Analysis
- max time kernel: 92s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/03/2024, 14:18
Static task: static1
Behavioral task: behavioral1
- Sample: bed2493a79f1e46e5f731cd772bf867c.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: bed2493a79f1e46e5f731cd772bf867c.exe
- Resource: win10v2004-20231215-en
General
- Target: bed2493a79f1e46e5f731cd772bf867c.exe
- Size: 139KB
- MD5: bed2493a79f1e46e5f731cd772bf867c
- SHA1: 1fb58ff6891307e8e5aad74c39eb45bc901717fe
- SHA256: 06e6c04c85e71e75778451ab5a665b6c55e40a0bb5a7cbff000beddd3e362810
- SHA512: 9c1ce0a48770d82ff9e316c4fd44443f94d453b44b598520d9b52824980c34f9e3ad89e7a08cf28baea84a62491e7083829df9fbaca2cea391a0ede90cd58753
- SSDEEP: 3072:CLtryv9mgi8pd7EVftRmpZqPcNm0fZBx2qhb:CLovMu7qftRiQUNXfZ3
Malware Config
Signatures
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | bed2493a79f1e46e5f731cd772bf867c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svchost.exe
- Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 1720 set thread context of 3628 | 1720 | bed2493a79f1e46e5f731cd772bf867c.exe | 84
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
1720 | bed2493a79f1e46e5f731cd772bf867c.exe
1720 | bed2493a79f1e46e5f731cd772bf867c.exe
3628 | svchost.exe
3628 | svchost.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
pid | Process
1720 | bed2493a79f1e46e5f731cd772bf867c.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 1720 wrote to memory of 3628 | 1720 | bed2493a79f1e46e5f731cd772bf867c.exe | 84
PID 1720 wrote to memory of 3628 | 1720 | bed2493a79f1e46e5f731cd772bf867c.exe | 84
PID 1720 wrote to memory of 3628 | 1720 | bed2493a79f1e46e5f731cd772bf867c.exe | 84
PID 1720 wrote to memory of 3628 | 1720 | bed2493a79f1e46e5f731cd772bf867c.exe | 84
PID 1720 wrote to memory of 3628 | 1720 | bed2493a79f1e46e5f731cd772bf867c.exe | 84
PID 3628 wrote to memory of 1420 | 3628 | svchost.exe | 85
PID 3628 wrote to memory of 1420 | 3628 | svchost.exe | 85
PID 3628 wrote to memory of 1420 | 3628 | svchost.exe | 85
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\bed2493a79f1e46e5f731cd772bf867c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bed2493a79f1e46e5f731cd772bf867c.exe"
  PID: 1720
  - Checks BIOS information in registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\svchost.exe
    Command line: "C:\Windows\system32\svchost.exe"
    PID: 3628
    - Checks BIOS information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /q /c for /l %i in (1, 1, 4000000000) do if not exist "C:\Users\Admin\AppData\Local\Temp\bed2493a79f1e46e5f731cd772bf867c.exe" (exit) else (del /f "C:\Users\Admin\AppData\Local\Temp\bed2493a79f1e46e5f731cd772bf867c.exe")
      PID: 1420