Analysis

  • max time kernel
    0s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/01/2024, 16:08

General

  • Target

    4970dee8c864320603916a13c6c46299.exe

  • Size

    564KB

  • MD5

    4970dee8c864320603916a13c6c46299

  • SHA1

    7f3b7fd826d10c424babe6b1072cdc907584b864

  • SHA256

    069651cde82a485718fdb20a49db4288de3636b078640ad3a4fb181f53357a08

  • SHA512

    645578a35a140e80efad47761c2f590a22b07f6389b98174970672d90e4dc945124300da067a864211bd02d2ca84316d6c1929e939186421ddcf4d1ef6dd5490

  • SSDEEP

    12288:LNr8AzhxTY5O3R4YalsuKni4Lu9oSO4SVomdu3lW:LNrdxTQGzuoSyymdUE

Score
9/10

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4970dee8c864320603916a13c6c46299.exe
    "C:\Users\Admin\AppData\Local\Temp\4970dee8c864320603916a13c6c46299.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    PID:2320
    • C:\Users\Admin\AppData\Local\Temp\n1301\s1301.exe
      "C:\Users\Admin\AppData\Local\Temp\n1301\s1301.exe" ins.exe /h b04302.api.socdn.com /u 50d1d9d5-cf90-407c-820a-35e05bc06f2f /e 12902150 /v "C:\Users\Admin\AppData\Local\Temp\4970dee8c864320603916a13c6c46299.exe"
      2⤵
        PID:748
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
          dw20.exe -x -s 1832
          3⤵
            PID:3460
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 3900
          2⤵
          • Program crash
          PID:3444
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2320 -ip 2320
        1⤵
          PID:4952

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\n1301\s1301.exe

    Filesize
    411KB

    MD5
    13b0085a03720e67fb8c73db3f14609e

    SHA1
    ddf811f21e6c066b644d03e6751e16efb0fbecce

    SHA256
    f9449897f9ca99b99837ad322c8b6737e7a47e3827b6a4c073c6ca8911d8c340

    SHA512
    39b95dce14b3eea6f191d4dbaaff87ebbc8f3b6982e7b4ee5ebeed83d3b7397441665f25dec5eb9f8a1f3b12f4ddcd604d5852b781f592488263161c0d620e82

  • memory/748-15-0x0000000001730000-0x0000000001740000-memory.dmp

    Filesize
    64KB

  • memory/748-14-0x00007FFD1F5E0000-0x00007FFD1FF81000-memory.dmp

    Filesize
    9.6MB

  • memory/748-31-0x000000001C100000-0x000000001C10E000-memory.dmp

    Filesize
    56KB

  • memory/748-35-0x000000001D0C0000-0x000000001D15C000-memory.dmp

    Filesize
    624KB

  • memory/748-34-0x000000001CB50000-0x000000001D01E000-memory.dmp

    Filesize
    4.8MB

  • memory/748-36-0x0000000001730000-0x0000000001740000-memory.dmp

    Filesize
    64KB

  • memory/748-43-0x00007FFD1F5E0000-0x00007FFD1FF81000-memory.dmp

    Filesize
    9.6MB