Analysis

max time kernel     45s
max time network    55s
platform            windows11-21h2_x64
resource            win11-20240412-en
resource tags       arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
submitted           19/04/2024, 02:36
Behavioral task

behavioral1
Sample        aio.exe
Resource      win11-20240412-en
Signatures    13
Duration      150 seconds
Errors

Reason: Machine shutdown: {"level":"info","time":"2024-04-19T02:38:20Z","message":"Dirty snapshot: /var/lib/sandbox/hatchvm/win11-20240412-en/instance_6-dirty.qcow2"}

The shutdown was caused by the sample, not by the sandbox: the process tree ends with cmd.exe /c shutdown /r /f /t 0 (PID 4572), issued right after bcdedit /set hypervisorlaunchtype off. The VM went down about two minutes after submission, well inside the 150-second task window, so anything the sample does after the reboot (including any effect of the changed boot setting) is not covered by this report; the kernel and network times above (45s/55s) reflect the shortened run.
General

Target    aio.exe
Size      7.6MB
MD5       f087101c9fbf951e8cfac1aae1a1b43d
SHA1      c1647f0d4f42cc3e555695910fd4d5a5905bb9cc
SHA256    c26bcff0de67f90f62a8da6da37ee17df01a49c06f2e2d938878e61e9620f622
SHA512    702be19d5816d7aed421ca6103b6b565c7024f85126c177292daa80bfd0154ec75d514f91eb111f33f26f32369ae111c1bed7782f73615d9695e4bbf5fd29af7
SSDEEP    196608:zErmEGqgQnS2Yre0pL19JRQjAWraTKwBuApVWOenE6ul:zEGhQSfygBujFWLolE6y
Score     9/10

Malware Config
(none extracted)
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) - 2 TTPs, 1 IoC
  description   ioc                                             process
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__     aio.exe

Looks for VirtualBox Guest Additions in registry - 2 TTPs, 1 IoC
  description   ioc                                                            process
  Key opened    \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions   aio.exe
Modifies boot configuration data using bcdedit - 1 TTP, 1 IoC
  pid    process
  3284   bcdedit.exe
  The command line (see the process tree) is bcdedit /set hypervisorlaunchtype off. It stops the Hyper-V hypervisor from launching at next boot, and with it every virtualization-based security feature that depends on the hypervisor. The sample forces a reboot immediately afterwards (shutdown /r /f /t 0), so the change would take effect before the sandbox could observe what the sample does on a hypervisor-free system.
Checks BIOS information in registry - 2 TTPs, 2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  description          ioc                                                             process
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  aio.exe
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   aio.exe
  On a VirtualBox guest both values carry the hypervisor's vendor strings (VBOX / Oracle VM VirtualBox) instead of an OEM's, which is why a packed sample reads them before doing anything else.
YARA rule match: themida - 13 IoCs
  resource                                                                        yara_rule
  behavioral1/memory/740-0-0x00007FF75C800000-0x00007FF75DB12000-memory.dmp       themida
  (identical matches for dumps 740-2, -3, -4, -5, -6, -7, -8, -9, -12, -15, -24 and -26 of the same range)
  All 13 dumps are snapshots of one region of PID 740 (0x00007FF75C800000 to 0x00007FF75DB12000, about 19 MiB), i.e. the main image after the Themida layer has unpacked it in memory; the file on disk is only 7.6MB.

Checks whether UAC is enabled - 1 IoC
  description          ioc                                                                                      process
  Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    aio.exe
Suspicious use of NtSetInformationThreadHideFromDebugger - 64 IoCs
  pid    process
  740    aio.exe   (all 64 events)
  ThreadHideFromDebugger stops an attached debugger from receiving events for the calling thread; dozens of calls from the Themida-packed main image are typical of the packer's anti-debugging layer.
Checks for VirtualBox DLLs, possible anti-VM trick - 1 TTP, 1 IoC
  Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
  description                ioc                  process
  File opened (read-only)    \??\VBoxMiniRdrDN    aio.exe
  Despite the signature name, the IoC here is a device object rather than a DLL: \??\VBoxMiniRdrDN is the VirtualBox shared-folders redirector, which exists only when Guest Additions are installed, so a successful open is a direct guest-VM indicator.
Modifies data under HKEY_USERS - 15 IoCs
  All 15 writes come from LogonUI.exe (PID 1060), the logon screen that appears after the forced reboot, and touch only DWM/theme colour values under HKU\.DEFAULT; they are a side effect of the reboot, not activity of aio.exe.
  description         ioc                                                                                           process
  Set value (int)     \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"        LogonUI.exe
  Set value (int)     \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"          LogonUI.exe
  Set value (int)     \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"   LogonUI.exe
  Key created         \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM                                        LogonUI.exe
  Set value (int)     \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"             LogonUI.exe
  Set value (int)     \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "103"       LogonUI.exe
  Set value (int)     \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"       LogonUI.exe
  Set value (int)     \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"   LogonUI.exe
  Set value (int)     \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"   LogonUI.exe
  Set value (int)     \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"    LogonUI.exe
  Set value (data)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00   LogonUI.exe
  Set value (int)     \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"   LogonUI.exe
  Set value (int)     \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"       LogonUI.exe
  Key created         \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent             LogonUI.exe
  Key created         \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History              LogonUI.exe
Suspicious behavior: EnumeratesProcesses - 64 IoCs
  pid    process
  740    aio.exe   (all 64 events)
Suspicious use of AdjustPrivilegeToken - 2 IoCs
  description                           pid     process
  Token: SeShutdownPrivilege            4572    shutdown.exe
  Token: SeRemoteShutdownPrivilege      4572    shutdown.exe
  These are the privileges shutdown.exe always enables to reboot the machine; the suspicious part is the parent chain (aio.exe -> cmd.exe -> shutdown.exe), not the API call.

Suspicious use of SetWindowsHookEx - 1 IoC
  pid     process
  1060    LogonUI.exe
  Raised by the post-reboot logon screen, not by the sample.

Suspicious use of WriteProcessMemory - 30 IoCs
  Each write is logged twice in the report (two events per child), giving 15 distinct parent-to-child pairs. Every target is a direct child of the writer, which is consistent with ordinary process creation (the parent writes the new child's startup data) rather than injection into an unrelated process.
  description                          pid     process    procid_target
  PID 740 wrote to memory of 1856      740     aio.exe    83
  PID 1856 wrote to memory of 5048     1856    cmd.exe    84
  PID 1856 wrote to memory of 2192     1856    cmd.exe    85
  PID 1856 wrote to memory of 4324     1856    cmd.exe    86
  PID 740 wrote to memory of 4760      740     aio.exe    87
  PID 740 wrote to memory of 652       740     aio.exe    88
  PID 740 wrote to memory of 3300      740     aio.exe    89
  PID 3300 wrote to memory of 3284     3300    cmd.exe    90
  PID 740 wrote to memory of 3760      740     aio.exe    91
  PID 740 wrote to memory of 1928      740     aio.exe    92
  PID 740 wrote to memory of 3908      740     aio.exe    93
  PID 740 wrote to memory of 4288      740     aio.exe    94
  PID 740 wrote to memory of 3756      740     aio.exe    95
  PID 740 wrote to memory of 892       740     aio.exe    96
  PID 892 wrote to memory of 4572      892     cmd.exe    97
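The VirtualBox and BIOS probes above (the ACPI, Guest Additions and BiosVersion registry reads, and the \??\VBoxMiniRdrDN device open) are easy to match from raw sandbox or Sysmon-style registry and file events. The script below is an added example, not tria.ge code: it normalises NT-native registry paths (\REGISTRY\MACHINE\...) to the HKLM/HKU form analysts use, matches them against a small artifact table, and scores each process by how many distinct probe families it trips. The event rows are constructed from the IoCs in this report plus one benign LogonUI row as noise; the artifact table (including the FADT/RSDT ACPI tables and the extra VBoxGuest/VBoxMouse device names), the signature names and the score threshold are the author's assumptions, not Triage's signature logic.

```python
"""Match sandbox registry/file events against VirtualBox and BIOS probe artifacts.

Added example, not tria.ge code. EVENTS are constructed from the IoC rows in the
report above (plus one benign LogonUI row); ARTIFACTS and the score threshold are
the author's assumptions, not Triage's signature logic.
"""
import re

# Constructed events in the shape of the report's IoC rows: (operation, path, process).
EVENTS = [
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", "aio.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions", "aio.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", "aio.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", "aio.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "aio.exe"),
    ("File opened (read-only)", r"\??\VBoxMiniRdrDN", "aio.exe"),
    ("Key created", r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM", "LogonUI.exe"),  # benign noise
]

# NT-native hive prefixes as they appear in the report, mapped to the analyst-facing form.
HIVES = {r"\REGISTRY\MACHINE": "HKLM", r"\REGISTRY\USER": "HKU"}

# Assumed artifact table: regex on the normalised path -> signature name. Only
# DSDT\VBOX__ and VBoxMiniRdrDN are attested by the report; the other ACPI table
# names and VBox device names are the author's additions.
ARTIFACTS = [
    (re.compile(r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$", re.I),
     "Identifies VirtualBox via ACPI registry values"),
    (re.compile(r"^HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions", re.I),
     "Looks for VirtualBox Guest Additions in registry"),
    (re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I),
     "Checks BIOS information in registry"),
    (re.compile(r"^\\\?\?\\VBox(MiniRdrDN|Guest|Mouse)$", re.I),
     "Opens a VirtualBox device object"),
]


def normalise(path: str) -> str:
    """Rewrite \\REGISTRY\\MACHINE\\... to HKLM\\... and \\REGISTRY\\USER\\... to HKU\\...;
    device paths such as \\??\\VBoxMiniRdrDN are returned unchanged."""
    upper = path.upper()
    for nt, short in HIVES.items():
        if upper.startswith(nt.upper()):
            return short + path[len(nt):]
    return path


def match_events(events):
    """Return {signature name: [(process, normalised path), ...]} for every probe hit."""
    hits = {}
    for _op, path, proc in events:
        norm = normalise(path)
        for pattern, name in ARTIFACTS:
            if pattern.search(norm):
                hits.setdefault(name, []).append((proc, norm))
    return hits


def score(hits, threshold=2):
    """Processes that trip at least `threshold` distinct probe families (assumed cut-off)."""
    per_proc = {}
    for name, rows in hits.items():
        for proc, _ in rows:
            per_proc.setdefault(proc, set()).add(name)
    return {p: sorted(n) for p, n in per_proc.items() if len(n) >= threshold}


if __name__ == "__main__":
    hits = match_events(EVENTS)
    for name, rows in hits.items():
        print(f"{name} ({len(rows)} IoCs)")
        for proc, path in rows:
            print(f"  {proc:<12} {path}")
    print("VM-aware:", score(hits))
```

Run as-is, the EnableLUA read and the LogonUI write fall through (they are not VM probes), and aio.exe is reported with four distinct probe families. Matching on the normalised path rather than the raw \REGISTRY\... string is deliberate: the same artifact shows up as HKLM\... in Sysmon Event ID 12/13 and as \REGISTRY\MACHINE\... in kernel-level traces, and one table should cover both.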
Processes

1. C:\Users\Admin\AppData\Local\Temp\aio.exe
   "C:\Users\Admin\AppData\Local\Temp\aio.exe"
   PID: 740
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Looks for VirtualBox Guest Additions in registry
   - Checks BIOS information in registry
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Checks for VirtualBox DLLs, possible anti-VM trick
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\aio.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      PID: 1856
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\certutil.exe
         certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\aio.exe" MD5
         PID: 5048

      3. C:\Windows\system32\find.exe
         find /i /v "md5"
         PID: 2192

      3. C:\Windows\system32\find.exe
         find /i /v "certutil"
         PID: 4324

   2. C:\Users\Admin\AppData\Local\Temp\aio.exe
      "C:\Users\Admin\AppData\Local\Temp\aio.exe"
      PID: 4760

   2. C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      PID: 652

   2. C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c bcdedit /set hypervisorlaunchtype off >nul 2>&1
      PID: 3300
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\bcdedit.exe
         bcdedit /set hypervisorlaunchtype off
         PID: 3284
         - Modifies boot configuration data using bcdedit

   2. C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      PID: 3760

   2. C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      PID: 1928

   2. C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      PID: 3908

   2. C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      PID: 4288

   2. C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      PID: 3756

   2. C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c shutdown /r /f /t 0 >nul 2>&1
      PID: 892
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\shutdown.exe
         shutdown /r /f /t 0
         PID: 4572
         - Suspicious use of AdjustPrivilegeToken

1. C:\Windows\system32\LogonUI.exe
   "LogonUI.exe" /flags:0x4 /state0:0xa3a1a855 /state1:0x41c64e6d
   PID: 1060
   - Modifies data under HKEY_USERS
   - Suspicious use of SetWindowsHookEx

Reading the tree in order: aio.exe first computes its own MD5 through certutil (the two find filters strip certutil's header and trailer lines so only the hash remains on stdout), which is consistent with an integrity or anti-tamper check against an embedded value; it then starts a second copy of itself, clears the console several times, disables the Hyper-V hypervisor via bcdedit and forces an immediate reboot. LogonUI.exe is the logon screen that comes up after that reboot, not a child of the sample.
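The flat WriteProcessMemory rows and the 1⤵/2⤵/3⤵ process markers are the same information in two shapes. The script below is an added example, not tria.ge code: it rebuilds the tree from (pid, ppid, image, command line) records, renders it the way the report does, and then flags the chain seen here, namely bcdedit turning hypervisorlaunchtype off, a forced reboot under the same root process, and certutil hashing the image file of one of its own ancestors. The RECORDS are constructed from the PIDs and command lines in this report; the rule names, the tokenizer and the root-correlation step are the author's assumptions about how one would detect the chain, not Triage's rules.

```python
"""Rebuild the process tree from flat sandbox records and flag the bcdedit/reboot chain.

Added example, not tria.ge code. RECORDS are constructed from the PIDs and command
lines in the report above; the rule names, the tokenizer and the root-correlation
logic are the author's assumptions about how one would detect this chain.
"""
from collections import defaultdict

# (pid, ppid, image path, command line); ppid 0 = parent not observed in the trace.
RECORDS = [
    (740, 0, r"C:\Users\Admin\AppData\Local\Temp\aio.exe", r'"C:\Users\Admin\AppData\Local\Temp\aio.exe"'),
    (1856, 740, r"C:\Windows\system32\cmd.exe",
     r'cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\aio.exe" MD5 | find /i /v "md5" | find /i /v "certutil"'),
    (5048, 1856, r"C:\Windows\system32\certutil.exe", r'certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\aio.exe" MD5'),
    (2192, 1856, r"C:\Windows\system32\find.exe", 'find /i /v "md5"'),
    (4324, 1856, r"C:\Windows\system32\find.exe", 'find /i /v "certutil"'),
    (4760, 740, r"C:\Users\Admin\AppData\Local\Temp\aio.exe", r'"C:\Users\Admin\AppData\Local\Temp\aio.exe"'),
    (652, 740, r"C:\Windows\system32\cmd.exe", "cmd.exe /c cls"),
    (3300, 740, r"C:\Windows\system32\cmd.exe", "cmd.exe /c bcdedit /set hypervisorlaunchtype off >nul 2>&1"),
    (3284, 3300, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set hypervisorlaunchtype off"),
    (892, 740, r"C:\Windows\system32\cmd.exe", "cmd.exe /c shutdown /r /f /t 0 >nul 2>&1"),
    (4572, 892, r"C:\Windows\system32\shutdown.exe", "shutdown /r /f /t 0"),
    (1060, 0, r"C:\Windows\system32\LogonUI.exe", '"LogonUI.exe" /flags:0x4'),
]


def argv(cmdline):
    """Split on whitespace, keeping double-quoted paths as one token; lower-cased, quotes dropped."""
    toks, cur, quoted = [], "", False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                toks.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        toks.append(cur)
    return [t.lower() for t in toks]


def build_tree(records):
    """nodes: pid -> record; children: ppid -> [pid] in observation order."""
    nodes = {r[0]: r for r in records}
    children = defaultdict(list)
    for pid, ppid, _, _ in records:
        children[ppid].append(pid)
    return nodes, children


def ancestors(nodes, pid):
    """Yield parent, grandparent, ... up to the last pid present in the trace."""
    seen = set()
    while pid in nodes and nodes[pid][1] in nodes and pid not in seen:
        seen.add(pid)
        pid = nodes[pid][1]
        yield pid


def root_of(nodes, pid):
    chain = list(ancestors(nodes, pid))
    return chain[-1] if chain else pid


def render(nodes, children, pid=None, depth=0):
    """Indented tree; depth+1 mirrors the 1⤵/2⤵/3⤵ markers in the report."""
    roots = [p for p, r in nodes.items() if r[1] not in nodes] if pid is None else [pid]
    lines = []
    for p in roots:
        lines.append(f"{'  ' * depth}{depth + 1}. [{p}] {nodes[p][3]}")
        for child in children.get(p, []):
            lines.extend(render(nodes, children, child, depth + 1))
    return lines


def detect(records):
    """Per-process rules plus one correlation: hypervisor off + forced reboot under the same root."""
    nodes, _ = build_tree(records)
    findings, by_root = [], defaultdict(set)
    for pid, _, image, cmdline in records:
        exe, toks = image.lower().rsplit("\\", 1)[-1], argv(cmdline)
        if exe == "bcdedit.exe" and "hypervisorlaunchtype" in toks and "off" in toks:
            findings.append(("bcdedit disables hypervisor launch", pid))
            by_root[root_of(nodes, pid)].add("hv_off")
        if exe == "shutdown.exe" and "/r" in toks and "/f" in toks:
            findings.append(("forced reboot via shutdown.exe", pid))
            by_root[root_of(nodes, pid)].add("reboot")
        if exe == "certutil.exe" and "-hashfile" in toks:
            idx = toks.index("-hashfile")  # next token is the file being hashed
            if idx + 1 < len(toks) and any(nodes[a][2].lower() == toks[idx + 1] for a in ancestors(nodes, pid)):
                findings.append(("certutil hashes an ancestor's own image (self-check)", pid))
    for root, tags in by_root.items():
        if {"hv_off", "reboot"} <= tags:
            findings.append(("disable-hypervisor-then-reboot chain", root))
    return findings


if __name__ == "__main__":
    nodes, children = build_tree(RECORDS)
    print("\n".join(render(nodes, children)))
    for rule, pid in detect(RECORDS):
        print(f"[{pid}] {rule}")
```

The correlation is keyed on the root of the tree rather than the immediate parent because both interesting commands are wrapped in a throw-away cmd.exe; matching on cmd.exe as the parent would make the rule trivial to dodge by adding another layer. The certutil rule compares the hashed path against the image paths of the whole ancestor chain for the same reason.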