Analysis
- max time kernel: 127s
- max time network: 136s
- platform: windows10-1703_x64
- resource: win10-20231020-en
- resource tags: arch:x64, arch:x86, image:win10-20231020-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 17/11/2023, 02:04
Static task: static1
Behavioral task: behavioral1
- Sample: Client.exe
- Resource: win10-20231020-en
General
- Target: Client.exe
- Size: 155KB
- MD5: f0f9059b432a34b30443060f061c0045
- SHA1: 729e35fcdd4e591631340b0a71a06516b9c106a6
- SHA256: 9ab2087e5aa3c59077d603470cd2eab19ec3e34320333707c244808bd54acaae
- SHA512: 694d1e338c66956d031bfd35392a9bc3546d86e7c5fc956a6a0b16f3260e43d644b0f04994a35d707ef7bb11523d7cdf786f9c86de9a78a1bb9c8e36a673e161
- SSDEEP: 3072:7Brq0Wi3FSJ3JA48E3qY7AfS/P/pXDPXtrcyWe7oFUG6EeRWb13+f:7B20WIFw5A48oPRDKyW2oFeEe4b
Malware Config
Signatures
- Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions (Client.exe)
- Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools (Client.exe)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Client.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Client.exe)
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 (Client.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (Client.exe)
- Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\rescache\_merged\1601268389\3877292338.pri (taskmgr.exe)
  File created: C:\Windows\rescache\_merged\4183903823\810424605.pri (taskmgr.exe)
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  PID 3836 taskmgr.exe (14 events)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeDebugPrivilege, PID 4900 Client.exe
  Token: SeDebugPrivilege, PID 3836 taskmgr.exe
  Token: SeSystemProfilePrivilege, PID 3836 taskmgr.exe
  Token: SeCreateGlobalPrivilege, PID 3836 taskmgr.exe
  Token: 33, PID 3836 taskmgr.exe
  Token: SeIncBasePriorityPrivilege, PID 3836 taskmgr.exe
- Suspicious use of FindShellTrayWindow (39 IoCs)
  PID 3836 taskmgr.exe (39 events)
- Suspicious use of SendNotifyMessage (39 IoCs)
  PID 3836 taskmgr.exe (39 events)
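One way to turn the registry IoCs above into detection logic, as an added example (Python; not part of the Triage report and not code from the sample): it parses behaviour-log lines in the form the report renders them ("<operation> <key path> <process>"), buckets each access into the anti-VM categories the signatures name (VirtualBox Guest Additions, VMware Tools, BIOS version values, Disk\Enum, SCSI disk enumeration), and only flags a process that probes several distinct artefacts. The line format, the rule names and the SAMPLE_LOG lines are constructed for the example; the key paths are the ones the report lists.

```python
"""Classify sandbox-evasion registry accesses in behaviour-log lines.

Added example, not part of the Triage report or of the analysed sample.
The input format (one "<operation> <registry path> <process>" line per
event, mirroring how the report renders its IoC rows) and the log lines in
SAMPLE_LOG are constructed for illustration; the registry paths themselves
are the ones the report lists.
"""
import re
from collections import defaultdict

# Registry paths that VM/sandbox-aware malware probes. Each rule is a
# (category, pattern) pair; patterns are matched against the full key path.
RULES = [
    ("virtualbox_guest_additions",
     re.compile(r"\\SOFTWARE\\Oracle\\VirtualBox Guest Additions$", re.I)),
    ("vmware_tools",
     re.compile(r"\\SOFTWARE\\VMware, Inc\.\\VMware Tools$", re.I)),
    ("bios_version",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I)),
    ("disk_enum",
     re.compile(r"\\Services\\Disk\\Enum(\\\d+)?$", re.I)),
    ("scsi_disk_enum",
     re.compile(r"\\Enum\\SCSI\\Disk&Ven_", re.I)),
]

OPERATIONS = ("Key opened", "Key value queried")


def parse_event(line):
    """Split '<operation> <path> <process>' into a dict, or None for other lines.

    The process name is the last whitespace-separated token, so key paths that
    contain spaces ("VMware, Inc.", "VirtualBox Guest Additions") parse cleanly.
    """
    line = line.strip()
    for op in OPERATIONS:
        if line.startswith(op + " "):
            path, sep, proc = line[len(op) + 1:].rpartition(" ")
            if not sep or not proc.lower().endswith(".exe"):
                return None
            return {"op": op, "path": path, "process": proc}
    return None


def classify_path(path):
    """Return the first matching rule category, or None if the path is uninteresting."""
    for category, pattern in RULES:
        if pattern.search(path):
            return category
    return None


def summarize(lines):
    """Return {process: {category: hit_count}} for events that match a rule."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        category = classify_path(event["path"])
        if category is not None:
            hits[event["process"]][category] += 1
    return {proc: dict(cats) for proc, cats in hits.items()}


def is_probing_sandbox(summary, process, min_categories=3):
    """Flag a process that touches several *distinct* VM/sandbox artefacts.

    A lone BIOS or disk lookup is common in benign software (installers,
    inventory agents), so one category is not enough; requiring several
    distinct categories keeps the false-positive rate down.
    """
    return len(summary.get(process, {})) >= min_categories


# Constructed log: the Client.exe and taskmgr.exe rows are the report's IoCs;
# the explorer.exe row and the last line are benign/junk filler.
SAMPLE_LOG = [
    r"Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions Client.exe",
    r"Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools Client.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Client.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Client.exe",
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 Client.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum Client.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe",
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe",
    r"Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion explorer.exe",
    "Token: SeDebugPrivilege 4900 Client.exe",
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for proc, cats in sorted(report.items()):
        flag = "SANDBOX-PROBE" if is_probing_sandbox(report, proc) else "ok"
        print(f"{proc:12s} {flag:14s} {cats}")
```

Run against the constructed log, Client.exe lands in four categories and is flagged, while taskmgr.exe only touches the SCSI enumeration keys and is not; that matches the split the report itself shows between the two process trees. The threshold in is_probing_sandbox is the tuning knob: lower it and ordinary inventory or installer software that reads SystemBiosVersion starts to trip the rule.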
Processes
- C:\Users\Admin\AppData\Local\Temp\Client.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  PID: 4900
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 3836
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

Both entries are root processes in the tree; the report records no parent-child link from Client.exe to taskmgr.exe, so the taskmgr.exe signatures (SCSI key reads, process enumeration, shell-tray and notify-message calls, files dropped under C:\Windows\rescache) cannot be attributed to the sample from this report alone. The behaviour the report ties to Client.exe itself is the set of anti-VM registry checks and the SeDebugPrivilege adjustment under PID 4900.