Analysis
max time kernel: 128s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/04/2024, 01:44
General
Target: Slap - Copia - Copia.zip
Size: 17.5MB
MD5: e9c72f6f2083ca0935e418cd6f3d97ae
SHA1: 0c24eb62a79847f439d854b4abf5124e08288148
SHA256: 3a30a8a5dbe77d31b890b995f99051fa2b1add4a4edc0969754b9acd35ec9309
SHA512: bc76a12082b01cf938329582b2c6a0a899501ac27f4c3b068a1d2e3fcf40fac5b2f04add4af2a3c4b79ddb5f1e3f775e4eb20c611b74bc248b621db1a85ae3df
SSDEEP: 393216:ZoddfnVT528ZIeoAG0e2bodlZtFYb8vi5qbBnaPdfCzA5:ZaddT0KIeZvbbalzFYb8vJnatCk
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) | 2 TTPs | 2 IoCs
VBOX__ is the ACPI OEM ID that VirtualBox exposes in its DSDT; its presence as a key under HARDWARE\ACPI\DSDT identifies the hypervisor to the sample.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | slap.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | slap.exe

Checks BIOS information in registry | 2 TTPs | 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | slap.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | slap.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | slap.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | slap.exe

Executes dropped EXE | 2 IoCs
pid | Process
4692 | slap.exe
3120 | slap.exe

Themida packer (yara rule: themida) | 19 IoCs
All memory hits cover the same mapped region, 0x00007FF78A1B0000-0x00007FF78B27F000, in both slap.exe processes.
resource | yara_rule
behavioral1/files/0x000500000001da6f-27.dat | themida
behavioral1/memory/4692-29-0x00007FF78A1B0000-0x00007FF78B27F000-memory.dmp | themida
behavioral1/memory/4692-31-0x00007FF78A1B0000-0x00007FF78B27F000-memory.dmp | themida
behavioral1/memory/4692-32-0x00007FF78A1B0000-0x00007FF78B27F000-memory.dmp | themida
behavioral1/memory/4692-33-0x00007FF78A1B0000-0x00007FF78B27F000-memory.dmp | themida
behavioral1/memory/4692-34-0x00007FF78A1B0000-0x00007FF78B27F000-memory.dmp | themida
behavioral1/memory/4692-35-0x00007FF78A1B0000-0x00007FF78B27F000-memory.dmp | themida
behavioral1/memory/4692-36-0x00007FF78A1B0000-0x00007FF78B27F000-memory.dmp | themida
behavioral1/memory/4692-37-0x00007FF78A1B0000-0x00007FF78B27F000-memory.dmp | themida
behavioral1/memory/4692-38-0x00007FF78A1B0000-0x00007FF78B27F000-memory.dmp | themida
behavioral1/memory/3120-41-0x00007FF78A1B0000-0x00007FF78B27F000-memory.dmp | themida
behavioral1/memory/3120-43-0x00007FF78A1B0000-0x00007FF78B27F000-memory.dmp | themida
behavioral1/memory/3120-44-0x00007FF78A1B0000-0x00007FF78B27F000-memory.dmp | themida
behavioral1/memory/3120-45-0x00007FF78A1B0000-0x00007FF78B27F000-memory.dmp | themida
behavioral1/memory/3120-46-0x00007FF78A1B0000-0x00007FF78B27F000-memory.dmp | themida
behavioral1/memory/3120-47-0x00007FF78A1B0000-0x00007FF78B27F000-memory.dmp | themida
behavioral1/memory/3120-48-0x00007FF78A1B0000-0x00007FF78B27F000-memory.dmp | themida
behavioral1/memory/3120-49-0x00007FF78A1B0000-0x00007FF78B27F000-memory.dmp | themida
behavioral1/memory/3120-50-0x00007FF78A1B0000-0x00007FF78B27F000-memory.dmp | themida

Checks whether UAC is enabled | 2 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | slap.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | slap.exe

Suspicious use of NtSetInformationThreadHideFromDebugger | 2 IoCs
ThreadHideFromDebugger stops the calling thread from delivering debug events to an attached debugger; it is a standard anti-debugging measure and is expected from a Themida-protected binary.
pid | Process
4692 | slap.exe
3120 | slap.exe

Suspicious use of AdjustPrivilegeToken | 4 IoCs
description | pid | Process
Token: SeRestorePrivilege | 3232 | 7zG.exe
Token: 35 | 3232 | 7zG.exe
Token: SeSecurityPrivilege | 3232 | 7zG.exe
Token: SeSecurityPrivilege | 3232 | 7zG.exe
These hits belong to 7zG.exe, the 7-Zip GUI that the analysis harness used to extract the archive (see Processes). 7-Zip enables SeRestorePrivilege, SeSecurityPrivilege and privilege value 35 (SeCreateSymbolicLinkPrivilege) to restore file attributes, security descriptors and symbolic links, so this is expected extraction behaviour rather than activity of the sample.

Suspicious use of FindShellTrayWindow | 1 IoCs
pid | Process
3232 | 7zG.exe
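The registry IoCs above are the raw material a detection engineer would turn into a rule: the same key paths show up in Sysmon registry events or EDR telemetry. The following Python is an added example, not part of the tria.ge report; it classifies rows in the report's "description / ioc / Process" shape against a small rule set built from the keys listed in this report. The rule set is an assumption (the BOCHS_ ACPI entry for QEMU/Bochs and the SystemBiosDate value are my additions, not keys the report shows), and the 7zG.exe row is a constructed benign read used to show that ordinary registry traffic is not flagged.

```python
import re
from collections import defaultdict

# Rule set (assumption, not the sandbox's own signature logic):
# signature label -> regex over the full key path, matched case-insensitively.
RULES = {
    "Identifies VirtualBox via ACPI registry values (likely anti-VM)":
        re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I),
    # Assumed extension: QEMU/Bochs firmware reports the OEM ID "BOCHS ",
    # which appears in the registry with the trailing space as an underscore.
    "Identifies QEMU/Bochs via ACPI registry values (likely anti-VM)":
        re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\BOCHS_", re.I),
    "Checks BIOS information in registry":
        re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\"
                   r"(SystemBiosVersion|VideoBiosVersion|SystemBiosDate)$", re.I),
    "Checks whether UAC is enabled":
        re.compile(r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\"
                   r"Policies\\System\\EnableLUA$", re.I),
}

# Constructed input: tab-separated rows in the report's "description / ioc /
# Process" shape.  The first four mirror slap.exe's rows; the 7zG.exe row is a
# made-up benign read so the benign path is exercised too.
SAMPLE_IOCS = [
    "Key opened\t\\REGISTRY\\MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__\tslap.exe",
    "Key value queried\t\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion\tslap.exe",
    "Key value queried\t\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion\tslap.exe",
    "Key value queried\t\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA\tslap.exe",
    "Key value queried\t\\REGISTRY\\MACHINE\\SOFTWARE\\7-Zip\\Path\t7zG.exe",
]


def parse_ioc(row):
    """Split one row into (description, key path, process); None if malformed."""
    parts = row.split("\t")
    if len(parts) != 3:
        return None
    return tuple(p.strip() for p in parts)


def classify(rows, rules=RULES):
    """Return {process: {signature label: [matching key paths]}}.

    Processes with no matching rows are omitted, so benign-only processes
    such as the 7zG.exe row above do not appear in the result at all.
    """
    hits = defaultdict(lambda: defaultdict(list))
    for row in rows:
        parsed = parse_ioc(row)
        if parsed is None:
            continue
        _description, key, process = parsed
        for label, pattern in rules.items():
            if pattern.search(key):
                hits[process][label].append(key)
    return {proc: dict(sigs) for proc, sigs in hits.items()}


def verdict(hits, min_categories=2):
    """Processes that tripped at least `min_categories` distinct signatures.

    The threshold is an analyst's choice: a lone BIOS read is common in benign
    installers, but VM fingerprinting combined with a UAC probe is the
    pattern seen in slap.exe.
    """
    return sorted(proc for proc, sigs in hits.items() if len(sigs) >= min_categories)


if __name__ == "__main__":
    result = classify(SAMPLE_IOCS)
    for proc, sigs in result.items():
        print(proc)
        for label, keys in sigs.items():
            print(f"  {label}: {len(keys)} IoC(s)")
    print("suspicious:", verdict(result))
```

Run stand-alone, the script reports three signature categories for slap.exe and nothing for 7zG.exe, and only slap.exe passes the two-category threshold. Feeding it Sysmon Event ID 12/13 key paths instead of report rows only requires adjusting parse_ioc.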
Processes

C:\Windows\Explorer.exe
  command line: C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Slap - Copia - Copia.zip"
  PID: 4488

C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 3704

C:\Program Files\7-Zip\7zG.exe
  command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Slap - Copia - Copia\" -ad -an -ai#7zMap15765:98:7zEvent27923
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 3232

C:\Windows\system32\NOTEPAD.EXE
  command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Slap - Copia - Copia\slap v1.28 (works)\how to use.txt
  PID: 2300

C:\Users\Admin\Desktop\Slap - Copia - Copia\slap v1.28 (works)\slap.exe
  command line: "C:\Users\Admin\Desktop\Slap - Copia - Copia\slap v1.28 (works)\slap.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID: 4692

C:\Users\Admin\Desktop\Slap - Copia - Copia\slap v1.28 (works)\slap.exe
  command line: "C:\Users\Admin\Desktop\Slap - Copia - Copia\slap v1.28 (works)\slap.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID: 3120
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 216B
MD5: 8a36c27f073777f563d46293b4408524
SHA1: e48afbbbfd6554aa878ddc9a0db62a773f5ce2cb
SHA256: 927352136d546321fe3638c86a647b53154ae49f7e81e133dbbfa95ce3f7148f
SHA512: 80e0bcf348f20438c5aff036449774d13c4dc75a8ac876a5f5980320ad146cd7abd04f0e371ce765b5868c70af89eab818702c21c3b6997a2f7d3eade4d1d80a

Filesize: 7.3MB
MD5: cde2a1b5aa17584d9dcd5eb8e6239124
SHA1: 065bc349cc88f86c6a8cd94921bca8f39b658883
SHA256: 876c4492ec205277298130817cbdf2c8428823ea38b7bf741ac9aa3c0f7e84ce
SHA512: 680f12afdaec31307a27b6ad3b7fad22d107982842b8b57180361ce8a7b0adbd9af179ca94fdad21dee7a9568a4248aea4230403abeedc92ca00967e422e1435