Analysis
- max time kernel: 175s
- max time network: 197s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/10/2023, 23:28
Behavioral task: behavioral1
- Sample: Alien_Wooferr.exe
- Resource: win7-20230831-en
- 14 signatures
- 150 seconds
General
- Target: Alien_Wooferr.exe
- Size: 3.8MB
- MD5: 07df8b71759fd825a418a7075d4d0552
- SHA1: 61e116200e4c2119795ffb14ee3221b6022f8141
- SHA256: b5c05c9af1f689f1967fb86b3bea8e6b0a72194c60ec7e7603ff0bfb772ddfc7
- SHA512: fdfa5133eb4df7f6b358556d0f223cba8152ec9dab3efa6fe7c057fa3cf12ef582d4eed8056cd9c3eddd01bb7df1565aeabd200fe608401cc6fa0a32e867268f
- SSDEEP: 98304:HIm+0/3Os0J+4kgN37+RjDck6XQ1z0LLlxdBmPab:Hq0/+sM6gNAfcDaomP8
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Alien_Wooferr.exe
- Stops running service(s) 3 TTPs
- Checks BIOS information in registry 2 TTPs 2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Alien_Wooferr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Alien_Wooferr.exe
- Themida packer detected (yara rule: themida) 13 IoCs
  resource | yara_rule
  behavioral2/memory/2616-0-0x00007FF6B5850000-0x00007FF6B6253000-memory.dmp | themida
  behavioral2/memory/2616-1-0x00007FF6B5850000-0x00007FF6B6253000-memory.dmp | themida
  behavioral2/memory/2616-2-0x00007FF6B5850000-0x00007FF6B6253000-memory.dmp | themida
  behavioral2/memory/2616-3-0x00007FF6B5850000-0x00007FF6B6253000-memory.dmp | themida
  behavioral2/memory/2616-5-0x00007FF6B5850000-0x00007FF6B6253000-memory.dmp | themida
  behavioral2/memory/2616-6-0x00007FF6B5850000-0x00007FF6B6253000-memory.dmp | themida
  behavioral2/memory/2616-7-0x00007FF6B5850000-0x00007FF6B6253000-memory.dmp | themida
  behavioral2/memory/2616-8-0x00007FF6B5850000-0x00007FF6B6253000-memory.dmp | themida
  behavioral2/memory/2616-9-0x00007FF6B5850000-0x00007FF6B6253000-memory.dmp | themida
  behavioral2/memory/2616-10-0x00007FF6B5850000-0x00007FF6B6253000-memory.dmp | themida
  behavioral2/memory/2616-11-0x00007FF6B5850000-0x00007FF6B6253000-memory.dmp | themida
  behavioral2/memory/2616-12-0x00007FF6B5850000-0x00007FF6B6253000-memory.dmp | themida
  behavioral2/memory/2616-32-0x00007FF6B5850000-0x00007FF6B6253000-memory.dmp | themida
- Checks whether UAC is enabled 1 IoCs
  The EnableLUA value under Policies\System reports whether User Account Control is active.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Alien_Wooferr.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  NtSetInformationThread called with the ThreadHideFromDebugger information class detaches the calling thread from an attached debugger: debug events and exceptions raised in that thread, breakpoints included, are no longer delivered to it. This is a common anti-debugging technique.
  pid | Process
  2616 | Alien_Wooferr.exe
  2616 | Alien_Wooferr.exe
- Launches sc.exe 1 IoCs
  Sc.exe is a Windows utility to control services on the system.
  pid | Process
  3004 | sc.exe
- Checks SCSI registry key(s) 3 TTPs 3 IoCs
  SCSI information is often read in order to detect sandboxing environments. All three hits below are attributed to taskmgr.exe (PID 4632), which appears as a separate top-level process in the process tree, not to the sample; Task Manager reads the disk's enumeration keys (including its FriendlyName) in normal operation, so this signature should not be counted as sample behaviour.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
- Kills process with taskkill 5 IoCs
  pid | Process
  780 | taskkill.exe
  5012 | taskkill.exe
  2704 | taskkill.exe
  4044 | taskkill.exe
  3452 | taskkill.exe
- Suspicious behavior: EnumeratesProcesses 46 IoCs
  pid | Process
  4632 | taskmgr.exe
  2616 | Alien_Wooferr.exe
  (46 events in total, most of them from PID 2616)
- Suspicious use of AdjustPrivilegeToken 8 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 780 | taskkill.exe
  Token: SeDebugPrivilege | 4632 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 4632 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 4632 | taskmgr.exe
  Token: SeDebugPrivilege | 5012 | taskkill.exe
  Token: SeDebugPrivilege | 2704 | taskkill.exe
  Token: SeDebugPrivilege | 4044 | taskkill.exe
  Token: SeDebugPrivilege | 3452 | taskkill.exe
- Suspicious use of FindShellTrayWindow 15 IoCs
  pid | Process
  4632 | taskmgr.exe (15 events)
- Suspicious use of SendNotifyMessage 14 IoCs
  pid | Process
  4632 | taskmgr.exe (14 events)
- Suspicious use of WriteProcessMemory 36 IoCs (18 distinct writes, each listed twice)
  description | pid | Process | procid_target
  PID 2616 wrote to memory of 1212 | 2616 | Alien_Wooferr.exe | 89
  PID 1212 wrote to memory of 1064 | 1212 | cmd.exe | 91
  PID 1212 wrote to memory of 4884 | 1212 | cmd.exe | 92
  PID 1212 wrote to memory of 772 | 1212 | cmd.exe | 93
  PID 2616 wrote to memory of 4848 | 2616 | Alien_Wooferr.exe | 95
  PID 4848 wrote to memory of 780 | 4848 | cmd.exe | 96
  PID 2616 wrote to memory of 3372 | 2616 | Alien_Wooferr.exe | 99
  PID 3372 wrote to memory of 5012 | 3372 | cmd.exe | 100
  PID 2616 wrote to memory of 4628 | 2616 | Alien_Wooferr.exe | 101
  PID 4628 wrote to memory of 3004 | 4628 | cmd.exe | 102
  PID 2616 wrote to memory of 500 | 2616 | Alien_Wooferr.exe | 103
  PID 500 wrote to memory of 2704 | 500 | cmd.exe | 104
  PID 2616 wrote to memory of 5032 | 2616 | Alien_Wooferr.exe | 105
  PID 5032 wrote to memory of 4044 | 5032 | cmd.exe | 106
  PID 2616 wrote to memory of 3180 | 2616 | Alien_Wooferr.exe | 107
  PID 3180 wrote to memory of 3452 | 3180 | cmd.exe | 108
  PID 2616 wrote to memory of 2132 | 2616 | Alien_Wooferr.exe | 109
  PID 2616 wrote to memory of 1956 | 2616 | Alien_Wooferr.exe | 110
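The registry signatures above (VirtualBox ACPI table, BIOS version strings, SCSI disk enumeration, EnableLUA) are the kind of thing a triage script can score automatically. The following Python is an added example, not part of the tria.ge report: it classifies registry events into anti-VM / anti-sandbox families and keeps hits from known benign readers such as taskmgr.exe out of the verdict. The event tuples are constructed from this report's IoC tables; the rule patterns (which also cover the FADT and RSDT VirtualBox tables and CurrentControlSet, beyond what this report shows), the BENIGN_READERS allow-list and the scoring are assumptions for illustration, not tria.ge's own logic.

```python
"""Score sandbox registry events for anti-VM / anti-sandbox probes.

Added example, not from the tria.ge report. SAMPLE_EVENTS is constructed
from the registry IoCs in this report: (operation, key path, process).
"""
import re
from dataclasses import dataclass

SAMPLE_EVENTS = [
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", "Alien_Wooferr.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", "Alien_Wooferr.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", "Alien_Wooferr.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "Alien_Wooferr.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000", "taskmgr.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName", "taskmgr.exe"),
]

# (family label, case-insensitive regex over the key path). Assumed rule set:
# the report shows only DSDT\VBOX__ and ControlSet001, the patterns generalize.
RULES = [
    ("virtualbox_acpi", r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__"),
    ("bios_info", r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion|SystemBiosDate)"),
    ("scsi_enum", r"\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Enum\\SCSI\\"),
    ("uac_status", r"\\Policies\\System\\EnableLUA$"),
]

# Processes that read hardware enumeration keys as part of normal operation.
# Their hits are reported but not scored. Assumed allow-list; tune per environment.
BENIGN_READERS = {"taskmgr.exe", "explorer.exe", "svchost.exe"}


@dataclass
class Hit:
    rule: str
    process: str
    key: str
    benign_reader: bool


def classify(events):
    """Tag each event with the first rule family its key path matches."""
    hits = []
    for _op, key, proc in events:
        for label, pattern in RULES:
            if re.search(pattern, key, re.IGNORECASE):
                hits.append(Hit(label, proc, key, proc.lower() in BENIGN_READERS))
                break
    return hits


def verdict(hits):
    """Count distinct hardware-probe families hit by non-allow-listed processes.

    uac_status is excluded from the score: reading EnableLUA is common in
    benign installers, so on its own it says nothing about evasion.
    """
    families = {h.rule for h in hits if not h.benign_reader and h.rule != "uac_status"}
    return {"families": sorted(families), "score": len(families)}


if __name__ == "__main__":
    for h in classify(SAMPLE_EVENTS):
        print(f"{h.rule:16} {h.process:18} benign_reader={h.benign_reader}  {h.key}")
    print(verdict(classify(SAMPLE_EVENTS)))
```

Run against the constructed events, the two SCSI hits are tagged scsi_enum but attributed to taskmgr.exe and dropped from the score, leaving the sample with two scored families (bios_info and virtualbox_acpi), which matches the signature list above once the taskmgr.exe noise is discounted.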
Processes

- C:\Users\Admin\AppData\Local\Temp\Alien_Wooferr.exe (PID 2616)
  "C:\Users\Admin\AppData\Local\Temp\Alien_Wooferr.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 1212)
    C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Alien_Wooferr.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\certutil.exe (PID 1064)
      certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Alien_Wooferr.exe" MD5
    - C:\Windows\system32\find.exe (PID 4884)
      find /i /v "md5"
    - C:\Windows\system32\find.exe (PID 772)
      find /i /v "certutil"
  - C:\Windows\system32\cmd.exe (PID 4848)
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe (PID 780)
      taskkill /f /im HTTPDebuggerUI.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 3372)
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe (PID 5012)
      taskkill /f /im HTTPDebuggerSvc.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 4628)
    C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\sc.exe (PID 3004)
      sc stop HTTPDebuggerPro
      - Launches sc.exe
  - C:\Windows\system32\cmd.exe (PID 500)
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe (PID 2704)
      taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 5032)
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe (PID 4044)
      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 3180)
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe (PID 3452)
      taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 2132)
    C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe (PID 1956)
    C:\Windows\system32\cmd.exe /c cls
- C:\Windows\system32\taskmgr.exe (PID 4632)
  "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
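The process tree shows the sample's anti-analysis routine in full: it hashes its own image with certutil, then spawns one cmd.exe per target to taskkill HTTPDebugger, Cheat Engine and Process Hacker by image name or wildcard filter and to stop the HTTPDebuggerPro service, discarding output with ">nul 2>&1". The following Python is an added example, not part of the tria.ge report: it runs that detection over process-creation events, walks parent links so every finding is attributed to the originating sample rather than to the intermediate cmd.exe, and flags the certutil call as a self-hash because its argument equals the root process's image path. The EVENTS list is constructed from the tree above (ppid is None where the report shows no parent); the event field layout, the ANALYSIS_TOOLS starter list and the finding labels are assumptions for illustration.

```python
"""Flag anti-analysis tool termination in process-creation events.

Added example, not from the tria.ge report. EVENTS is constructed from
the process tree in this report; the tuple layout (pid, ppid, image,
cmdline) is an assumption and follows no particular EDR schema.
"""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

EVENTS = [
    Proc(2616, None, r"C:\Users\Admin\AppData\Local\Temp\Alien_Wooferr.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\Alien_Wooferr.exe"'),
    Proc(1212, 2616, r"C:\Windows\system32\cmd.exe",
         r'C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Alien_Wooferr.exe" MD5 | find /i /v "md5" | find /i /v "certutil"'),
    Proc(1064, 1212, r"C:\Windows\system32\certutil.exe",
         r'certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Alien_Wooferr.exe" MD5'),
    Proc(4848, 2616, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1"),
    Proc(780, 4848, r"C:\Windows\system32\taskkill.exe", r"taskkill /f /im HTTPDebuggerUI.exe"),
    Proc(3372, 2616, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1"),
    Proc(5012, 3372, r"C:\Windows\system32\taskkill.exe", r"taskkill /f /im HTTPDebuggerSvc.exe"),
    Proc(4628, 2616, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1"),
    Proc(3004, 4628, r"C:\Windows\system32\sc.exe", r"sc stop HTTPDebuggerPro"),
    Proc(500, 2616, r"C:\Windows\system32\cmd.exe", r'C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1'),
    Proc(2704, 500, r"C:\Windows\system32\taskkill.exe", r'taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T'),
    Proc(5032, 2616, r"C:\Windows\system32\cmd.exe", r'C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1'),
    Proc(4044, 5032, r"C:\Windows\system32\taskkill.exe", r'taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T'),
    Proc(3180, 2616, r"C:\Windows\system32\cmd.exe", r'C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1'),
    Proc(3452, 3180, r"C:\Windows\system32\taskkill.exe", r'taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T'),
    Proc(4632, None, r"C:\Windows\system32\taskmgr.exe", r'"C:\Windows\system32\taskmgr.exe" /4'),
]

# Image-name stems of analysis tools. Starter list (assumption); extend it.
ANALYSIS_TOOLS = ("httpdebugger", "cheatengine", "processhacker", "x64dbg", "x32dbg",
                  "ollydbg", "ida", "wireshark", "fiddler", "procmon")

TASKKILL_IM = re.compile(r"/im\s+(\S+)", re.IGNORECASE)
TASKKILL_FI = re.compile(r'/fi\s+"?imagename\s+eq\s+([^"\s]+)"?', re.IGNORECASE)
SC_STOP = re.compile(r"\bsc(?:\.exe)?\s+stop\s+(\S+)", re.IGNORECASE)
HASHFILE = re.compile(r'-hashfile\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def tool_match(name):
    """Return the analysis-tool stem that an image name, service name or
    wildcard pattern refers to, or None ("*" alone matches nothing)."""
    stem = name.lower().rstrip("*")
    if stem.endswith(".exe"):
        stem = stem[:-4]
    for tool in ANALYSIS_TOOLS:
        if stem.startswith(tool):
            return tool
    return None


def root_of(pid, by_pid):
    """Follow ppid links to the topmost ancestor present in the event set."""
    seen = set()
    while pid in by_pid and by_pid[pid].ppid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid].ppid
    return pid


def analyze(events):
    """Inspect the utility processes themselves (not the cmd.exe wrappers, which
    would double-count) and attribute each finding to its root ancestor."""
    by_pid = {p.pid: p for p in events}
    findings = []
    for p in events:
        base = p.image.rsplit("\\", 1)[-1].lower()
        root = root_of(p.pid, by_pid)
        if base == "taskkill.exe":
            targets = TASKKILL_IM.findall(p.cmdline) + TASKKILL_FI.findall(p.cmdline)
            for tool in sorted({t for t in map(tool_match, targets) if t}):
                findings.append({"kind": "kills_analysis_tool", "pid": p.pid, "root": root, "target": tool})
        elif base == "sc.exe":
            m = SC_STOP.search(p.cmdline)
            if m and tool_match(m.group(1)):
                findings.append({"kind": "stops_analysis_service", "pid": p.pid, "root": root, "target": m.group(1)})
        elif base == "certutil.exe":
            m = HASHFILE.search(p.cmdline)
            path = (m.group(1) or m.group(2)) if m else None
            if path and path.lower() == by_pid[root].image.lower():
                findings.append({"kind": "hashes_own_image", "pid": p.pid, "root": root, "target": path})
    return findings


def summarize(findings):
    """Map each root PID to the sorted set of finding kinds attributed to it."""
    by_root = {}
    for f in findings:
        by_root.setdefault(f["root"], set()).add(f["kind"])
    return {root: sorted(kinds) for root, kinds in by_root.items()}


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f)
    print(summarize(analyze(EVENTS)))
```

On the constructed events every finding resolves to PID 2616: five taskkill targets (httpdebugger three times, cheatengine, processhacker), the sc stop of HTTPDebuggerPro, and the certutil self-hash, while the analyst's taskmgr.exe produces nothing. Attributing by root ancestor is what makes the per-target cmd.exe wrappers harmless for correlation.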