec76e3d603c6940261fd28cdbe564cbfd435ae0882600f45ad1
SHA512: bd752130427d12d69f79c209b469cf5f4613478acdf5325fccb4c7cf43dfbfb54d55416176ffb3fa23e443e38544ce7395ac68867040075fabea8fb10aed0eb3

Filesize: 802.0MB
MD5: df8c3276dbf405567cbcd4b482fc3514
SHA1: a2a0c6ec33ebdcd21de88d0ecbd8fcd2bf24144d
SHA256: 16e5d95c06fdd0c1c36891ee50ff0766f630cbd124b2703e322cea5b729206a9
SHA512: 6e51bc46540eb5594af78a955f1fbe26fc4a4f5960f1a750fda413afb03805780e77da689a52d7db7df861c87285bb08cdd6e5fe25c4d3e0a226672f8a43cee5