Analysis
- max time kernel: 122s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 02/02/2024, 16:53
Static task: static1
Behavioral task: behavioral1
- Sample: 8a098265737317cd7bf7bbef762b81c1.exe
- Resource: win7-20231215-en
General
- Target: 8a098265737317cd7bf7bbef762b81c1.exe
- Size: 2.2MB
- MD5: 8a098265737317cd7bf7bbef762b81c1
- SHA1: e1c206f8914af7b22b4cc0af74966723faefd1bd
- SHA256: 26ef72d7170fa0aa8ffab8695637d465040d1e51a8ba03a22855d7abfb902fbe
- SHA512: 1a66997af3559b58db357e021ccce53a5de87fa47c5fba4c175f930792b0c8b2ec43a67823df7112e9b662935bbc81b0f367912ab5d729ec076d8742df7a9d69
- SSDEEP: 24576:kJKWsWCN4jTYnUg5cb4xBNJhzuVy5rlZvUvb9CxxPkkz8V5p80kd2pkP4ij/v7IT:kJ2W/oUr4DNzzXrT4kMVfzhGN7es/K
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/850985103400108043/qMVlcxRCEtOy4d0lLo-ckGGqIgWka8O5mwrGC7NwW7qRJs5beglorhRUk-uRy4jQ1Cbz
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: 8a098265737317cd7bf7bbef762b81c1.exe)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: 8a098265737317cd7bf7bbef762b81c1.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: 8a098265737317cd7bf7bbef762b81c1.exe)
- Executes dropped EXE (2 IoCs)
  pid 2732: Insidious.exe
  pid 2740: Spy IDChanger (2).exe
- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Key opened: \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine (process: 8a098265737317cd7bf7bbef762b81c1.exe)
- Loads dropped DLL (2 IoCs)
  pid 2088: 8a098265737317cd7bf7bbef762b81c1.exe
  pid 2088: 8a098265737317cd7bf7bbef762b81c1.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks whether UAC is enabled (1 IoC)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: 8a098265737317cd7bf7bbef762b81c1.exe)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 4: freegeoip.app
  flow 5: freegeoip.app
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid 2088: 8a098265737317cd7bf7bbef762b81c1.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 (process: Insidious.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (process: Insidious.exe)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid 2088: 8a098265737317cd7bf7bbef762b81c1.exe
  pid 2740: Spy IDChanger (2).exe
  pid 2732: Insidious.exe
  pid 2732: Insidious.exe
  pid 2732: Insidious.exe
  pid 2732: Insidious.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege (pid 2732, Insidious.exe)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2088 wrote to memory of 2732 (pid 2088, 8a098265737317cd7bf7bbef762b81c1.exe, procid_target 28)
  PID 2088 wrote to memory of 2732 (pid 2088, 8a098265737317cd7bf7bbef762b81c1.exe, procid_target 28)
  PID 2088 wrote to memory of 2732 (pid 2088, 8a098265737317cd7bf7bbef762b81c1.exe, procid_target 28)
  PID 2088 wrote to memory of 2732 (pid 2088, 8a098265737317cd7bf7bbef762b81c1.exe, procid_target 28)
  PID 2088 wrote to memory of 2740 (pid 2088, 8a098265737317cd7bf7bbef762b81c1.exe, procid_target 29)
  PID 2088 wrote to memory of 2740 (pid 2088, 8a098265737317cd7bf7bbef762b81c1.exe, procid_target 29)
  PID 2088 wrote to memory of 2740 (pid 2088, 8a098265737317cd7bf7bbef762b81c1.exe, procid_target 29)
  PID 2088 wrote to memory of 2740 (pid 2088, 8a098265737317cd7bf7bbef762b81c1.exe, procid_target 29)
Processes
- C:\Users\Admin\AppData\Local\Temp\8a098265737317cd7bf7bbef762b81c1.exe (depth 1, PID 2088)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8a098265737317cd7bf7bbef762b81c1.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\Insidious.exe (depth 2, PID 2732)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\Spy IDChanger (2).exe (depth 2, PID 2740)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Spy IDChanger (2).exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads