Analysis
- max time kernel: 17s
- max time network: 23s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17/05/2024, 13:20
Static task: static1
Behavioral task: behavioral1
- Sample: Yeah.exe
- Resource: win7-20240215-en
General
- Target: Yeah.exe
- Size: 4.7MB
- MD5: 82b3a00eb4303992a25ac286cc81a586
- SHA1: facb18dbd463b8c710b5b5353b1042ea54dec669
- SHA256: 081343ccb0f148c536a0e0811710b55e51d604c0496f2fde5c407cc1e75292eb
- SHA512: 8b41660a7aa32e7472ea57edb4b8817fae9e6f4d6d77eff30b22a3033bc97c70bfbbc6a2f4479e2500585eda059cdeab2acd87c106fe219d109ab6707b6e52f0
- SSDEEP: 98304:zaoiuuvagisE3E6uU2zBlsuVVVHYAj4fB07VY7m9istT:zNbgisCxaBlsQVVHdjpim95T
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: Yeah.exe)

Looks for VMWare Tools registry key (2 TTPs, 1 IoCs)
- Key opened: \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools (process: Yeah.exe)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: Yeah.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: Yeah.exe)
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled (1 IoCs)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: Yeah.exe)
Maps connected drives based on registry (3 TTPs, 7 IoCs)
Disk information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Disk\Enum (process: Yeah.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\Disk\Enum (process: Yeah.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (process: Yeah.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 (process: Yeah.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: Yeah.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\DeviceDesc (process: Yeah.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\FriendlyName (process: Yeah.exe)

Checks system information in the registry (2 TTPs, 1 IoCs)
System information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName (process: Yeah.exe)

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
- PID 736 (process: Yeah.exe)

Checks for VirtualBox DLLs, possible anti-VM trick (1 TTPs, 1 IoCs)
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
- File opened (read-only): \??\VBoxMiniRdrDN (process: Yeah.exe)

Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\BIOS (process: Yeah.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (process: Yeah.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (process: Yeah.exe)

Suspicious behavior: EnumeratesProcesses (44 IoCs)
- PID 736 (process: Yeah.exe), 44 identical entries

Suspicious use of AdjustPrivilegeToken (24 IoCs)
All entries: PID 736, process Yeah.exe
- Token: SeIncreaseQuotaPrivilege
- Token: SeSecurityPrivilege
- Token: SeTakeOwnershipPrivilege
- Token: SeLoadDriverPrivilege
- Token: SeSystemProfilePrivilege
- Token: SeSystemtimePrivilege
- Token: SeProfSingleProcessPrivilege
- Token: SeIncBasePriorityPrivilege
- Token: SeCreatePagefilePrivilege
- Token: SeBackupPrivilege
- Token: SeRestorePrivilege
- Token: SeShutdownPrivilege
- Token: SeDebugPrivilege
- Token: SeSystemEnvironmentPrivilege
- Token: SeChangeNotifyPrivilege
- Token: SeRemoteShutdownPrivilege
- Token: SeUndockPrivilege
- Token: SeManageVolumePrivilege
- Token: SeImpersonatePrivilege
- Token: SeCreateGlobalPrivilege
- Token: 33
- Token: 34
- Token: 35
- Token: 36
Processes
C:\Users\Admin\AppData\Local\Temp\Yeah.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Yeah.exe"
Signatures triggered:
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Checks system information in the registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks for VirtualBox DLLs, possible anti-VM trick
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 736