Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

9

Static

static

7

Alien_Wooferr.exe

windows7-x64

9

Alien_Wooferr.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    152s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    14/10/2023, 23:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Alien_Wooferr.exe

  • Size

    3.8MB

  • MD5

    07df8b71759fd825a418a7075d4d0552

  • SHA1

    61e116200e4c2119795ffb14ee3221b6022f8141

  • SHA256

    b5c05c9af1f689f1967fb86b3bea8e6b0a72194c60ec7e7603ff0bfb772ddfc7

  • SHA512

    fdfa5133eb4df7f6b358556d0f223cba8152ec9dab3efa6fe7c057fa3cf12ef582d4eed8056cd9c3eddd01bb7df1565aeabd200fe608401cc6fa0a32e867268f

  • SSDEEP

    98304:HIm+0/3Os0J+4kgN37+RjDck6XQ1z0LLlxdBmPab:Hq0/+sM6gNAfcDaomP8

Score
9/10
evasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Stops running service(s) 3 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 12 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Kills process with taskkill 5 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Alien_Wooferr.exe
    "C:\Users\Admin\AppData\Local\Temp\Alien_Wooferr.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1204
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Alien_Wooferr.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2828
      • C:\Windows\system32\certutil.exe
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Alien_Wooferr.exe" MD5
        3⤵
          PID:2344
        • C:\Windows\system32\find.exe
          find /i /v "md5"
          3⤵
            PID:2096
          • C:\Windows\system32\find.exe
            find /i /v "certutil"
            3⤵
              PID:1364
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2640
            • C:\Windows\system32\taskkill.exe
              taskkill /f /im HTTPDebuggerUI.exe
              3⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2796
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2576
            • C:\Windows\system32\taskkill.exe
              taskkill /f /im HTTPDebuggerSvc.exe
              3⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1792
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1612
            • C:\Windows\system32\sc.exe
              sc stop HTTPDebuggerPro
              3⤵
              • Launches sc.exe
              PID:2564
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2596
            • C:\Windows\system32\taskkill.exe
              taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
              3⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2644
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2580
            • C:\Windows\system32\taskkill.exe
              taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
              3⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2356
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1984
            • C:\Windows\system32\taskkill.exe
              taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
              3⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1704
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c cls
            2⤵
              PID:1964
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c cls
              2⤵
                PID:2000
            • C:\Windows\system32\taskmgr.exe
              "C:\Windows\system32\taskmgr.exe" /4
              1⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              PID:2924

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/1204-16-0x000000013F2C0000-0x000000013FCC3000-memory.dmp

              Filesize

              10.0MB

              Download

            • memory/1204-1-0x0000000077450000-0x00000000775F9000-memory.dmp

              Filesize

              1.7MB

              Download

            • memory/1204-2-0x000000013F2C0000-0x000000013FCC3000-memory.dmp

              Filesize

              10.0MB

              Download

            • memory/1204-3-0x000000013F2C0000-0x000000013FCC3000-memory.dmp

              Filesize

              10.0MB

              Download

            • memory/1204-4-0x000000013F2C0000-0x000000013FCC3000-memory.dmp

              Filesize

              10.0MB

              Download

            • memory/1204-5-0x000000013F2C0000-0x000000013FCC3000-memory.dmp

              Filesize

              10.0MB

              Download

            • memory/1204-6-0x000000013F2C0000-0x000000013FCC3000-memory.dmp

              Filesize

              10.0MB

              Download

            • memory/1204-7-0x000000013F2C0000-0x000000013FCC3000-memory.dmp

              Filesize

              10.0MB

              Download

            • memory/1204-9-0x0000000077450000-0x00000000775F9000-memory.dmp

              Filesize

              1.7MB

              Download

            • memory/1204-8-0x000000013F2C0000-0x000000013FCC3000-memory.dmp

              Filesize

              10.0MB

              Download

            • memory/1204-22-0x000000013F2C0000-0x000000013FCC3000-memory.dmp

              Filesize

              10.0MB

              Download

            • memory/1204-0-0x000000013F2C0000-0x000000013FCC3000-memory.dmp

              Filesize

              10.0MB

              Download

            • memory/2924-11-0x0000000140000000-0x00000001405E8000-memory.dmp

              Filesize

              5.9MB

              Download

            • memory/2924-14-0x0000000140000000-0x00000001405E8000-memory.dmp

              Filesize

              5.9MB

              Download

            • memory/2924-15-0x0000000140000000-0x00000001405E8000-memory.dmp

              Filesize

              5.9MB

              Download

            • memory/2924-12-0x0000000140000000-0x00000001405E8000-memory.dmp

              Filesize

              5.9MB

              Download

            • memory/2924-18-0x0000000140000000-0x00000001405E8000-memory.dmp

              Filesize

              5.9MB

              Download

            • memory/2924-20-0x0000000140000000-0x00000001405E8000-memory.dmp

              Filesize

              5.9MB

              Download

            • memory/2924-13-0x000000013F2C0000-0x000000013FCC3000-memory.dmp

              Filesize

              10.0MB

              Download

            • memory/2924-25-0x000000013F2C0000-0x000000013FCC3000-memory.dmp

              Filesize

              10.0MB

              Download