Analysis

  • max time kernel: 150s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240412-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 26/04/2024, 10:54

General

  • Target: newstuff.exe
  • Size: 2.8MB
  • MD5: 65f8a01db5c275706e9f13d875441b25
  • SHA1: 906103ef1d080d47a1159fce236c7450b95917f3
  • SHA256: 14c96fd6748713e8d1c561a073b6d777c4da7b31f3b1157c2698f24f16e75d5e
  • SHA512: 6d65b3cd5dfe6c8ca49032e01b79b9894ac0340ec6451a89e4199eb200983ac0d6c63952b70ec99c42a7ea72b30304ed2d5e6ea8980de1f8fbccc1d368498a7b
  • SSDEEP: 49152:XXzhpDtKSK1cb8PGK+Tfuqmpc3elWo8GnQAsYZEV4fa/me:XXzhW148Pd+Tf1mpcOldJQ3/V4yx

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
  • Checks BIOS information in registry 2 TTPs 12 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 6 IoCs
  • Themida packer 20 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Drops file in Windows directory 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\newstuff.exe
    "C:\Users\Admin\AppData\Local\Temp\newstuff.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4648
    • \??\c:\users\admin\appdata\local\temp\newstuff.exe
      c:\users\admin\appdata\local\temp\newstuff.exe
      2⤵
      • Executes dropped EXE
      PID:4432
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3564
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visibility of hidden/system files in Explorer
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in System32 directory
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4788
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3268
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visibility of hidden/system files in Explorer
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops file in System32 directory
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4172
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of SetWindowsHookEx
              PID:3236

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\newstuff.exe
    Filesize: 239KB
    MD5: 6109c703543ce917ab5b9975735f78ef
    SHA1: 88c6d3fc7076dce3826f8f03feac041cc15fd9b8
    SHA256: 3e1cb481036dba2c97f3d390b7266d194a2bc7b2640ddc085d8e9c8d43baa0b1
    SHA512: 94234381bff3cf743e3c441b820595a084794f822e35a2b91cf28cf59517eff4fb8d27cc6490861c463f78d03860b02e592a20a66e3b367a515460e9ccf3597e

  • C:\Windows\Resources\Themes\explorer.exe
    Filesize: 2.6MB
    MD5: 68f2b32f1df6f58e0b7f53e551ea55fb
    SHA1: ef5bc5a231619488dc32ad41affd51f503b97b53
    SHA256: b33bb97f2b41f1493859393791ebee9699407deda6c7ef45ba29cc668e57b9ad
    SHA512: 98948ff9681883af8a1fdc43cce28d0535c6fd4cc24b86b7c637533c8bac45fe75e3427ab46f6cef2e52f069cc210d69d09c86975442ff43b24c5e5c38375b44

  • C:\Windows\Resources\Themes\icsys.icn.exe
    Filesize: 2.6MB
    MD5: d513836f9ae72161ba1a862e8e13c43a
    SHA1: 8ed0157cd5ecb06d10389841eef74dbc2a2bf1fa
    SHA256: b92bd1d20732e76e41c0149cff89a6302c2f854730369a198843eef3adfdde95
    SHA512: b9a895a1a71b0fd9a21e253cfbe575be6549611b8e44c67646410d776a6ccb283ae08e1abc8a30fedbc2f01fd482e79abccc8a2983bd42bf624fcd2ee10fd59a

  • C:\Windows\Resources\spoolsv.exe
    Filesize: 2.6MB
    MD5: c536a1b62e46f6e3ba6326f3bb884855
    SHA1: ea63309e8200cef15cf2fdd312cce1994e747cfc
    SHA256: bb34e52427cf66446da880a69b8a00c9c79a67c59f3698ee7ce11a4c5f9d85d0
    SHA512: 0e86b410bcfddbe1cf6b14fb0df0350dac41e7ef5083c53771331fdf5ac9f859671e725266ff4f4ac572f2b919d4c1c7973219ce1eb4b5654da7c5e8ae579ea1

  • C:\Windows\Resources\svchost.exe
    Filesize: 2.6MB
    MD5: 1e34ca5d5a44d2db4ed10f6d348210bf
    SHA1: e68021dcb68fb1c46e12e77c3f82ddae9d0796a2
    SHA256: 675f4c182852452e10e2dbff212b745364f4fbf484639317737febd48376dc70
    SHA512: 1ff649447eafd64dbf0139b7895c2fab6ff76c537b137d416e085765c448d278c53f452a9666a2533e191b10e3def7b4747dc9bf08609a1ad4e72b50856cf678

  • memory/3236-44-0x0000000000400000-0x0000000000A16000-memory.dmp
    Filesize: 6.1MB

  • memory/3236-48-0x0000000000400000-0x0000000000A16000-memory.dmp
    Filesize: 6.1MB

  • memory/3268-49-0x0000000000400000-0x0000000000A16000-memory.dmp
    Filesize: 6.1MB

  • memory/3268-29-0x0000000000400000-0x0000000000A16000-memory.dmp
    Filesize: 6.1MB

  • memory/3564-50-0x0000000000400000-0x0000000000A16000-memory.dmp
    Filesize: 6.1MB

  • memory/4172-59-0x0000000000400000-0x0000000000A16000-memory.dmp
    Filesize: 6.1MB

  • memory/4172-53-0x0000000000400000-0x0000000000A16000-memory.dmp
    Filesize: 6.1MB

  • memory/4172-38-0x0000000000400000-0x0000000000A16000-memory.dmp
    Filesize: 6.1MB

  • memory/4648-51-0x0000000000400000-0x0000000000A16000-memory.dmp
    Filesize: 6.1MB

  • memory/4648-43-0x0000000000400000-0x0000000000A16000-memory.dmp
    Filesize: 6.1MB

  • memory/4648-0-0x0000000000400000-0x0000000000A16000-memory.dmp
    Filesize: 6.1MB

  • memory/4648-1-0x0000000077744000-0x0000000077746000-memory.dmp
    Filesize: 8KB

  • memory/4788-52-0x0000000000400000-0x0000000000A16000-memory.dmp
    Filesize: 6.1MB

  • memory/4788-20-0x0000000000400000-0x0000000000A16000-memory.dmp
    Filesize: 6.1MB

  • memory/4788-64-0x0000000000400000-0x0000000000A16000-memory.dmp
    Filesize: 6.1MB

  • memory/4788-70-0x0000000000400000-0x0000000000A16000-memory.dmp
    Filesize: 6.1MB

  • memory/4788-72-0x0000000000400000-0x0000000000A16000-memory.dmp
    Filesize: 6.1MB