Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/01/2024, 10:02
Static task: static1
Behavioral task: behavioral1
Sample: 48ad7db5fb10dd9b1c6817d5a9c34865.exe
Resource: win7-20231215-en
General
Target: 48ad7db5fb10dd9b1c6817d5a9c34865.exe
Size: 2.2MB
MD5: 48ad7db5fb10dd9b1c6817d5a9c34865
SHA1: 2fd68670f13f6335a2361fbdd7ed6c36b9f4863c
SHA256: 44cf30bb3e4623c4374ab4132bd419d3a63f119b36eaf66f1a5258e36df3b60a
SHA512: 7782826d586098b94e2c10a801881e0104784406d9d496c98b2932a33b28f2b0724be7eb25f158223f84483795b4bb768f7e2ad15799c9cb4b2577888909c3fb
SSDEEP: 49152:pSezyzdsk+1US6FOZyj2Zi8kwUP+9uNMYuv+ShQFZS:pSdsk+ySemg2Iw0+YChv+Shx
Malware Config
Extracted
Family: 44caliber
Webhook (exfiltration): https://discord.com/api/webhooks/850985103400108043/qMVlcxRCEtOy4d0lLo-ckGGqIgWka8O5mwrGC7NwW7qRJs5beglorhRUk-uRy4jQ1Cbz
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
A DSDT table named VBOX__ under HARDWARE\ACPI is only present in VirtualBox guests, so opening this key is a direct hypervisor check.
Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (48ad7db5fb10dd9b1c6817d5a9c34865.exe)

Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments; on a VM these strings carry the hypervisor vendor name.
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (48ad7db5fb10dd9b1c6817d5a9c34865.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (48ad7db5fb10dd9b1c6817d5a9c34865.exe)

Checks computer location settings 2 TTPs 1 IoCs
Looks up the country configured in the registry, likely a geofence. The Geo\Nation value holds the user's Windows GeoID (a decimal number), not an ISO country code.
Key value queried: \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation (48ad7db5fb10dd9b1c6817d5a9c34865.exe)

Executes dropped EXE 2 IoCs
PID 4624: Insidious — копия.exe
PID 2808: 12312.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications and is used by some sandboxes; the Software\Wine key is created by Wine and is absent on a real Windows install.
Key opened: \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Wine (48ad7db5fb10dd9b1c6817d5a9c34865.exe)

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Checks whether UAC is enabled 1 IoCs
A value of 0 in EnableLUA means UAC is disabled on the host.
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (48ad7db5fb10dd9b1c6817d5a9c34865.exe)

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 14: freegeoip.app
flow 18: freegeoip.app

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Calling NtSetInformationThread with ThreadHideFromDebugger (0x11) stops an attached debugger from receiving events for that thread; it is a common anti-debugging step.
PID 4976: 48ad7db5fb10dd9b1c6817d5a9c34865.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 (Insidious — копия.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (Insidious — копия.exe)

Suspicious behavior: EnumeratesProcesses 8 IoCs
PID 4976: 48ad7db5fb10dd9b1c6817d5a9c34865.exe (2 events)
PID 4624: Insidious — копия.exe (4 events)
PID 2808: 12312.exe (2 events)

Suspicious use of AdjustPrivilegeToken 1 IoCs
Token: SeDebugPrivilege, PID 4624: Insidious — копия.exe

Suspicious use of WriteProcessMemory 5 IoCs
PID 4976 (48ad7db5fb10dd9b1c6817d5a9c34865.exe) wrote to memory of 4624, procid_target 82 (2 events)
PID 4976 (48ad7db5fb10dd9b1c6817d5a9c34865.exe) wrote to memory of 2808, procid_target 81 (3 events)
Both targets are the two child processes that 4976 itself spawns, so these writes are consistent with the dropper populating processes it has just created rather than injecting into an unrelated process.
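As an added example (not code from tria.ge or from the sample), the script below takes the registry IoCs listed in the Signatures section and sorts them into the anti-VM, anti-sandbox, geofence and reconnaissance checks they implement, then decodes the Discord webhook from the Malware Config: a webhook id is a Discord snowflake whose upper 42 bits encode its creation time, which gives a dating pivot for the infrastructure. The registry paths, process names and webhook URL are copied from the report; the interpretation table and its wording are the editor's own.

```python
"""Classify the registry IoCs from a tria.ge report and decode the Discord
webhook from the extracted config.

Added example; not code from tria.ge or from the sample. Registry paths,
process names and the webhook URL are copied from the report above; the
interpretation table (ANTI_ANALYSIS_KEYS) is the editor's own reading.
"""
import re
from datetime import datetime, timezone

# Lower-case path fragments that sandbox-evasion code commonly reads, mapped to
# the kind of check and what the value gives away on a VM or emulator.
ANTI_ANALYSIS_KEYS = {
    r"hardware\acpi\dsdt\vbox__": (
        "anti-vm", "DSDT table named VBOX__ is only present in VirtualBox guests"),
    r"description\system\systembiosversion": (
        "anti-vm", "system BIOS string carries the hypervisor vendor (VBOX, VMware, QEMU, Bochs)"),
    r"description\system\videobiosversion": (
        "anti-vm", "video BIOS string names the virtual display adapter"),
    r"system\centralprocessor\0": (
        "anti-vm", "CPU Identifier/vendor; emulators and some VMs report atypical values"),
    r"software\wine": (
        "anti-sandbox", "Software\\Wine key is created by Wine and absent on real Windows"),
    r"control panel\international\geo\nation": (
        "geofence", "Windows GeoID of the configured country, used to skip some regions"),
    r"policies\system\enablelua": (
        "recon", "EnableLUA = 0 means UAC is disabled"),
}

# (operation, registry path, process) exactly as listed in the Signatures section.
REPORT_IOCS = [
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", "48ad7db5fb10dd9b1c6817d5a9c34865.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", "48ad7db5fb10dd9b1c6817d5a9c34865.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", "48ad7db5fb10dd9b1c6817d5a9c34865.exe"),
    ("Key value queried", r"\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation", "48ad7db5fb10dd9b1c6817d5a9c34865.exe"),
    ("Key opened", r"\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Wine", "48ad7db5fb10dd9b1c6817d5a9c34865.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "48ad7db5fb10dd9b1c6817d5a9c34865.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0", "Insidious — копия.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier", "Insidious — копия.exe"),
]

WEBHOOK_URL = ("https://discord.com/api/webhooks/850985103400108043/"
               "qMVlcxRCEtOy4d0lLo-ckGGqIgWka8O5mwrGC7NwW7qRJs5beglorhRUk-uRy4jQ1Cbz")

DISCORD_EPOCH_MS = 1_420_070_400_000  # 2015-01-01T00:00:00Z, start of the Discord snowflake epoch
WEBHOOK_RE = re.compile(r"https://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/(\d+)/([\w-]+)")


def classify_registry_ioc(operation: str, path: str, process: str) -> dict:
    """Label one 'Key opened' / 'Key value queried' row; unknown paths become 'other'."""
    low = path.lower()
    for fragment, (category, meaning) in ANTI_ANALYSIS_KEYS.items():
        if fragment in low:
            return {"operation": operation, "path": path, "process": process,
                    "category": category, "meaning": meaning}
    return {"operation": operation, "path": path, "process": process,
            "category": "other", "meaning": ""}


def summarize(iocs) -> dict:
    """Group rows by category -> list of (process, path)."""
    grouped = {}
    for operation, path, process in iocs:
        row = classify_registry_ioc(operation, path, process)
        grouped.setdefault(row["category"], []).append((process, path))
    return grouped


def parse_discord_webhook(url: str) -> dict:
    """Split a webhook URL into id/token and recover the creation time from the
    snowflake id: bits 22 and up are milliseconds since the Discord epoch."""
    match = WEBHOOK_RE.fullmatch(url.strip())
    if not match:
        raise ValueError("not a Discord webhook URL")
    webhook_id, token = int(match.group(1)), match.group(2)
    created_ms = (webhook_id >> 22) + DISCORD_EPOCH_MS
    return {"id": webhook_id, "token": token,
            "created_at": datetime.fromtimestamp(created_ms / 1000, tz=timezone.utc)}


if __name__ == "__main__":
    for category, hits in summarize(REPORT_IOCS).items():
        print(f"{category}:")
        for process, path in hits:
            print(f"  {process} -> {path}")
    hook = parse_discord_webhook(WEBHOOK_URL)
    print(f"webhook {hook['id']} created {hook['created_at']:%Y-%m-%d %H:%M:%S} UTC")
```

The webhook id decodes to a creation date in June 2021, well before the 2024 submission date, so the same endpoint has been reused across builds; the token is the secret that lets anyone post to (or, via a GET on the same URL, read the name and channel of) the webhook, which is why reporting it to Discord is the usual takedown route.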
Processes

C:\Users\Admin\AppData\Local\Temp\48ad7db5fb10dd9b1c6817d5a9c34865.exe (PID 4976)
  Command line: "C:\Users\Admin\AppData\Local\Temp\48ad7db5fb10dd9b1c6817d5a9c34865.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\12312.exe (PID 2808, child of 4976)
    Command line: "C:\Users\Admin\AppData\Local\Temp\12312.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

  C:\Users\Admin\AppData\Local\Temp\Insidious — копия.exe (PID 4624, child of 4976)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Insidious — копия.exe"
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
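The WriteProcessMemory rows and the process tree above are only meaningful together: a parent writing into a child it has just created is what every dropper looks like, while a write into a process the sample did not create is the injection pattern. The added example below (not part of the tria.ge report) performs that cross-check. PROCESSES and WRITES are copied from the report; CONSTRUCTED_WRITE is a made-up event that was not observed, included only to exercise the cross-process branch.

```python
"""Cross-check WriteProcessMemory events against the process tree.

Added example, not part of the tria.ge report. PROCESSES and WRITES are
copied from the Processes and Signatures sections; CONSTRUCTED_WRITE is
made up to exercise the cross-process branch and was not observed.
"""
from collections import Counter

# (pid, image, parent pid); the root's parent is outside the tree, hence None.
PROCESSES = [
    (4976, "48ad7db5fb10dd9b1c6817d5a9c34865.exe", None),
    (2808, "12312.exe", 4976),
    (4624, "Insidious — копия.exe", 4976),
]

# (writer pid, target pid), one entry per row of 'Suspicious use of WriteProcessMemory'.
WRITES = [(4976, 4624), (4976, 4624), (4976, 2808), (4976, 2808), (4976, 2808)]

# Constructed, not in the report: the dropped child writing into a PID outside the tree.
CONSTRUCTED_WRITE = (4624, 1337)


def classify_writes(processes, writes):
    """Aggregate writes per (writer, target) pair and label the relationship.

    'child'   - target is a direct child of the writer: a parent setting up a
                process it just created; low signal on its own.
    'in-tree' - target is elsewhere in the sample's own tree (sibling or
                grandchild): unusual and worth a look.
    'foreign' - target is not a process the sample created: the classic
                injection pattern (explorer.exe, a browser, ...).
    """
    parent = {pid: ppid for pid, _, ppid in processes}
    image = {pid: img for pid, img, _ in processes}
    records = []
    for (writer, target), count in sorted(Counter(writes).items()):
        if parent.get(target) == writer:
            relation = "child"
        elif target in parent:
            relation = "in-tree"
        else:
            relation = "foreign"
        records.append({
            "writer": writer, "writer_image": image.get(writer, "?"),
            "target": target, "target_image": image.get(target, "?"),
            "writes": count, "relation": relation,
        })
    return records


def injection_candidates(records):
    """Keep only writes whose target is not the writer's own child."""
    return [r for r in records if r["relation"] != "child"]


if __name__ == "__main__":
    for r in classify_writes(PROCESSES, WRITES + [CONSTRUCTED_WRITE]):
        print(f"{r['writer']} ({r['writer_image']}) -> {r['target']} "
              f"({r['target_image']}): {r['writes']} write(s), {r['relation']}")
```

On the report's own data every write is classified as 'child' and the candidate list is empty; only the constructed event surfaces as 'foreign'. The same check applies to any sandbox that reports parent PIDs alongside cross-process writes.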
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 60KB
MD5: f18cf2c76c5e8283a9d81640b198e01b
SHA1: 29d2b98d71a263ee319cc65109e7325604d203d0
SHA256: b54d12aafa616be9524995f8df0527848776c08432556c178667e1429744e34d
SHA512: 9543bd395281d41c7fafc470812bb920cbd70b918c864b3b245451a2b679ab621401c4857c8da000f952ae73e3c3f084aaaf74a15dc91966caf7680b84f1da04

Filesize: 274KB
MD5: cc0f9ce3587d6a0ee7390ccf8567b764
SHA1: 0d6b82a85b3ccf11a01482832fcb28e8f97ed68c
SHA256: 7ce1e233b1994f4db7ded9540bc77f86608a8fed62ed9f58a36aedb9be3723b8
SHA512: b56fe5774b378c5dc6c73f9807e07062286b20077cf6a2ba4328d40ae597c0896dd97f955571893fad9e2e88eecd8fb7ffee84261caaee0171cd33e04452e160

Filesize: 1013B
MD5: 21f2494811ad8090d37728f655b2ac83
SHA1: c0a7fb5b68e96b01057cf271e7c773335a6563b4
SHA256: 219275ecde00dd7361331f4ee87531cbb8bf0c7b961ad18c3bfcfc06b05ae94d
SHA512: f7b604b97f9bc226b2f89541900f80872125d014707a92afb5996f591ba65631661ef46541ff4433e855466d419b0a2e5d33ad61dd021840edeb1cbf634f75d1

Filesize: 1KB
MD5: b8d5d191df018ff40db08abace90b4c8
SHA1: 65e3ac38167a4d624c59c2f385398ebcdd73c160
SHA256: c65ead65ee35edd71773c2d110a5fc2c761bbe469913e0be71ce383e6b0662f7
SHA512: 08850f90e8f69e9e10460054eb1f5fa5bb59f28bc0bf8805acfc73dfefd0aa9f3e4a1c12cd4b16b81746ff6672d74c37961fb6c081ab1ff45b9289ff29176d2f

Filesize: 1KB
MD5: 6fee405d6806fb462c7427b362695935
SHA1: 65191f338fec4d6dabb6195524daf29f61a2d137
SHA256: 4ee9ab9ad765ece3fd26f92fd2be5fe50f7f0b61ad9909d830441c566193fcad
SHA512: e45c02c8826b4321d081a93b654e0e33a446bada3156a1162e0f3e389e2037d0636dd91348e5a7a4fdd075e866fe7c5bbef6c1b6867560f0b7e67aae62a96233

Filesize: 465B
MD5: 5d1051b2c74ce3ef4abbc8e6d99fdcef
SHA1: d21ccb43418123147058fda7756593553c3cf2dd
SHA256: ed7b9c9493e8f75e19c5f4c3662eb11f02c8a8d0839b1b2c8bba26e85c473020
SHA512: 2b4ce7c15040c79798a29be883315e5e3a28d98d5d8171565987a301fd1731ae859c2b49c0fdd1bc80f0ba3a6dafb9bc4c6f98b6363de7416d61a14bbd57c88b

Filesize: 681B
MD5: d5635f034b677b820e923a72a88444fa
SHA1: c204e0d72afe36cf930410d7f6842e5a9e14bfaa
SHA256: b19345dcf40604c47849056860e26eecb0321c6e1a6a97e2d90ff62578cd69fe
SHA512: 98ea0f93a4a0b7a5e926e85faed6f980a3745abab265c33cf5dc84653bdbe2d16f7140ac555ac0f11fc75ac6f2535bf239e2942b461d8147b1d878b6a4fde6bd