Analysis
max time kernel: 152s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/03/2024, 16:58
Static task: static1 (1 signatures)
General
Target: Verse V4.15.exe
Size: 30.0MB
MD5: 15ee2efb6fe685d6d5217c58c33d98e2
SHA1: 4a6b8fcb5c21621a81c35cd367e186985044408c
SHA256: 336c6f0d9de3de21f971c92e2239dac504580b4259602f9d602d0c4d7a2dacce
SHA512: 23f0b7cd6b1412bd1a97910efd0462e3078139fafe3cc857d0969fb432448d85b65273822bee6daee8903394230fa15a83fb1a1326580d02490dbf8015f43239
SSDEEP: 786432:3zKrKrbA+pjd0AG04wFoVKjPZCgJVehG4+d:D8K/A+pB0GZomCeVS+d
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) - 2 TTPs, 1 IoCs
description   ioc                                           Process
Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   Verse V4.15.exe

Checks BIOS information in registry - 2 TTPs, 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description         ioc                                                              Process
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   Verse V4.15.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    Verse V4.15.exe
Checks whether UAC is enabled
description         ioc                                                                                    Process
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   Verse V4.15.exe
Suspicious use of NtSetInformationThreadHideFromDebugger - 2 IoCs
pid    Process
3240   Verse V4.15.exe
3240   Verse V4.15.exe

Suspicious behavior: EnumeratesProcesses - 64 IoCs
pid    Process
3240   Verse V4.15.exe   (this identical entry is repeated for all 64 IoCs)

Suspicious use of WriteProcessMemory - 6 IoCs
description                        pid    Process   procid_target
PID 4408 wrote to memory of 4972   4408   cmd.exe   108
PID 4408 wrote to memory of 4972   4408   cmd.exe   108
PID 4408 wrote to memory of 2556   4408   cmd.exe   109
PID 4408 wrote to memory of 2556   4408   cmd.exe   109
PID 4408 wrote to memory of 3212   4408   cmd.exe   110
PID 4408 wrote to memory of 3212   4408   cmd.exe   110
Processes

C:\Users\Admin\AppData\Local\Temp\Verse V4.15.exe  (PID: 3240)
  command line: "C:\Users\Admin\AppData\Local\Temp\Verse V4.15.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

  C:\Windows\system32\cmd.exe  (PID: 4408)
    command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Verse V4.15.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\certutil.exe  (PID: 4972)
      command line: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Verse V4.15.exe" MD5

    C:\Windows\system32\find.exe  (PID: 2556)
      command line: find /i /v "md5"

    C:\Windows\system32\find.exe  (PID: 3212)
      command line: find /i /v "certutil"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID: 852)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4148 --field-trial-handle=3016,i,1323102786462900035,7687994236215859601,262144 --variations-seed-version /prefetch:8