Analysis
- max time kernel: 151s
- max time network: 137s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 08/03/2024, 12:23
Behavioral task: behavioral1
- Sample: bb4007fd7671a35e69586808ff7b07cd.exe
- Resource: win7-20240221-en
- 8 signatures, 150 seconds
General
- Target: bb4007fd7671a35e69586808ff7b07cd.exe
- Size: 3.5MB
- MD5: bb4007fd7671a35e69586808ff7b07cd
- SHA1: 6396fbb7fd55fb672aa797b6f81fb6fe0a7d4820
- SHA256: 5cecd403c79f8877b85ffb3453404eab0d8a3e185df67e635d14f797c25eccf6
- SHA512: b6bb02584dc604e377b3a308b8816f689f6814c81d2dcce58648e5e82b8a6921e76b81273f930e557cc3c2030b70a140b7e77a3a02622cc613240046e976e94e
- SSDEEP: 98304:Rfag0nC6uYNe1TGAwiP1M08kslNwG7oz2N:RfuN2es2XkiNwtz2N
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 1 IoC]
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: bb4007fd7671a35e69586808ff7b07cd.exe)
- Checks BIOS information in registry [2 TTPs, 2 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: bb4007fd7671a35e69586808ff7b07cd.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: bb4007fd7671a35e69586808ff7b07cd.exe)
- Obfuscated with Agile.Net obfuscator [2 IoCs]
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  YARA rule agile_net matched: behavioral1/memory/772-27-0x0000000000850000-0x0000000001178000-memory.dmp
  YARA rule agile_net matched: behavioral1/memory/772-28-0x0000000000850000-0x0000000001178000-memory.dmp
- YARA rule themida [2 IoCs]
  YARA rule themida matched: behavioral1/memory/772-27-0x0000000000850000-0x0000000001178000-memory.dmp
  YARA rule themida matched: behavioral1/memory/772-28-0x0000000000850000-0x0000000001178000-memory.dmp
- Checks whether UAC is enabled [1 IoC]
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: bb4007fd7671a35e69586808ff7b07cd.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger [1 IoC]
  PID 772: bb4007fd7671a35e69586808ff7b07cd.exe
- Program crash [1 IoC]
  PID 3056 (WerFault.exe), target PID 772, procid_target 27
- Suspicious use of WriteProcessMemory [4 IoCs]
  PID 772 (bb4007fd7671a35e69586808ff7b07cd.exe) wrote to memory of PID 3056, procid_target 28 (4 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\bb4007fd7671a35e69586808ff7b07cd.exe (PID 772)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bb4007fd7671a35e69586808ff7b07cd.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe (PID 3056, child of PID 772)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 568
    - Program crash