Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

9

Static

static

3

Origin.zip

windows7-x64

1

Origin.zip

windows10-2004-x64

1

Origin/Origin.exe

windows7-x64

6

Origin/Origin.exe

windows10-2004-x64

6

Origin/autoexec.lnk

windows7-x64

3

Origin/autoexec.lnk

windows10-2004-x64

3

Origin/aworkspace.lnk

windows7-x64

3

Origin/aworkspace.lnk

windows10-2004-x64

3

Origin/bin...LL.dll

windows7-x64

9

Origin/bin...LL.dll

windows10-2004-x64

9

Origin/bin/theme.json

windows7-x64

3

Origin/bin/theme.json

windows10-2004-x64

3

Origin/bin/ver.txt

windows7-x64

1

Origin/bin/ver.txt

windows10-2004-x64

1

Resubmissions

20/09/2023, 02:12

230920-cnbflsff36 9

Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    20/09/2023, 02:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Origin/bin/OriginDLL.dll

  • Size

    9.6MB

  • MD5

    77a1baf6f2f536ddd861bc7b8840e6e3

  • SHA1

    df4af5e36c2ff61238cdf691c8e62d2af5f460c4

  • SHA256

    afbff748a176dff968ced4bee463e429c8f21fbdbd859af6c35b2a16cc91282a

  • SHA512

    d23bd95359389e08c945f7408901413107f5733dbb02a66f10af3207cc7fc8ecb5a813be53cb5f6163a8e50c0e38e9b4693993738312eee49bd39d91d76a2d5d

  • SSDEEP

    196608:MJQR+brmA5Vs7IryoBVrdaOdPQl5Q5o79fXdFJNBWmQOrCZSgr1NIRKLFru6335:Vgfm8VQcyo/jQl5QEPdTDQO+ZLrH/E65

Score
9/10
evasiontrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\Origin\bin\OriginDLL.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2344
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\Origin\bin\OriginDLL.dll,#1
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:3040

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3040-0-0x0000000010000000-0x0000000011722000-memory.dmp

    Filesize

    23.1MB

    Download

  • memory/3040-1-0x0000000010000000-0x0000000011722000-memory.dmp

    Filesize

    23.1MB

    Download

  • memory/3040-2-0x0000000010000000-0x0000000011722000-memory.dmp

    Filesize

    23.1MB

    Download

  • memory/3040-3-0x0000000010000000-0x0000000011722000-memory.dmp

    Filesize

    23.1MB

    Download

  • memory/3040-4-0x00000000773C0000-0x00000000773C2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3040-5-0x0000000010000000-0x0000000011722000-memory.dmp

    Filesize

    23.1MB

    Download

  • memory/3040-6-0x0000000010000000-0x0000000011722000-memory.dmp

    Filesize

    23.1MB

    Download

  • memory/3040-7-0x0000000010000000-0x0000000011722000-memory.dmp

    Filesize

    23.1MB

    Download

  • memory/3040-8-0x0000000010000000-0x0000000011722000-memory.dmp

    Filesize

    23.1MB

    Download