Analysis
- max time kernel: 138s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/01/2024, 15:51
Behavioral task: behavioral1
- Sample: cheeto.exe
- Resource: win7-20231129-en
- 5 signatures
- 150 seconds
General
- Target: cheeto.exe
- Size: 3.9MB
- MD5: ec4784eb214b390523ce00434c723e1f
- SHA1: 2d6b5be71ce1547dfbcd209136d38925f4b4762f
- SHA256: b52ca43121ef221e8de12a924e13239844d879c78d149a1085ca417b41487f9c
- SHA512: c46ccd44a68fc1b424dfe5df889e896ae2741b764a58d333793dc5f247f4c6ec8d2867761bdd6ccfe258dcff982703e222402712d0de5b8e74317ff40873c973
- SSDEEP: 98304:DTAMLsl1C6SnTepFEKtAflzVU8fc4nf0jsfHld98NsaePZ:DTAde6eifEKtAfpVUqc4fAwd98CaeR
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  description: Key opened
  ioc: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
  Process: cheeto.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  Process: cheeto.exe
  description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
  Process: cheeto.exe
- YARA rule matches (yara_rule: themida) on the following resources:
  behavioral2/memory/4684-0-0x00007FF6EBB10000-0x00007FF6EC569000-memory.dmp
  behavioral2/memory/4684-1-0x00007FF6EBB10000-0x00007FF6EC569000-memory.dmp
  behavioral2/memory/4684-2-0x00007FF6EBB10000-0x00007FF6EC569000-memory.dmp
  behavioral2/memory/4684-3-0x00007FF6EBB10000-0x00007FF6EC569000-memory.dmp
  behavioral2/memory/4684-4-0x00007FF6EBB10000-0x00007FF6EC569000-memory.dmp
  behavioral2/memory/4684-5-0x00007FF6EBB10000-0x00007FF6EC569000-memory.dmp
  behavioral2/memory/4684-6-0x00007FF6EBB10000-0x00007FF6EC569000-memory.dmp
  behavioral2/memory/4684-7-0x00007FF6EBB10000-0x00007FF6EC569000-memory.dmp
  behavioral2/memory/4684-13-0x00007FF6EBB10000-0x00007FF6EC569000-memory.dmp
  behavioral2/memory/4684-14-0x00007FF6EBB10000-0x00007FF6EC569000-memory.dmp
  behavioral2/memory/4684-15-0x00007FF6EBB10000-0x00007FF6EC569000-memory.dmp
- Checks whether UAC is enabled
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Process: cheeto.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description / pid / Process / procid_target:
  PID 4684 wrote to memory of 3396 / 4684 / cheeto.exe / 88
  PID 4684 wrote to memory of 3396 / 4684 / cheeto.exe / 88
  PID 3396 wrote to memory of 3356 / 3396 / cmd.exe / 90
  PID 3396 wrote to memory of 3356 / 3396 / cmd.exe / 90
  PID 3396 wrote to memory of 4492 / 3396 / cmd.exe / 91
  PID 3396 wrote to memory of 4492 / 3396 / cmd.exe / 91
  PID 3396 wrote to memory of 2100 / 3396 / cmd.exe / 92
  PID 3396 wrote to memory of 2100 / 3396 / cmd.exe / 92
Processes
- C:\Users\Admin\AppData\Local\Temp\cheeto.exe (PID 4684)
  command line: "C:\Users\Admin\AppData\Local\Temp\cheeto.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 3396)
    command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\cheeto.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\certutil.exe (PID 3356)
      command line: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\cheeto.exe" MD5
    - C:\Windows\system32\find.exe (PID 4492)
      command line: find /i /v "md5"
    - C:\Windows\system32\find.exe (PID 2100)
      command line: find /i /v "certutil"