Analysis
- max time kernel: 186s
- max time network: 192s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/10/2023, 01:46
Static task: static1
Behavioral task behavioral1: sample arphaCrashReport.exe, resource win7-20230831-en
Behavioral task behavioral2: sample arphaCrashReport.exe, resource win10v2004-20230915-en
Behavioral task behavioral3: sample arphadump.dll, resource win7-20230831-en
Behavioral task behavioral4: sample arphadump.dll, resource win10v2004-20230915-en
General
- Target: arphaCrashReport.exe
- Size: 206KB
- MD5: 8521949e487368f1708d68ffcc581665
- SHA1: a2c753371ba79eb673ff4987d9044af9c7a1b89b
- SHA256: b2ee510d0b5012487dee143b459e4e2fcfb758960d3fe7ec4743552bc91be9e2
- SHA512: 7722abb534f11dc71ac0797d881eb5c2dee524e19d99c219697efa1037164d92a23a5f098f76e5471f1bcfbcb05b44c497ba85f724267cb70591a448af4358ba
- SSDEEP: 6144:UJgVV8K6VGrE8y3CtcKn6yv8zRkDVn5iJg:SGQ8y3CtcoRv6i
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | arphaCrashReport.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | arphaCrashReport.exe
- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | arphaCrashReport.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | arphaCrashReport.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | arphaCrashReport.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | arphaCrashReport.exe
- Identifies Wine through registry keys (2 TTPs, 2 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Wine | arphaCrashReport.exe
  Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Wine | arphaCrashReport.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | arphaCrashReport.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid | Process
  2664 | arphaCrashReport.exe
  4948 | arphaCrashReport.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  2664 | arphaCrashReport.exe
  2664 | arphaCrashReport.exe
  4948 | arphaCrashReport.exe
  4948 | arphaCrashReport.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 2664 wrote to memory of 4948 | 2664 | arphaCrashReport.exe | 88
  PID 2664 wrote to memory of 4948 | 2664 | arphaCrashReport.exe | 88
  PID 2664 wrote to memory of 4948 | 2664 | arphaCrashReport.exe | 88
Processes
- C:\Users\Admin\AppData\Local\Temp\arphaCrashReport.exe (PID 2664)
  Command line: "C:\Users\Admin\AppData\Local\Temp\arphaCrashReport.exe"
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Checks computer location settings
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\arphaCrashReport.exe (PID 4948, child of PID 2664)
    Command line: "C:\Users\Admin\AppData\Local\Temp\arphaCrashReport.exe" 9999
    Signatures:
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses