Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
0s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system -
submitted
07/01/2024, 16:08
Static task
static1
Behavioral task
behavioral1
Sample
4970dee8c864320603916a13c6c46299.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
4970dee8c864320603916a13c6c46299.exe
Resource
win10v2004-20231222-en
General
-
Target
4970dee8c864320603916a13c6c46299.exe
-
Size
564KB
-
MD5
4970dee8c864320603916a13c6c46299
-
SHA1
7f3b7fd826d10c424babe6b1072cdc907584b864
-
SHA256
069651cde82a485718fdb20a49db4288de3636b078640ad3a4fb181f53357a08
-
SHA512
645578a35a140e80efad47761c2f590a22b07f6389b98174970672d90e4dc945124300da067a864211bd02d2ca84316d6c1929e939186421ddcf4d1ef6dd5490
-
SSDEEP
12288:LNr8AzhxTY5O3R4YalsuKni4Lu9oSO4SVomdu3lW:LNrdxTQGzuoSyymdUE
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 4970dee8c864320603916a13c6c46299.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 3444 2320 WerFault.exe 14 -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS 4970dee8c864320603916a13c6c46299.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer 4970dee8c864320603916a13c6c46299.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2320 4970dee8c864320603916a13c6c46299.exe 2320 4970dee8c864320603916a13c6c46299.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4970dee8c864320603916a13c6c46299.exe"C:\Users\Admin\AppData\Local\Temp\4970dee8c864320603916a13c6c46299.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:2320 -
C:\Users\Admin\AppData\Local\Temp\n1301\s1301.exe"C:\Users\Admin\AppData\Local\Temp\n1301\s1301.exe" ins.exe /h b04302.api.socdn.com /u 50d1d9d5-cf90-407c-820a-35e05bc06f2f /e 12902150 /v "C:\Users\Admin\AppData\Local\Temp\4970dee8c864320603916a13c6c46299.exe"2⤵PID:748
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 18323⤵PID:3460
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 39002⤵
- Program crash
PID:3444
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2320 -ip 23201⤵PID:4952
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
411KB
MD513b0085a03720e67fb8c73db3f14609e
SHA1ddf811f21e6c066b644d03e6751e16efb0fbecce
SHA256f9449897f9ca99b99837ad322c8b6737e7a47e3827b6a4c073c6ca8911d8c340
SHA51239b95dce14b3eea6f191d4dbaaff87ebbc8f3b6982e7b4ee5ebeed83d3b7397441665f25dec5eb9f8a1f3b12f4ddcd604d5852b781f592488263161c0d620e82