Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
130s -
max time network
94s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system -
submitted
06/06/2024, 20:46
Static task
static1
Behavioral task
behavioral1
Sample
vers/da hood/build.exe
Resource
win11-20240508-en
Behavioral task
behavioral2
Sample
vers/hood custom/build.exe
Resource
win11-20240508-en
Behavioral task
behavioral3
Sample
vers/other games/build.exe
Resource
win11-20240426-en
General
-
Target
vers/other games/build.exe
-
Size
1.8MB
-
MD5
222b980c96c7442b36193d65db0a68e1
-
SHA1
cba5e81400f0d5e14e1932fea20203f36a815e5c
-
SHA256
d25b4bc99a5642ea1d79fa5efd1e037fb164ff6194e92474b745e61ea4476ce3
-
SHA512
bf8983162f6e94a2eb653f5664d65ba2de8dbd46fcbb8c1a45647b13b595a46a1912a230e5022a8eb9ca521072cb9055460bfa71eb8c5033cdef00774175e5be
-
SSDEEP
49152:Bulch6hbadoX61Sb/UOyodfDfOE6vtK/UNZ:cl1RX61SbVbcN
Malware Config
Signatures
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 taskmgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 23 IoCs
pid Process 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1576 taskmgr.exe Token: SeSystemProfilePrivilege 1576 taskmgr.exe Token: SeCreateGlobalPrivilege 1576 taskmgr.exe -
Suspicious use of FindShellTrayWindow 34 IoCs
pid Process 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe -
Suspicious use of SendNotifyMessage 34 IoCs
pid Process 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe 1576 taskmgr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\vers\other games\build.exe"C:\Users\Admin\AppData\Local\Temp\vers\other games\build.exe"1⤵PID:1220
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1576