Analysis
max time kernel: 122s
max time network: 127s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 17/11/2023, 02:35
Behavioral task: behavioral1
Sample: NEAS.098aeeead8bcc2fc053a4a7af5db4190.exe
Resource: win7-20231023-en

Behavioral task: behavioral2
Sample: NEAS.098aeeead8bcc2fc053a4a7af5db4190.exe
Resource: win10v2004-20231020-en
General
Target: NEAS.098aeeead8bcc2fc053a4a7af5db4190.exe
Size: 2.5MB
MD5: 098aeeead8bcc2fc053a4a7af5db4190
SHA1: 717d879bd4178c857c94c34f2f517193ca8460f6
SHA256: 2e24bbb3773c2d0fab2156685298b7c4adf96c22790beab3be80226995954b51
SHA512: c2301e55402b6107a70018b07d398c599b86279faec0a8f484efc76162317b935e653ae3d8173e050e321ea9226e06cf426d58cfe3e124719c1e61677599d0d1
SSDEEP: 49152:y4daOqAehx7x20RKuniOJqfU7F1tLYoNovTE3pzNx0FOnpe4v/681:cP7tRtrJq88SqgnpXiu
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
    description: Key opened | ioc: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Process: NEAS.098aeeead8bcc2fc053a4a7af5db4190.exe
    description: Key opened | ioc: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Process: suvkbwn.exe

Modifies AppInit DLL entries (2 TTPs)
    No IoCs are recorded for this signature in this run.

Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
    description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Process: suvkbwn.exe
    description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Process: suvkbwn.exe
    description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Process: NEAS.098aeeead8bcc2fc053a4a7af5db4190.exe
    description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Process: NEAS.098aeeead8bcc2fc053a4a7af5db4190.exe

Executes dropped EXE (1 IoC)
    pid: 2760 | Process: suvkbwn.exe

YARA rule matches: themida (8 IoCs)
    resource: behavioral1/memory/2868-0-0x0000000000400000-0x0000000000A57000-memory.dmp | yara_rule: themida
    resource: behavioral1/memory/2868-1-0x0000000000400000-0x0000000000A57000-memory.dmp | yara_rule: themida
    resource: behavioral1/memory/2868-2-0x0000000000400000-0x0000000000A57000-memory.dmp | yara_rule: themida
    resource: behavioral1/files/0x000e000000012286-7.dat | yara_rule: themida
    resource: behavioral1/files/0x000e000000012286-8.dat | yara_rule: themida
    resource: behavioral1/memory/2760-9-0x0000000000400000-0x0000000000A57000-memory.dmp | yara_rule: themida
    resource: behavioral1/memory/2760-10-0x0000000000400000-0x0000000000A57000-memory.dmp | yara_rule: themida
    resource: behavioral1/memory/2760-11-0x0000000000400000-0x0000000000A57000-memory.dmp | yara_rule: themida
    The rule fires on the submitted sample (PID 2868), on the dropped file, and on the dropped copy once running (PID 2760); both processes map the same 0x400000-0xA57000 image range.

Checks whether UAC is enabled (2 IoCs)
    description: Key value queried | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Process: NEAS.098aeeead8bcc2fc053a4a7af5db4190.exe
    description: Key value queried | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Process: suvkbwn.exe

Drops file in Program Files directory (2 IoCs)
    description: File created | ioc: C:\PROGRA~3\Mozilla\suvkbwn.exe | Process: NEAS.098aeeead8bcc2fc053a4a7af5db4190.exe
    description: File created | ioc: C:\PROGRA~3\Mozilla\wfwcssm.dll | Process: suvkbwn.exe

Suspicious use of UnmapMainImage (2 IoCs)
    pid: 2868 | Process: NEAS.098aeeead8bcc2fc053a4a7af5db4190.exe
    pid: 2760 | Process: suvkbwn.exe

Suspicious use of WriteProcessMemory (4 IoCs)
    description: PID 2648 wrote to memory of 2760 | pid: 2648 | Process: taskeng.exe | procid_target: 29
    description: PID 2648 wrote to memory of 2760 | pid: 2648 | Process: taskeng.exe | procid_target: 29
    description: PID 2648 wrote to memory of 2760 | pid: 2648 | Process: taskeng.exe | procid_target: 29
    description: PID 2648 wrote to memory of 2760 | pid: 2648 | Process: taskeng.exe | procid_target: 29
    All four entries are taskeng.exe writing into the child it spawned (PID 2760); a parent writing into its own new child is also what normal process creation looks like, so this signature on its own is weak evidence.
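The three registry signatures above (ACPI VBOX__ key, BIOS version values, EnableLUA) are individually noisy: system tools read BIOS strings too. What makes them interesting here is that both processes perform all three. The following is an added example, not tria.ge code, that scores registry-access events per process so that only the combination is flagged. The event lines are constructed from the IoC rows on this page plus two benign lines (msinfo32.exe, explorer.exe) that I made up as noise; the FADT/RSDT variants of the VBOX__ key and the category weights are my assumptions, not something this report shows.

```python
"""Score registry-access events for the anti-analysis pattern seen in this report.
Added example; the event log below is constructed, not taken from tria.ge output."""
import re
from collections import defaultdict

# category -> (pattern over the registry path, weight).  Paths come from the IoC
# rows above; FADT/RSDT are assumed VirtualBox variants of the same DSDT\VBOX__ check.
ANTI_ANALYSIS_KEYS = {
    "anti_vm_acpi": (re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$", re.I), 3),
    "bios_probe":   (re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I), 1),
    "uac_probe":    (re.compile(r"\\Policies\\System\\EnableLUA$", re.I), 1),
}

# Constructed log in "operation | path | process" form, modelled on the IoC rows.
# The msinfo32.exe and explorer.exe lines are invented benign noise.
SAMPLE_EVENTS = r"""
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | NEAS.098aeeead8bcc2fc053a4a7af5db4190.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | NEAS.098aeeead8bcc2fc053a4a7af5db4190.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | NEAS.098aeeead8bcc2fc053a4a7af5db4190.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | NEAS.098aeeead8bcc2fc053a4a7af5db4190.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | suvkbwn.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | suvkbwn.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | suvkbwn.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | suvkbwn.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | msinfo32.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
"""


def parse_events(text):
    """Turn the pipe-separated log into (operation, path, process) tuples."""
    events = []
    for line in text.strip().splitlines():
        op, path, proc = (field.strip() for field in line.split(" | "))
        events.append((op, path, proc))
    return events


def classify(path):
    """Return (category, weight) for an anti-analysis key, or (None, 0)."""
    for name, (pattern, weight) in ANTI_ANALYSIS_KEYS.items():
        if pattern.search(path):
            return name, weight
    return None, 0


def score_processes(events, threshold=4):
    """Score each process once per category (repeated reads do not inflate the
    score) and flag it when the combined score reaches the threshold.  With the
    weights above, a process must touch the VBOX__ key plus at least one other
    category to be flagged; a lone BIOS read (msinfo32.exe) stays below it."""
    per_proc = defaultdict(lambda: {"score": 0, "categories": set()})
    for _op, path, proc in events:
        category, weight = classify(path)
        if category and category not in per_proc[proc]["categories"]:
            per_proc[proc]["categories"].add(category)
            per_proc[proc]["score"] += weight
    return {
        proc: {"score": d["score"], "categories": sorted(d["categories"]),
               "flag": d["score"] >= threshold}
        for proc, d in per_proc.items()
    }


if __name__ == "__main__":
    for proc, result in score_processes(parse_events(SAMPLE_EVENTS)).items():
        print(f"{proc:45s} score={result['score']} flag={result['flag']} {result['categories']}")
```

Both sample processes score 5 and are flagged; msinfo32.exe scores 1 and is not, and explorer.exe never touches a scored key so it does not appear at all. Tune the threshold against your own telemetry before using this as a rule.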
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\NEAS.098aeeead8bcc2fc053a4a7af5db4190.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.098aeeead8bcc2fc053a4a7af5db4190.exe"
    PID: 2868
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage

Level 1: C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {FB9B440D-BAFA-4EDF-95CF-6CE43F686099} S-1-5-18:NT AUTHORITY\System:Service:
    PID: 2648
    - Suspicious use of WriteProcessMemory
    The task engine is running under S-1-5-18 (NT AUTHORITY\System), so the child below starts with SYSTEM privileges.

    Level 2: C:\PROGRA~3\Mozilla\suvkbwn.exe
        Command line: C:\PROGRA~3\Mozilla\suvkbwn.exe -tlhykym
        PID: 2760
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Drops file in Program Files directory
        - Suspicious use of UnmapMainImage
    This is the file the sample created in C:\PROGRA~3\Mozilla, started from the task engine rather than by the sample itself, which points to a scheduled task as the persistence mechanism; the task registration itself is not captured on this page.
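The chain worth hunting for here is a binary that one process drops into a ProgramData-style directory and that the task engine later starts with a random-looking switch. The following added example (my code, not tria.ge's) joins constructed file-creation and process-creation records modelled on this tree and flags task-engine children that live outside trusted directories, raising severity when the image was dropped earlier in the same trace. The 8.3 short-name table (PROGRA~3 to ProgramData and so on), the benign defrag.exe task, the explorer.exe parent and all parent PIDs are assumptions made for the example.

```python
"""Hunt: task-engine launch of a freshly dropped executable.
Added example; the events below are constructed from the process tree on this page."""

# 8.3 short names as they appear in sandbox traces.  The mapping is an
# assumption for this example; resolve them on the live host when you can.
SHORT_NAMES = {
    "PROGRA~1": "Program Files",
    "PROGRA~2": "Program Files (x86)",
    "PROGRA~3": "ProgramData",
}
TASK_HOSTS = {"taskeng.exe"}           # Windows 7 task host seen in this report
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed file-creation events (paths and processes from the IoC rows above).
FILE_EVENTS = [
    {"op": "create", "path": r"C:\PROGRA~3\Mozilla\suvkbwn.exe",
     "process": "NEAS.098aeeead8bcc2fc053a4a7af5db4190.exe", "pid": 2868},
    {"op": "create", "path": r"C:\PROGRA~3\Mozilla\wfwcssm.dll",
     "process": "suvkbwn.exe", "pid": 2760},
]

# Constructed process-creation events.  PIDs 2868/2648/2760 and command lines come
# from the tree above; the explorer.exe parent, parent PIDs and the defrag.exe
# scheduled job (PID 3100) are invented so the hunt has a benign case to ignore.
PROC_EVENTS = [
    {"pid": 2868, "ppid": 1500, "parent": "explorer.exe",
     "image": r"C:\Users\Admin\AppData\Local\Temp\NEAS.098aeeead8bcc2fc053a4a7af5db4190.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\NEAS.098aeeead8bcc2fc053a4a7af5db4190.exe"'},
    {"pid": 2648, "ppid": 800, "parent": "svchost.exe",
     "image": r"C:\Windows\system32\taskeng.exe",
     "cmdline": r"taskeng.exe {FB9B440D-BAFA-4EDF-95CF-6CE43F686099} S-1-5-18:NT AUTHORITY\System:Service:"},
    {"pid": 2760, "ppid": 2648, "parent": "taskeng.exe",
     "image": r"C:\PROGRA~3\Mozilla\suvkbwn.exe",
     "cmdline": r"C:\PROGRA~3\Mozilla\suvkbwn.exe -tlhykym"},
    {"pid": 3100, "ppid": 2648, "parent": "taskeng.exe",
     "image": r"C:\Windows\System32\defrag.exe",
     "cmdline": r"C:\Windows\System32\defrag.exe -c -h -o"},
]


def canonical(path):
    """Expand known 8.3 segments and lower-case the path so that the dropped-file
    path and the executed-image path compare equal."""
    parts = [SHORT_NAMES.get(seg.upper(), seg) for seg in path.split("\\")]
    return "\\".join(parts).lower()


def hunt_task_launched_drops(proc_events, file_events):
    """Return one finding per task-engine child whose image is outside the trusted
    directories.  Severity is 'high' when the same path was created earlier by
    another process in the trace (drop-then-schedule), otherwise 'medium'."""
    dropped_exes = {
        canonical(e["path"]): e["process"]
        for e in file_events
        if e["op"] == "create" and e["path"].lower().endswith(".exe")
    }
    findings = []
    for p in proc_events:
        if p["parent"].lower() not in TASK_HOSTS:
            continue
        image = canonical(p["image"])
        if image.startswith(TRUSTED_DIRS):
            continue                      # defrag.exe and other built-in jobs
        dropper = dropped_exes.get(image)
        findings.append({
            "pid": p["pid"],
            "image": image,
            "cmdline": p["cmdline"],
            "short_name_path": "~" in p["image"],   # 8.3 paths are unusual in task actions
            "dropped_by": dropper,
            "severity": "high" if dropper else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in hunt_task_launched_drops(PROC_EVENTS, FILE_EVENTS):
        print(f)
```

On the constructed data the only finding is PID 2760: its canonical path matches the file the sample created, so it is reported as high severity with the dropper named. Extend TASK_HOSTS for the Windows 10 task, where the Schedule service runs inside svchost.exe rather than taskeng.exe, before using this against behavioral2-style telemetry.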
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.5MB
MD5: 1db5089a72da7f0ddce4049fc58b1c98
SHA1: b69ff9d14af215dfa22e273b002aef0295b7e222
SHA256: 8a1abdee2341c59ec689c334a73051ec9a25d66e8fd4e6c7b118a5ca9b5e40a8
SHA512: 072c13a70d3027985d6268db90dcdafde5435c31643f11eb4e051a50c75f4419a3ae874f136735097fdd0d46ea72dd661eef48419e64b5a5c600efc8fe5d8eb2
(listed twice on the page with identical hashes; the page does not name the file)

These hashes differ from those of the submitted sample under General, so this download is a different 2.5MB file, not a copy of the original.