Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
10/03/2024, 17:30
Static task
static1
Behavioral task
behavioral1
Sample
0477b8e0f36c86b2f8b3b001b9bd16213c60a1bc74918666937a314911311f82.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
0477b8e0f36c86b2f8b3b001b9bd16213c60a1bc74918666937a314911311f82.exe
Resource
win10v2004-20240226-en
General
-
Target
0477b8e0f36c86b2f8b3b001b9bd16213c60a1bc74918666937a314911311f82.exe
-
Size
538KB
-
MD5
9cc7e43b48932058a36bd0e355c4cef5
-
SHA1
2a6b4a44c2d205e21ba6cf99a9796509af9ddeda
-
SHA256
0477b8e0f36c86b2f8b3b001b9bd16213c60a1bc74918666937a314911311f82
-
SHA512
a17b3e8e754bc762d9ae76720d849bd628b3125082e23690895f53718a2f6ef3f34f126c428c710c77e1159b080a63fcadf6c10a76db5ec3801bba37f8bf8d77
-
SSDEEP
12288:yw5GtYhUAXlTu2cTRu7oMe3cfL8YdtntpFUrhV2X8NI:V5Gt8lTQTgMn0LLdtmrs8K
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 0477b8e0f36c86b2f8b3b001b9bd16213c60a1bc74918666937a314911311f82.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation 0477b8e0f36c86b2f8b3b001b9bd16213c60a1bc74918666937a314911311f82.exe -
Executes dropped EXE 1 IoCs
pid Process 952 s9538.exe -
Drops desktop.ini file(s) 2 IoCs
description ioc Process File created C:\Windows\assembly\Desktop.ini s9538.exe File opened for modification C:\Windows\assembly\Desktop.ini s9538.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\assembly s9538.exe File created C:\Windows\assembly\Desktop.ini s9538.exe File opened for modification C:\Windows\assembly\Desktop.ini s9538.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 4292 3336 WerFault.exe 86 -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS 0477b8e0f36c86b2f8b3b001b9bd16213c60a1bc74918666937a314911311f82.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer 0477b8e0f36c86b2f8b3b001b9bd16213c60a1bc74918666937a314911311f82.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 3336 0477b8e0f36c86b2f8b3b001b9bd16213c60a1bc74918666937a314911311f82.exe 3336 0477b8e0f36c86b2f8b3b001b9bd16213c60a1bc74918666937a314911311f82.exe 952 s9538.exe 952 s9538.exe 952 s9538.exe 952 s9538.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 952 s9538.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 952 s9538.exe 952 s9538.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 3336 wrote to memory of 952 3336 0477b8e0f36c86b2f8b3b001b9bd16213c60a1bc74918666937a314911311f82.exe 87 PID 3336 wrote to memory of 952 3336 0477b8e0f36c86b2f8b3b001b9bd16213c60a1bc74918666937a314911311f82.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\0477b8e0f36c86b2f8b3b001b9bd16213c60a1bc74918666937a314911311f82.exe"C:\Users\Admin\AppData\Local\Temp\0477b8e0f36c86b2f8b3b001b9bd16213c60a1bc74918666937a314911311f82.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks computer location settings
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3336 -
C:\Users\Admin\AppData\Local\Temp\n9538\s9538.exe"C:\Users\Admin\AppData\Local\Temp\n9538\s9538.exe" ins.exe /e 12848797 /u 5280fdf5-b928-4cc4-9510-17bb0a000013 /h 05e0fa.api.socdn.com /v "C:\Users\Admin\AppData\Local\Temp\0477b8e0f36c86b2f8b3b001b9bd16213c60a1bc74918666937a314911311f82.exe"2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:952
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 38442⤵
- Program crash
PID:4292
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3336 -ip 33361⤵PID:5072
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
343KB
MD5de5c4ed5ba45abadbcc0861912fe89a1
SHA180bd4759952944735e0c82bcc00aa15516e95a90
SHA256e143ac3ab06b1ffdaaca5f025564a7a7a57ac10ca5cb83fdfcc4527dfdf396a2
SHA51290f886f9f533d00a4f7c7547bc554dd6b274bccf3ba93eeba9b3351f9bceb0c9c55ebf4af72cc59d422b0e803152986643fa2366691117d48bcc667ce84218a2