Analysis
  Max time kernel:  149s
  Max time network: 157s
  Platform:         windows10-2004_x64
  Resource:         win10v2004-20240319-en
  Resource tags:    arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
  Submitted:        27/03/2024, 13:49
Static task
  static1

Behavioral task
  behavioral1
    Sample:   vape v4 legacy.exe
    Resource: win7-20240221-en
General
  Target: vape v4 legacy.exe
  Size:   10.3MB
  MD5:    dcabccc273edfee0e0b1ce0bdf9c4ac1
  SHA1:   9eb68d706e55cd77a3006bedb3cba788d90e4a07
  SHA256: 354aafdbc9a8adcbe4606bb69e423390990fcbabcc0aa5871b64a1f425719146
  SHA512: e76bc52e8ee9b6b4a987641a530bcf66485a724b5b1ff95659f57508e609a98243f3a3276894ffc1d67db1899fa43d4129281b3f1e2d06e299ac9055b8da013e
  SSDEEP: 196608:vgynrxTZ/xV6Kh0p6TKjdyR80llgwEgYEECfMdEH:vg4r5Z/xmrYgwEgYEEWMC
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)  (2 TTPs, 1 IoC)
  Description  IoC                                          Process
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  6HkT3NUhDH.exe

Checks BIOS information in registry  (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  Description        IoC                                                              Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  6HkT3NUhDH.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   6HkT3NUhDH.exe

Executes dropped EXE  (2 IoCs)
  PID   Process
  3032  insBCD8.tmp
  5032  6HkT3NUhDH.exe

Checks whether UAC is enabled  (1 IoC)
  Description        IoC                                                                                   Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  6HkT3NUhDH.exe

Suspicious use of NtSetInformationThreadHideFromDebugger  (1 IoC)
  PID   Process
  5032  6HkT3NUhDH.exe

Suspicious use of AdjustPrivilegeToken  (2 IoCs)
  Description              PID   Process
  Token: SeDebugPrivilege  5032  6HkT3NUhDH.exe
  Token: SeDebugPrivilege  5032  6HkT3NUhDH.exe

Suspicious use of WriteProcessMemory  (4 IoCs)
  Description                        PID   Process             procid_target
  PID 3880 wrote to memory of 3032   3880  vape v4 legacy.exe  94
  PID 3880 wrote to memory of 3032   3880  vape v4 legacy.exe  94
  PID 3880 wrote to memory of 5032   3880  vape v4 legacy.exe  95
  PID 3880 wrote to memory of 5032   3880  vape v4 legacy.exe  95
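As an added example (not part of the tria.ge report or its signature engine), the following Python re-derives the registry-based signatures above and the WriteProcessMemory lineage from a raw event trace. The trace is constructed to mirror the IoC rows in this report; the event schema (pid, process, op, target), the case-insensitive prefix matching and the signature table are assumptions of this example, not tria.ge's export format or rules.

```python
"""Added example (not part of the tria.ge report): re-derive the report's
registry-based signatures and the WriteProcessMemory lineage from a raw
event trace.  The trace below is constructed to mirror the IoC rows shown
above; the event schema (pid, process, op, target) is an assumption of this
example, not tria.ge's export format."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    pid: int
    process: str
    op: str       # "reg_open", "reg_query" or "write_process_memory"
    target: str   # registry key path, or the target PID for memory writes


# Constructed trace mirroring the report's IoC rows, plus one unrelated
# registry read so the matcher has something to ignore.  The duplicated
# WriteProcessMemory rows are deliberate: the report lists each pair twice.
TRACE = [
    Event(3880, "vape v4 legacy.exe", "write_process_memory", "3032"),
    Event(3880, "vape v4 legacy.exe", "write_process_memory", "3032"),
    Event(3880, "vape v4 legacy.exe", "write_process_memory", "5032"),
    Event(3880, "vape v4 legacy.exe", "write_process_memory", "5032"),
    Event(5032, "6HkT3NUhDH.exe", "reg_open",
          r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    Event(5032, "6HkT3NUhDH.exe", "reg_query",
          r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    Event(5032, "6HkT3NUhDH.exe", "reg_query",
          r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    Event(5032, "6HkT3NUhDH.exe", "reg_query",
          r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    Event(5032, "6HkT3NUhDH.exe", "reg_query",
          r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
]

# Signature -> (registry ops that count, key paths).  The paths are the ones
# visible in this report; treating them as case-insensitive prefixes (so a
# subkey of VBOX__ also hits) is this example's choice.
SIGNATURES = {
    "Identifies VirtualBox via ACPI registry values (likely anti-VM)": (
        {"reg_open", "reg_query"},
        [r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"],
    ),
    "Checks BIOS information in registry": (
        {"reg_query"},
        [r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
         r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"],
    ),
    "Checks whether UAC is enabled": (
        {"reg_query"},
        [r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"],
    ),
}


def match_signatures(trace):
    """Map each signature to the (process, key) rows that triggered it."""
    hits = defaultdict(list)
    for ev in trace:
        if not ev.op.startswith("reg_"):
            continue
        key = ev.target.lower()
        for name, (ops, prefixes) in SIGNATURES.items():
            if ev.op in ops and any(key.startswith(p.lower()) for p in prefixes):
                hits[name].append((ev.process, ev.target))
    return dict(hits)


def memory_write_lineage(trace):
    """Map each writer (pid, process) to the sorted distinct PIDs it wrote into.

    The report counts every row, so its '4 IoCs' for WriteProcessMemory is
    2 distinct targets; deduplicating here yields the parent -> child edges."""
    edges = defaultdict(set)
    for ev in trace:
        if ev.op == "write_process_memory":
            edges[(ev.pid, ev.process)].add(int(ev.target))
    return {writer: sorted(targets) for writer, targets in edges.items()}


def summarize(trace):
    """Render report-style lines: signature name, IoC count, one row per hit,
    then one line per process that wrote into other processes."""
    lines = []
    for name, rows in match_signatures(trace).items():
        lines.append(f"{name}  {len(rows)} IoCs")
        lines.extend(f"    {proc}  {key}" for proc, key in rows)
    for (pid, proc), targets in memory_write_lineage(trace).items():
        lines.append(f"{proc} (PID {pid}) wrote to memory of PIDs {targets}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(TRACE)))
```

Run as-is and the three registry signatures come out with the same IoC counts as the report (1, 2 and 1), the unrelated Run key is ignored, and the memory writes collapse to a single parent (3880) with two children (3032 and 5032), which are exactly the two PIDs under "Executes dropped EXE". The caveat to carry into triage is that the report's IoC counts are row counts: AdjustPrivilegeToken shows two identical SeDebugPrivilege rows and WriteProcessMemory shows four rows for two distinct targets, so dedupe before comparing counts across reports.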
Processes

C:\Users\Admin\AppData\Local\Temp\vape v4 legacy.exe  (PID 3880)
  Command line: "C:\Users\Admin\AppData\Local\Temp\vape v4 legacy.exe"
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Users\Admin\AppData\Local\Temp\insBCD8.tmp  (PID 3032)
  |     Command line: C:\Users\Admin\AppData\Local\Temp\insBCD8.tmp
  |     - Executes dropped EXE
  |
  +-- C:\Users\Admin\AppData\Local\Temp\6HkT3NUhDH.exe  (PID 5032)
        Command line: C:\Users\Admin\AppData\Local\Temp\6HkT3NUhDH.exe
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4616)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3972 --field-trial-handle=2268,i,4334050275411101233,11484630688883830558,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 5.4MB
  MD5:    e4fe17d8d94e8fd75f16c8639cdea5cd
  SHA1:   00ee04d12ada449d125589c8f31ddde1db0b0df2
  SHA256: b187b41239815a20fef1959e810206826d0579110e06e1440d4b04841085e1c0
  SHA512: 1560d674ec0a2abc64c823799ca43ae0a34979236d8f05d0fa927e5e61bbcfe7515f7dffafbc4eb9e4847fac3c9abae1b93efa848a0cbb9c0b354e02ed38ad32

Filesize: 5.0MB
  MD5:    15828be790dab54e4d3b74737e5ab136
  SHA1:   451b8bdb1ec84503f4ba449f5487e455e3bdf5ea
  SHA256: f4fd81d6ede50eeb2e81bd0ede56e624e138bf3f501204c17c8f0779d50663b0
  SHA512: efd1a3b4753756bf9c2726dbebb8006baf9276732ec0e1fc4371585de7f720dd223838f53e23a5906d2f829570094b918aa017c9f76006aa01745733c2a3a0e8

Filesize: 2.3MB
  MD5:    ea9a5703925a9e9a5b099e643d3d1037
  SHA1:   06d0315228fb032c5bc8bf2ef6fc9b867bb598d7
  SHA256: b08831dd2eb273d05a93ebe2945aa2cdd5abf96af8be5278963e8991aa38ec35
  SHA512: ee42daf13b7455d8b41b4bbdcc95802c0fccbaed69b927038afcb497fab4b2b775649345d58984e1759bc67ee4ea6bc57885c85cd7d3ad1b92d8729f4d7eeac6