Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
24/10/2023, 08:53
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20231023-en
General
-
Target
file.exe
-
Size
3.9MB
-
MD5
6c13146feeabc071309b41335514bf99
-
SHA1
127ba6047bdbc24d66a2be4d975bfc8d8bbf3808
-
SHA256
c630fc1a9602a939621027c5c7c6be78e598b66d86fec0ed103ebae22fc99577
-
SHA512
f617e7168a9b4848d2278bdc5dd0cd8986f47300d58644121adc43c7236333ba8474309ce25be96709103e5ee1a4f3e62471b1fc2e876c347505920965144a0e
-
SSDEEP
49152:9Zt7mOXOJ79zFO/xx25/g0wDHIhQXjoLBaBhIT2iL54oU6Hhs2WtuHr1j7jEuPYM:9/hOJYrVjIhQXEiil7H6pSJpY3ZU0zK
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ file.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion file.exe -
Loads dropped DLL 1 IoCs
pid Process 1196 file.exe -
resource yara_rule behavioral2/memory/1196-11-0x0000000000F60000-0x000000000177C000-memory.dmp themida behavioral2/memory/1196-37-0x0000000000F60000-0x000000000177C000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA file.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 1196 file.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1196 set thread context of 3116 1196 file.exe 89 -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1196 file.exe 1196 file.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe 3116 AppLaunch.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1196 wrote to memory of 3116 1196 file.exe 89 PID 1196 wrote to memory of 3116 1196 file.exe 89 PID 1196 wrote to memory of 3116 1196 file.exe 89 PID 1196 wrote to memory of 3116 1196 file.exe 89 PID 1196 wrote to memory of 3116 1196 file.exe 89 PID 1196 wrote to memory of 3116 1196 file.exe 89 PID 1196 wrote to memory of 3116 1196 file.exe 89 PID 1196 wrote to memory of 3116 1196 file.exe 89 PID 1196 wrote to memory of 3116 1196 file.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3116
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
742KB
MD5544cd51a596619b78e9b54b70088307d
SHA14769ddd2dbc1dc44b758964ed0bd231b85880b65
SHA256dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
SHA512f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719