Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

9

Static

static

7

Slap - Cop...ia.zip

windows10-2004-x64

9

Analysis

  • max time kernel
    128s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/04/2024, 01:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Slap - Copia - Copia.zip

  • Size

    17.5MB

  • MD5

    e9c72f6f2083ca0935e418cd6f3d97ae

  • SHA1

    0c24eb62a79847f439d854b4abf5124e08288148

  • SHA256

    3a30a8a5dbe77d31b890b995f99051fa2b1add4a4edc0969754b9acd35ec9309

  • SHA512

    bc76a12082b01cf938329582b2c6a0a899501ac27f4c3b068a1d2e3fcf40fac5b2f04add4af2a3c4b79ddb5f1e3f775e4eb20c611b74bc248b621db1a85ae3df

  • SSDEEP

    393216:ZoddfnVT528ZIeoAG0e2bodlZtFYb8vi5qbBnaPdfCzA5:ZaddT0KIeZvbbalzFYb8vJnatCk

Score
9/10
evasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Themida packer 19 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Slap - Copia - Copia.zip"
    1⤵
      PID:4488
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:3704
      • C:\Program Files\7-Zip\7zG.exe
        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Slap - Copia - Copia\" -ad -an -ai#7zMap15765:98:7zEvent27923
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:3232
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Slap - Copia - Copia\slap v1.28 (works)\how to use.txt
        1⤵
          PID:2300
        • C:\Users\Admin\Desktop\Slap - Copia - Copia\slap v1.28 (works)\slap.exe
          "C:\Users\Admin\Desktop\Slap - Copia - Copia\slap v1.28 (works)\slap.exe"
          1⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          PID:4692
        • C:\Users\Admin\Desktop\Slap - Copia - Copia\slap v1.28 (works)\slap.exe
          "C:\Users\Admin\Desktop\Slap - Copia - Copia\slap v1.28 (works)\slap.exe"
          1⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          PID:3120

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\Desktop\Slap - Copia - Copia\slap v1.28 (works)\how to use.txt
          Filesize

          216B

          MD5

          8a36c27f073777f563d46293b4408524

          SHA1

          e48afbbbfd6554aa878ddc9a0db62a773f5ce2cb

          SHA256

          927352136d546321fe3638c86a647b53154ae49f7e81e133dbbfa95ce3f7148f

          SHA512

          80e0bcf348f20438c5aff036449774d13c4dc75a8ac876a5f5980320ad146cd7abd04f0e371ce765b5868c70af89eab818702c21c3b6997a2f7d3eade4d1d80a

          Download Submit

        • C:\Users\Admin\Desktop\Slap - Copia - Copia\slap v1.28 (works)\slap.exe
          Filesize

          7.3MB

          MD5

          cde2a1b5aa17584d9dcd5eb8e6239124

          SHA1

          065bc349cc88f86c6a8cd94921bca8f39b658883

          SHA256

          876c4492ec205277298130817cbdf2c8428823ea38b7bf741ac9aa3c0f7e84ce

          SHA512

          680f12afdaec31307a27b6ad3b7fad22d107982842b8b57180361ce8a7b0adbd9af179ca94fdad21dee7a9568a4248aea4230403abeedc92ca00967e422e1435

          Download Submit

        • memory/3120-50-0x00007FF78A1B0000-0x00007FF78B27F000-memory.dmp

          Filesize

          16.8MB

          Download

        • memory/3120-41-0x00007FF78A1B0000-0x00007FF78B27F000-memory.dmp

          Filesize

          16.8MB

          Download

        • memory/3120-49-0x00007FF78A1B0000-0x00007FF78B27F000-memory.dmp

          Filesize

          16.8MB

          Download

        • memory/3120-48-0x00007FF78A1B0000-0x00007FF78B27F000-memory.dmp

          Filesize

          16.8MB

          Download

        • memory/3120-51-0x00007FFB59990000-0x00007FFB59B85000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/3120-47-0x00007FF78A1B0000-0x00007FF78B27F000-memory.dmp

          Filesize

          16.8MB

          Download

        • memory/3120-46-0x00007FF78A1B0000-0x00007FF78B27F000-memory.dmp

          Filesize

          16.8MB

          Download

        • memory/3120-45-0x00007FF78A1B0000-0x00007FF78B27F000-memory.dmp

          Filesize

          16.8MB

          Download

        • memory/3120-44-0x00007FF78A1B0000-0x00007FF78B27F000-memory.dmp

          Filesize

          16.8MB

          Download

        • memory/3120-43-0x00007FF78A1B0000-0x00007FF78B27F000-memory.dmp

          Filesize

          16.8MB

          Download

        • memory/3120-42-0x00007FFB59990000-0x00007FFB59B85000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4692-33-0x00007FF78A1B0000-0x00007FF78B27F000-memory.dmp

          Filesize

          16.8MB

          Download

        • memory/4692-39-0x00007FFB59990000-0x00007FFB59B85000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4692-38-0x00007FF78A1B0000-0x00007FF78B27F000-memory.dmp

          Filesize

          16.8MB

          Download

        • memory/4692-37-0x00007FF78A1B0000-0x00007FF78B27F000-memory.dmp

          Filesize

          16.8MB

          Download

        • memory/4692-36-0x00007FF78A1B0000-0x00007FF78B27F000-memory.dmp

          Filesize

          16.8MB

          Download

        • memory/4692-35-0x00007FF78A1B0000-0x00007FF78B27F000-memory.dmp

          Filesize

          16.8MB

          Download

        • memory/4692-34-0x00007FF78A1B0000-0x00007FF78B27F000-memory.dmp

          Filesize

          16.8MB

          Download

        • memory/4692-32-0x00007FF78A1B0000-0x00007FF78B27F000-memory.dmp

          Filesize

          16.8MB

          Download

        • memory/4692-31-0x00007FF78A1B0000-0x00007FF78B27F000-memory.dmp

          Filesize

          16.8MB

          Download

        • memory/4692-30-0x00007FFB59990000-0x00007FFB59B85000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4692-29-0x00007FF78A1B0000-0x00007FF78B27F000-memory.dmp

          Filesize

          16.8MB

          Download