Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
130s -
platform
windows10-1703_x64 -
resource
win10-20231215-en -
resource tags
arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system -
submitted
12/02/2024, 20:19
Behavioral task
behavioral1
Sample
hahahahahahahahahahahahah/cheeto.exe
Resource
win10-20231215-en
windows10-1703-x64
14 signatures
150 seconds
General
-
Target
hahahahahahahahahahahahah/login.exe
-
Size
429KB
-
MD5
b88444cf2c03ce4efe2a1608a379ee53
-
SHA1
68d9285ee72288656c258cf9db9c564226a48ddb
-
SHA256
d70e292a21ebc5ca1675ca585bcae52a51aad4bcee9bbbaf44b0a2cc635b64c7
-
SHA512
7c9e116a417f2a15d2ca3f70b61697c9e34b6131b12221032cde9d64c41993f6f8cfa34196ed99122aa34d59159955d6362827f0d4eee1688bce465539e8d633
-
SSDEEP
12288:Zt5NpMGK6Ia5Jr4IQAvq3eSKXvVZhuwxHvh:Zt5NGGzIo3QSqOS+VZhT
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ loader.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion loader.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion loader.exe -
Executes dropped EXE 1 IoCs
pid Process 300 loader.exe -
resource yara_rule behavioral2/files/0x000700000001abe6-2.dat themida behavioral2/memory/300-4-0x00007FF7FDAF0000-0x00007FF7FE58F000-memory.dmp themida behavioral2/memory/300-6-0x00007FF7FDAF0000-0x00007FF7FE58F000-memory.dmp themida behavioral2/memory/300-7-0x00007FF7FDAF0000-0x00007FF7FE58F000-memory.dmp themida behavioral2/memory/300-8-0x00007FF7FDAF0000-0x00007FF7FE58F000-memory.dmp themida behavioral2/memory/300-9-0x00007FF7FDAF0000-0x00007FF7FE58F000-memory.dmp themida behavioral2/memory/300-10-0x00007FF7FDAF0000-0x00007FF7FE58F000-memory.dmp themida behavioral2/memory/300-11-0x00007FF7FDAF0000-0x00007FF7FE58F000-memory.dmp themida behavioral2/memory/300-12-0x00007FF7FDAF0000-0x00007FF7FE58F000-memory.dmp themida behavioral2/memory/300-13-0x00007FF7FDAF0000-0x00007FF7FE58F000-memory.dmp themida behavioral2/memory/300-24-0x00007FF7FDAF0000-0x00007FF7FE58F000-memory.dmp themida -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA loader.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 300 loader.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\rescache\_merged\1601268389\3877292338.pri taskmgr.exe File created C:\Windows\rescache\_merged\4183903823\810424605.pri taskmgr.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 300 loader.exe 636 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 636 taskmgr.exe Token: SeSystemProfilePrivilege 636 taskmgr.exe Token: SeCreateGlobalPrivilege 636 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe 636 taskmgr.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 300 loader.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 740 wrote to memory of 212 740 login.exe 75 PID 740 wrote to memory of 212 740 login.exe 75 PID 212 wrote to memory of 300 212 cmd.exe 76 PID 212 wrote to memory of 300 212 cmd.exe 76 PID 300 wrote to memory of 4388 300 loader.exe 77 PID 300 wrote to memory of 4388 300 loader.exe 77 PID 4388 wrote to memory of 5048 4388 cmd.exe 79 PID 4388 wrote to memory of 5048 4388 cmd.exe 79 PID 4388 wrote to memory of 1356 4388 cmd.exe 80 PID 4388 wrote to memory of 1356 4388 cmd.exe 80 PID 4388 wrote to memory of 3208 4388 cmd.exe 81 PID 4388 wrote to memory of 3208 4388 cmd.exe 81
Processes
-
C:\Users\Admin\AppData\Local\Temp\hahahahahahahahahahahahah\login.exe"C:\Users\Admin\AppData\Local\Temp\hahahahahahahahahahahahah\login.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:740 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe2⤵
- Suspicious use of WriteProcessMemory
PID:212 -
C:\Users\Admin\AppData\Roaming\celex-v2\loader.exeC:\Users\Admin\AppData\Roaming\celex-v2\loader.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:300 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"4⤵
- Suspicious use of WriteProcessMemory
PID:4388 -
C:\Windows\system32\certutil.execertutil -hashfile "C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe" MD55⤵PID:5048
-
-
C:\Windows\system32\find.exefind /i /v "md5"5⤵PID:1356
-
-
C:\Windows\system32\find.exefind /i /v "certutil"5⤵PID:3208
-
-
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:636
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2308
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.1MB
MD59ecdc9ed1bea6c226f92d740d43400b9
SHA1b5b5066cd4284733d8c3f3d7de3ca6653091ae10
SHA25660c57f14c2e0e0df0bda16646b21dddceaee0159dafbbb8daba310d4e1b5be6c
SHA51230bc705a2438288e3647d5adfc6119d751823970972b9c6b39a60384a2b7ac261986026b8d1c0b0ca7ee3d7e95363c97b873fdc5fad4096c903cb4e15bf57e43