Analysis
max time kernel: 141s
max time network: 122s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 25/06/2024, 08:59
Static task: static1

Behavioral task: behavioral1
Sample: 15a1e0c61a71ed6b17625c6e43944ff20c7b87ab555f30f00a7dbc991a56aa40.exe
Resource: win7-20240419-en

Behavioral task: behavioral2
Sample: 15a1e0c61a71ed6b17625c6e43944ff20c7b87ab555f30f00a7dbc991a56aa40.exe
Resource: win10v2004-20240508-en
General
Target: 15a1e0c61a71ed6b17625c6e43944ff20c7b87ab555f30f00a7dbc991a56aa40.exe
Size: 5.3MB
MD5: c8627d527e77a0ef72d4cf95c2372029
SHA1: fb137315fc704f3440c1598431af75972794c673
SHA256: 15a1e0c61a71ed6b17625c6e43944ff20c7b87ab555f30f00a7dbc991a56aa40
SHA512: e94ed1163969eb3ab88d5f922b51e13b9477f5107eddc409c2ddecca326bbb8867ff89186800f5f792e19ff52c34694debfea3a2d24f0464bd5fae742a0b1c90
SSDEEP: 98304:LCPwQxcW9q8uwKVDhkIzfNhicx/aktet2uucyOZqcTXj5M3H4hOFe:qtiW9qZwKfVzbicxycG2uvFBzja3H4hb
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 15a1e0c61a71ed6b17625c6e43944ff20c7b87ab555f30f00a7dbc991a56aa40.exe

Checks BIOS information in registry (2 TTPs, 3 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 15a1e0c61a71ed6b17625c6e43944ff20c7b87ab555f30f00a7dbc991a56aa40.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 15a1e0c61a71ed6b17625c6e43944ff20c7b87ab555f30f00a7dbc991a56aa40.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | 15a1e0c61a71ed6b17625c6e43944ff20c7b87ab555f30f00a7dbc991a56aa40.exe
Yara rule matches in memory dumps (24 IoCs)
resource | yara_rule
behavioral1/memory/2944-5-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2944-7-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2944-11-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2944-14-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2944-41-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2944-18-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2944-53-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2944-52-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2944-49-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2944-47-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2944-45-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2944-39-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2944-38-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2944-36-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2944-34-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2944-32-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2944-29-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2944-25-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2944-24-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2944-22-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2944-16-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2944-13-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2944-6-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral1/memory/2944-141-0x0000000010000000-0x000000001003F000-memory.dmp | upx
Checks whether UAC is enabled (1 IoC)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 15a1e0c61a71ed6b17625c6e43944ff20c7b87ab555f30f00a7dbc991a56aa40.exe
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | 15a1e0c61a71ed6b17625c6e43944ff20c7b87ab555f30f00a7dbc991a56aa40.exe

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\setupD.log | 15a1e0c61a71ed6b17625c6e43944ff20c7b87ab555f30f00a7dbc991a56aa40.exe
File opened for modification | C:\Windows\setupD.log | 15a1e0c61a71ed6b17625c6e43944ff20c7b87ab555f30f00a7dbc991a56aa40.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies system certificate store (3 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | 15a1e0c61a71ed6b17625c6e43944ff20c7b87ab555f30f00a7dbc991a56aa40.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (blob data omitted) | 15a1e0c61a71ed6b17625c6e43944ff20c7b87ab555f30f00a7dbc991a56aa40.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (blob data omitted) | 15a1e0c61a71ed6b17625c6e43944ff20c7b87ab555f30f00a7dbc991a56aa40.exe
Suspicious use of AdjustPrivilegeToken (40 IoCs)
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 1628 | WMIC.exe
Token: SeSecurityPrivilege | 1628 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1628 | WMIC.exe
Token: SeLoadDriverPrivilege | 1628 | WMIC.exe
Token: SeSystemProfilePrivilege | 1628 | WMIC.exe
Token: SeSystemtimePrivilege | 1628 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1628 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1628 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1628 | WMIC.exe
Token: SeBackupPrivilege | 1628 | WMIC.exe
Token: SeRestorePrivilege | 1628 | WMIC.exe
Token: SeShutdownPrivilege | 1628 | WMIC.exe
Token: SeDebugPrivilege | 1628 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1628 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1628 | WMIC.exe
Token: SeUndockPrivilege | 1628 | WMIC.exe
Token: SeManageVolumePrivilege | 1628 | WMIC.exe
Token: 33 | 1628 | WMIC.exe
Token: 34 | 1628 | WMIC.exe
Token: 35 | 1628 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 1628 | WMIC.exe
Token: SeSecurityPrivilege | 1628 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1628 | WMIC.exe
Token: SeLoadDriverPrivilege | 1628 | WMIC.exe
Token: SeSystemProfilePrivilege | 1628 | WMIC.exe
Token: SeSystemtimePrivilege | 1628 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1628 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1628 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1628 | WMIC.exe
Token: SeBackupPrivilege | 1628 | WMIC.exe
Token: SeRestorePrivilege | 1628 | WMIC.exe
Token: SeShutdownPrivilege | 1628 | WMIC.exe
Token: SeDebugPrivilege | 1628 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1628 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1628 | WMIC.exe
Token: SeUndockPrivilege | 1628 | WMIC.exe
Token: SeManageVolumePrivilege | 1628 | WMIC.exe
Token: 33 | 1628 | WMIC.exe
Token: 34 | 1628 | WMIC.exe
Token: 35 | 1628 | WMIC.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
2944 | 15a1e0c61a71ed6b17625c6e43944ff20c7b87ab555f30f00a7dbc991a56aa40.exe
2944 | 15a1e0c61a71ed6b17625c6e43944ff20c7b87ab555f30f00a7dbc991a56aa40.exe
2944 | 15a1e0c61a71ed6b17625c6e43944ff20c7b87ab555f30f00a7dbc991a56aa40.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2944 wrote to memory of 1624 | 2944 | 15a1e0c61a71ed6b17625c6e43944ff20c7b87ab555f30f00a7dbc991a56aa40.exe | 28
PID 2944 wrote to memory of 1624 | 2944 | 15a1e0c61a71ed6b17625c6e43944ff20c7b87ab555f30f00a7dbc991a56aa40.exe | 28
PID 2944 wrote to memory of 1624 | 2944 | 15a1e0c61a71ed6b17625c6e43944ff20c7b87ab555f30f00a7dbc991a56aa40.exe | 28
PID 2944 wrote to memory of 1624 | 2944 | 15a1e0c61a71ed6b17625c6e43944ff20c7b87ab555f30f00a7dbc991a56aa40.exe | 28
PID 1624 wrote to memory of 1628 | 1624 | cmd.exe | 30
PID 1624 wrote to memory of 1628 | 1624 | cmd.exe | 30
PID 1624 wrote to memory of 1628 | 1624 | cmd.exe | 30
PID 1624 wrote to memory of 1628 | 1624 | cmd.exe | 30
Processes

1. C:\Users\Admin\AppData\Local\Temp\15a1e0c61a71ed6b17625c6e43944ff20c7b87ab555f30f00a7dbc991a56aa40.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\15a1e0c61a71ed6b17625c6e43944ff20c7b87ab555f30f00a7dbc991a56aa40.exe"
   PID: 2944
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Checks whether UAC is enabled
   - Writes to the Master Boot Record (MBR)
   - Drops file in Windows directory
   - Modifies system certificate store
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c Wmic Path Win32_VideoController Get Description
      PID: 1624
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\Wbem\WMIC.exe
         Command line: Wmic Path Win32_VideoController Get Description
         PID: 1628
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads