Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

9

Static

static

7

CardingMachine.exe

windows7-x64

9

CardingMachine.exe

windows10-2004-x64

9

Resubmissions

21/07/2024, 05:03 UTC

240721-fprqrsvcjf 9

18/05/2024, 00:50 UTC

240518-a7abjsca2z 9

Analysis

  • max time kernel
    10s
  • max time network
    19s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/05/2024, 00:50 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CardingMachine.exe

  • Size

    615.1MB

  • MD5

    796c4e013accc1d47e263f2438248e5e

  • SHA1

    dbca3bb74c9715a4b21259fa644a39a59bb438a7

  • SHA256

    e934ef0b1bad86d0a8d2a08a90b64b309404b2983649f8e34d400704ce8c65c0

  • SHA512

    5ae71ea3ac4f15c6143a424e1e2491294e5f2e5508ca4c05b6fa2676634140ec03e27b698ab0378726b421369e36988f56e016e145ba10b2d517577a00de926c

  • SSDEEP

    49152:lNjqYcOatzfsFfG/oDx4tDhdLDG15f9pTo0trQyYxQw:lNjFcOaxYG/M43HA5fVt8Q

Score
9/10
evasionexecutionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Themida packer 7 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CardingMachine.exe
    "C:\Users\Admin\AppData\Local\Temp\CardingMachine.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:3308
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:548
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4684
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s2jw.0.bat" "
      2⤵
        PID:4844
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          3⤵
          • Delays execution with timeout.exe
          PID:2324

    Network

    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
    No results found
    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      330 B
       5

      DNS Request

      8.8.8.8.in-addr.arpa

      DNS Request

      8.8.8.8.in-addr.arpa

      DNS Request

      8.8.8.8.in-addr.arpa

      DNS Request

      8.8.8.8.in-addr.arpa

      DNS Request

      8.8.8.8.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      4a02b34a2c61fc7c963de999669a7256

      SHA1

      3b1c821f5adcaf1acdb5bda68e9e69c0cdba4419

      SHA256

      0d86374d5a9f9afb2f1e9aaec829d990fc9539ec884240bb80f02ea513f5cc08

      SHA512

      45c83eccf1a8bad38ff4cc8058dadbc1dc11edbbbaa37e6a5eaeb78f9f7ade31ccb4abf0b60c76932baed279fd5f46156369a4aa2c5503af919f9c032c8971ee

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rfht1ie3.wq2.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\s2jw.0.bat
      Filesize

      174B

      MD5

      2154b0f57b1c1a5dfd77f805b3104089

      SHA1

      0f0bf78d11c52d84c5c69b65de6c12cba9192276

      SHA256

      52e819f30f4a78ad00d519cabf23e4223ee39edc0f0878b47a5927a85475e7e0

      SHA512

      f47b4cba5c09140a235348050d0c92cea735e2aa36bbece57a436a5680f9b3365cd869f38c3ac70e21426b8983905e7d3ac4e26c5a559efb9ade256ad7523242

      Download Submit

    • memory/548-68-0x0000000006F50000-0x0000000006F5A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/548-18-0x0000000005570000-0x00000000058C4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/548-63-0x0000000073F70000-0x0000000074720000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/548-39-0x0000000006170000-0x00000000061A2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/548-62-0x0000000006DC0000-0x0000000006E63000-memory.dmp

      Filesize

      652KB

      Download

    • memory/548-9-0x0000000073F70000-0x0000000074720000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/548-10-0x0000000004C70000-0x0000000005298000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/548-11-0x0000000073F70000-0x0000000074720000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/548-40-0x0000000070800000-0x000000007084C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/548-13-0x0000000073F70000-0x0000000074720000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/548-77-0x0000000073F70000-0x0000000074720000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/548-74-0x0000000007200000-0x0000000007208000-memory.dmp

      Filesize

      32KB

      Download

    • memory/548-17-0x0000000005380000-0x00000000053E6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/548-64-0x0000000073F70000-0x0000000074720000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/548-16-0x0000000005310000-0x0000000005376000-memory.dmp

      Filesize

      408KB

      Download

    • memory/548-72-0x0000000007120000-0x0000000007134000-memory.dmp

      Filesize

      80KB

      Download

    • memory/548-73-0x0000000007220000-0x000000000723A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3308-4-0x0000000000150000-0x00000000007D3000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3308-0-0x0000000000150000-0x00000000007D3000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3308-3-0x0000000000150000-0x00000000007D3000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3308-5-0x0000000000150000-0x00000000007D3000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3308-2-0x0000000000150000-0x00000000007D3000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3308-6-0x0000000000150000-0x00000000007D3000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3308-88-0x0000000000150000-0x00000000007D3000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3308-1-0x0000000077DB4000-0x0000000077DB6000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4684-61-0x0000000073F70000-0x0000000074720000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4684-65-0x0000000073F70000-0x0000000074720000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4684-67-0x0000000007AC0000-0x0000000007ADA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4684-66-0x0000000008110000-0x000000000878A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/4684-41-0x0000000070800000-0x000000007084C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4684-69-0x0000000007D40000-0x0000000007DD6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/4684-70-0x0000000007CC0000-0x0000000007CD1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4684-71-0x0000000007CF0000-0x0000000007CFE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4684-37-0x0000000006790000-0x00000000067AE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4684-38-0x00000000067C0000-0x000000000680C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4684-15-0x00000000056E0000-0x0000000005702000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4684-14-0x0000000073F70000-0x0000000074720000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4684-12-0x0000000073F70000-0x0000000074720000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4684-8-0x0000000002E80000-0x0000000002EB6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/4684-81-0x0000000073F70000-0x0000000074720000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4684-7-0x0000000073F7E000-0x0000000073F7F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4684-60-0x0000000006D50000-0x0000000006D6E000-memory.dmp

      Filesize

      120KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.