Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240319-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/03/2024, 13:49

General

  • Target

    vape v4 legacy.exe

  • Size

    10.3MB

  • MD5

    dcabccc273edfee0e0b1ce0bdf9c4ac1

  • SHA1

    9eb68d706e55cd77a3006bedb3cba788d90e4a07

  • SHA256

    354aafdbc9a8adcbe4606bb69e423390990fcbabcc0aa5871b64a1f425719146

  • SHA512

    e76bc52e8ee9b6b4a987641a530bcf66485a724b5b1ff95659f57508e609a98243f3a3276894ffc1d67db1899fa43d4129281b3f1e2d06e299ac9055b8da013e

  • SSDEEP

    196608:vgynrxTZ/xV6Kh0p6TKjdyR80llgwEgYEECfMdEH:vg4r5Z/xmrYgwEgYEEWMC

Score
9/10

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\vape v4 legacy.exe
    "C:\Users\Admin\AppData\Local\Temp\vape v4 legacy.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3880
    • C:\Users\Admin\AppData\Local\Temp\insBCD8.tmp
      C:\Users\Admin\AppData\Local\Temp\insBCD8.tmp
      2⤵
      • Executes dropped EXE
      PID:3032
    • C:\Users\Admin\AppData\Local\Temp\6HkT3NUhDH.exe
      C:\Users\Admin\AppData\Local\Temp\6HkT3NUhDH.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      PID:5032
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3972 --field-trial-handle=2268,i,4334050275411101233,11484630688883830558,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4616

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\6HkT3NUhDH.exe

      Filesize

      5.4MB

      MD5

      e4fe17d8d94e8fd75f16c8639cdea5cd

      SHA1

      00ee04d12ada449d125589c8f31ddde1db0b0df2

      SHA256

      b187b41239815a20fef1959e810206826d0579110e06e1440d4b04841085e1c0

      SHA512

      1560d674ec0a2abc64c823799ca43ae0a34979236d8f05d0fa927e5e61bbcfe7515f7dffafbc4eb9e4847fac3c9abae1b93efa848a0cbb9c0b354e02ed38ad32

    • C:\Users\Admin\AppData\Local\Temp\6HkT3NUhDH.exe

      Filesize

      5.0MB

      MD5

      15828be790dab54e4d3b74737e5ab136

      SHA1

      451b8bdb1ec84503f4ba449f5487e455e3bdf5ea

      SHA256

      f4fd81d6ede50eeb2e81bd0ede56e624e138bf3f501204c17c8f0779d50663b0

      SHA512

      efd1a3b4753756bf9c2726dbebb8006baf9276732ec0e1fc4371585de7f720dd223838f53e23a5906d2f829570094b918aa017c9f76006aa01745733c2a3a0e8

    • C:\Users\Admin\AppData\Local\Temp\insBCD8.tmp

      Filesize

      2.3MB

      MD5

      ea9a5703925a9e9a5b099e643d3d1037

      SHA1

      06d0315228fb032c5bc8bf2ef6fc9b867bb598d7

      SHA256

      b08831dd2eb273d05a93ebe2945aa2cdd5abf96af8be5278963e8991aa38ec35

      SHA512

      ee42daf13b7455d8b41b4bbdcc95802c0fccbaed69b927038afcb497fab4b2b775649345d58984e1759bc67ee4ea6bc57885c85cd7d3ad1b92d8729f4d7eeac6

    • memory/5032-9-0x00007FFE22050000-0x00007FFE22245000-memory.dmp

      Filesize

      2.0MB

    • memory/5032-10-0x00007FF782B00000-0x00007FF783E76000-memory.dmp

      Filesize

      19.5MB

    • memory/5032-11-0x00007FF782B00000-0x00007FF783E76000-memory.dmp

      Filesize

      19.5MB

    • memory/5032-12-0x00007FF782B00000-0x00007FF783E76000-memory.dmp

      Filesize

      19.5MB

    • memory/5032-13-0x00007FF782B00000-0x00007FF783E76000-memory.dmp

      Filesize

      19.5MB

    • memory/5032-14-0x00007FF782B00000-0x00007FF783E76000-memory.dmp

      Filesize

      19.5MB

    • memory/5032-16-0x00007FFE22050000-0x00007FFE22245000-memory.dmp

      Filesize

      2.0MB