Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

9

Static

static

7

ah2NVN512h...02.exe

windows7-x64

9

ah2NVN512h...02.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    9s
  • max time network
    25s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/02/2024, 11:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ah2NVN512h59PrXPv4xYOy02.exe

  • Size

    12.8MB

  • MD5

    3363424d564a15bcaeca459b49e144b0

  • SHA1

    2fc1750ccc4580c61835a109327bfe677d5aa902

  • SHA256

    ab7b22e489c6b1f69d6341822f9ebdb52e9b093ae1fccafa70209c6b5050fabe

  • SHA512

    0de22ea48a738a4ed72c7b503f51493929e25fef62ac3955d991985990931c75bda451b36801cea476355fb801826d30d25f6414fb79acf16a252449d19472f9

  • SSDEEP

    393216:QdI/0NmUh9fSzLjXKyKolMF80r814ashA3Kuq:Qw0NPbUj1KSN0r8CaCAE

Score
9/10
evasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 9 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ah2NVN512h59PrXPv4xYOy02.exe
    "C:\Users\Admin\AppData\Local\Temp\ah2NVN512h59PrXPv4xYOy02.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2512
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\ah2NVN512h59PrXPv4xYOy02.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      2⤵
        PID:4948
        • C:\Windows\system32\certutil.exe
          certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\ah2NVN512h59PrXPv4xYOy02.exe" MD5
          3⤵
            PID:4296
          • C:\Windows\system32\find.exe
            find /i /v "md5"
            3⤵
              PID:3404
            • C:\Windows\system32\find.exe
              find /i /v "certutil"
              3⤵
                PID:5028
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://maldevhax.com/
              2⤵
                PID:1516
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa829246f8,0x7ffa82924708,0x7ffa82924718
                  3⤵
                    PID:4552
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,2033162683438606421,17413252544681327014,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
                    3⤵
                      PID:2144
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,2033162683438606421,17413252544681327014,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
                      3⤵
                        PID:1664
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,2033162683438606421,17413252544681327014,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
                        3⤵
                          PID:4472
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2033162683438606421,17413252544681327014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
                          3⤵
                            PID:2564
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2033162683438606421,17413252544681327014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
                            3⤵
                              PID:1216
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:2036
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:4608

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                              Filesize

                              152B

                              MD5

                              efc9c7501d0a6db520763baad1e05ce8

                              SHA1

                              60b5e190124b54ff7234bb2e36071d9c8db8545f

                              SHA256

                              7af7b56e2f0a84ae008785726f3404eb9001baa4b5531d0d618c6bdcb05a3a7a

                              SHA512

                              bda611ddba56513a30295ea5ca8bc59e552154f860d13fed97201cdb81814dd6d1bca7deca6f8f58c9ae585d91e450f4383a365f80560f4b8e59a4c8b53c327d

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                              Filesize

                              5KB

                              MD5

                              495c193ada646a56760d62f7c5f4a042

                              SHA1

                              a684d084ca64cac4a703b5d9864d2f4a5b203e47

                              SHA256

                              c23559a5271974660945d5e6fca45e2854d657876239e351097df115c2eeb004

                              SHA512

                              fc00165e4012a459487efd309a50425f20a9112054e553fbf8bde608593620e7690b43aa395590fa4b25e717bf30de215d26fc5f1bb732fde6759b0e074c4661

                              Download Submit

                            • memory/2512-14-0x00007FF793370000-0x00007FF795104000-memory.dmp

                              Filesize

                              29.6MB

                              Download

                            • memory/2512-16-0x00007FF793370000-0x00007FF795104000-memory.dmp

                              Filesize

                              29.6MB

                              Download

                            • memory/2512-11-0x00007FF793370000-0x00007FF795104000-memory.dmp

                              Filesize

                              29.6MB

                              Download

                            • memory/2512-12-0x00007FF793370000-0x00007FF795104000-memory.dmp

                              Filesize

                              29.6MB

                              Download

                            • memory/2512-13-0x00007FF793370000-0x00007FF795104000-memory.dmp

                              Filesize

                              29.6MB

                              Download

                            • memory/2512-0-0x00007FF793370000-0x00007FF795104000-memory.dmp

                              Filesize

                              29.6MB

                              Download

                            • memory/2512-15-0x00007FF793370000-0x00007FF795104000-memory.dmp

                              Filesize

                              29.6MB

                              Download

                            • memory/2512-9-0x00007FFA91510000-0x00007FFA91705000-memory.dmp

                              Filesize

                              2.0MB

                              Download

                            • memory/2512-17-0x00007FF793370000-0x00007FF795104000-memory.dmp

                              Filesize

                              29.6MB

                              Download

                            • memory/2512-18-0x00007FFA91510000-0x00007FFA91705000-memory.dmp

                              Filesize

                              2.0MB

                              Download

                            • memory/2512-20-0x00007FF793370000-0x00007FF795104000-memory.dmp

                              Filesize

                              29.6MB

                              Download

                            • memory/2512-10-0x00007FFA80030000-0x00007FFA80031000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/2512-3-0x0000000180000000-0x0000000180063000-memory.dmp

                              Filesize

                              396KB

                              Download

                            • memory/2512-1-0x00007FFA80000000-0x00007FFA80002000-memory.dmp

                              Filesize

                              8KB

                              Download