Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
-
submitted
06/11/2023, 00:40
General
-
Target
51f54d87b6c9908b5ed532af24531dd049f2148ce7436904136ca1bd74cbc597.exe
-
Size
7.0MB
-
MD5
4dcc665d1ca0449ca8f3848c6dd4b0d6
-
SHA1
97c601f5d8ce771dcd7c16fae565b24b51bff92f
-
SHA256
51f54d87b6c9908b5ed532af24531dd049f2148ce7436904136ca1bd74cbc597
-
SHA512
1e37df75348e3af9730c9d48ed0974e4207a5dd46e8c58ccfde126fef8bb7e4bc83ff7b09dd25b93009d60a091bb18023835b730c973e8252f77373da016cce4
-
SSDEEP
196608:dHVvwWB528rX22T3IjJx+2UTiADupsf+287nQR7L:/BB72sOADuB7nC
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 25 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\51f54d87b6c9908b5ed532af24531dd049f2148ce7436904136ca1bd74cbc597.exe"C:\Users\Admin\AppData\Local\Temp\51f54d87b6c9908b5ed532af24531dd049f2148ce7436904136ca1bd74cbc597.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c explorer/select,C:\Users\Admin\HELanguage.hel2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exeexplorer /select,C:\Users\Admin\HELanguage.hel3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start notepad C:\Users\Admin\HELanguage.hel2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\notepad.exenotepad C:\Users\Admin\HELanguage.hel3⤵
- Opens file in notepad (likely ransom note)
-
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9KB
MD53823c29c8fe18e23a5fae0e3d6b532ed
SHA1d6a6bb56a26f3a7b7a8f894237318b62d5fae432
SHA256a6226bfc3c5765048346a2ca643495269ff8b737a9ccd0b54f3d7e16920a3906
SHA5120fcf14683ecc0d485124f77bb431d1b8344bd3f0d1691ee747964bf3d5c97e48aa146d485d7384c72c776d41aa358835d44381dfe1f00dbbe24405fb0d1aae6d
-
Filesize
71B
MD52f0f98115f17f2869c1f59ba804af077
SHA1ae9c81906afe9cc485d6808c62a7e2fd227ac6c6
SHA2560805dcdc42ca47abdc3d8fe11f8e0c7a108602022f71ab349648cfdd30a75aa6
SHA512e1403027c2f55d2dc4972b35b16e9401d0a9b5e055839e650b242fb12051051f72ef760214bf436ba9dd2b0d67daa2d55a783e782717d53966465b8c291acbfc
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
17.0MB
-
Filesize
17.0MB
-
Filesize
17.0MB
-
Filesize
17.0MB
-
Filesize
17.0MB
-
Filesize
17.0MB
-
Filesize
17.0MB
-
Filesize
17.0MB
-
Filesize
1.7MB
-
Filesize
17.0MB
-
Filesize
17.0MB
-
Filesize
17.0MB
-
Filesize
17.0MB
-
Filesize
1.7MB
-
Filesize
17.0MB