Analysis
max time kernel: 139s
max time network: 154s
platform: windows7_x64
resource: win7-20230703-en
resource tags: arch:x64, arch:x86, image:win7-20230703-en, locale:en-us, os:windows7-x64, system
submitted: 10/07/2023, 06:33
Static task: static1
Behavioral task: behavioral1
Sample: f2e100f576b44fdb37d874db2e48085c.exe
Resource: win7-20230703-en
General
Target: f2e100f576b44fdb37d874db2e48085c.exe
Size: 4.4MB
MD5: f2e100f576b44fdb37d874db2e48085c
SHA1: 23091a0b5231d69d85866fede573b25577e20414
SHA256: 77530f67cff4fc2456c0b27abf28d1ab1f4f10fd9be039783adfa25ed1f7f196
SHA512: 14bd861a48f201a195d322e4c00f758996d2be8b6d78a1c927af53a00e029e9be7db4002c48a80f88d2869e9ba412724ec7a47c8da09faf79133df2edc608f85
SSDEEP: 98304:fqemq9DObUSOLZ27MJuUfg7Jb/0RCh2fc/xVzVALUx:PzD3SFEuUfcLwCh2Q/RAY
Malware Config
Extracted family: laplas
URL: http://lpls.tuktuk.ug
api_key: a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
description: Key opened | ioc: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Process: f2e100f576b44fdb37d874db2e48085c.exe
description: Key opened | ioc: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Process: ntlhost.exe
Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Process: f2e100f576b44fdb37d874db2e48085c.exe
description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Process: f2e100f576b44fdb37d874db2e48085c.exe
description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Process: ntlhost.exe
description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Process: ntlhost.exe
Executes dropped EXE (1 IoC)
pid: 2256 | Process: ntlhost.exe

Loads dropped DLL (1 IoC)
pid: 3064 | Process: f2e100f576b44fdb37d874db2e48085c.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description: Set value (str) | ioc: \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | Process: f2e100f576b44fdb37d874db2e48085c.exe
Checks whether UAC is enabled (2 IoCs)
description: Key value queried | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Process: f2e100f576b44fdb37d874db2e48085c.exe
description: Key value queried | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Process: ntlhost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid: 3064 | Process: f2e100f576b44fdb37d874db2e48085c.exe
pid: 2256 | Process: ntlhost.exe
GoLang User-Agent (1 IoC)
Uses the default User-Agent string defined by the Go HTTP packages.
description: HTTP User-Agent header | flow: 2 | ioc: Go-http-client/1.1
Suspicious use of WriteProcessMemory (3 IoCs)
description: PID 3064 wrote to memory of 2256 | pid: 3064 | Process: f2e100f576b44fdb37d874db2e48085c.exe | procid_target: 29
description: PID 3064 wrote to memory of 2256 | pid: 3064 | Process: f2e100f576b44fdb37d874db2e48085c.exe | procid_target: 29
description: PID 3064 wrote to memory of 2256 | pid: 3064 | Process: f2e100f576b44fdb37d874db2e48085c.exe | procid_target: 29
Processes

1. C:\Users\Admin\AppData\Local\Temp\f2e100f576b44fdb37d874db2e48085c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f2e100f576b44fdb37d874db2e48085c.exe"
   PID: 3064
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Loads dropped DLL
   - Adds Run key to start application
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe (child of PID 3064)
      Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      PID: 2256
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 743.4MB
MD5: 3fbf49633fa76fe203f55b1cd98fe6ba
SHA1: 3f8a742b348cbf8e09e2d12889ac81bcbc09b244
SHA256: 3c50b55a724ee55cf876dc7f5feb3db45e568816e6fc4de799817d260b428e25
SHA512: a56b50ab9df26204cf1b78f19725351526bc93ba3b9286c473545c684e44c8341f0290ba4ce23a94f843ed2675a73e107ced8beb48e098698e0e2624ed5dcd48