Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 121s
max time network: 129s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 31/12/2023, 03:47
Behavioral task: behavioral1
Sample: 26de7dce5b03de18618ccffacb5e80b3.dll
Resource: win7-20231215-en
6 signatures
150 seconds
General
Target: 26de7dce5b03de18618ccffacb5e80b3.dll
Size: 2.2MB
MD5: 26de7dce5b03de18618ccffacb5e80b3
SHA1: d60913ea70a875abff085c14be1a8297c1308941
SHA256: f4bcf6c24b99666c523f2364ff26e23931e8e594af5b4527a0cdc98dbfe72b0f
SHA512: 1f78395a169e4d8f27aad962d386fd55b1d4c453ebd33fc3221b95afac5a7d44e54fa52e0f5719c561ab318dd72cad588017a8f3518db9c0f089da2b482b54db
SSDEEP: 49152:HReqHgVbX92fshlPs/T/ZKiWCwsLD06xQn+/F3Q1sBp1b9Mos1KM6J:HRRAdgkfs/A+pLPxQ+93QSBr9DJ
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rundll32.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rundll32.exe

resource | yara_rule
behavioral1/memory/1892-0-0x0000000010000000-0x00000000105F3000-memory.dmp | themida
behavioral1/memory/1892-1-0x0000000010000000-0x00000000105F3000-memory.dmp | themida
behavioral1/memory/1892-2-0x0000000010000000-0x00000000105F3000-memory.dmp | themida
behavioral1/memory/1892-3-0x0000000010000000-0x00000000105F3000-memory.dmp | themida

Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
pid | Process
1892 | rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 1680 wrote to memory of 1892 | 1680 | rundll32.exe | 14
PID 1680 wrote to memory of 1892 | 1680 | rundll32.exe | 14
PID 1680 wrote to memory of 1892 | 1680 | rundll32.exe | 14
PID 1680 wrote to memory of 1892 | 1680 | rundll32.exe | 14
PID 1680 wrote to memory of 1892 | 1680 | rundll32.exe | 14
PID 1680 wrote to memory of 1892 | 1680 | rundll32.exe | 14
PID 1680 wrote to memory of 1892 | 1680 | rundll32.exe | 14
Processes

C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\26de7dce5b03de18618ccffacb5e80b3.dll,#1
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID: 1892

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\26de7dce5b03de18618ccffacb5e80b3.dll,#1
- Suspicious use of WriteProcessMemory
PID: 1680