Analysis
- max time kernel: 148s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/10/2023, 01:46
Static task
- static1
Behavioral task
- behavioral1: Sample arphaCrashReport.exe, Resource win7-20230831-en
- behavioral2: Sample arphaCrashReport.exe, Resource win10v2004-20230915-en
- behavioral3: Sample arphadump.dll, Resource win7-20230831-en
- behavioral4: Sample arphadump.dll, Resource win10v2004-20230915-en
General
- Target: arphadump.dll
- Size: 10.4MB
- MD5: 057381c48055743f1826fd6ec098b464
- SHA1: 9c09a534c22863a73f0544ca6039fdf80e6ddfb8
- SHA256: ecb680f6088157193ec5d16246d31669e7153da94fd3ee4273cdac7c9cdcac7b
- SHA512: c1123a35155e56ace597af97e67aab3b3a8713e026801f82171e6d32b1c6b64d6b44395d069c0031e9695da557e4c44ec1dc081ed42ec17563cb7f834f944297
- SSDEEP: 196608:JLPRePJLb2hsDkLsZadle1NEoH+5TNuJKoE0+vDfqMR8xK:JFePJLKhPLsMDe1NxH+5T+e5
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rundll32.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rundll32.exe
- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Wine | rundll32.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid | Process
  676 | rundll32.exe
- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  2000 | 676 | WerFault.exe | 86
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  676 | rundll32.exe
  676 | rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 4320 wrote to memory of 676 | 4320 | rundll32.exe | 86
  PID 4320 wrote to memory of 676 | 4320 | rundll32.exe | 86
  PID 4320 wrote to memory of 676 | 4320 | rundll32.exe | 86
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\arphadump.dll,#1
  PID: 4320
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\arphadump.dll,#1
    PID: 676
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 676 -s 932
      PID: 2000
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 676 -ip 676
  PID: 3240