Analysis
max time kernel: 142s
max time network: 54s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/06/2024, 08:59
Static task: static1

Behavioral task: behavioral1
Sample: 15a1e0c61a71ed6b17625c6e43944ff20c7b87ab555f30f00a7dbc991a56aa40.exe
Resource: win7-20240419-en

Behavioral task: behavioral2
Sample: 15a1e0c61a71ed6b17625c6e43944ff20c7b87ab555f30f00a7dbc991a56aa40.exe
Resource: win10v2004-20240508-en
General
Target: 15a1e0c61a71ed6b17625c6e43944ff20c7b87ab555f30f00a7dbc991a56aa40.exe
Size: 5.3MB
MD5: c8627d527e77a0ef72d4cf95c2372029
SHA1: fb137315fc704f3440c1598431af75972794c673
SHA256: 15a1e0c61a71ed6b17625c6e43944ff20c7b87ab555f30f00a7dbc991a56aa40
SHA512: e94ed1163969eb3ab88d5f922b51e13b9477f5107eddc409c2ddecca326bbb8867ff89186800f5f792e19ff52c34694debfea3a2d24f0464bd5fae742a0b1c90
SSDEEP: 98304:LCPwQxcW9q8uwKVDhkIzfNhicx/aktet2uucyOZqcTXj5M3H4hOFe:qtiW9qZwKfVzbicxycG2uvFBzja3H4hb
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 15a1e0c61a71ed6b17625c6e43944ff20c7b87ab555f30f00a7dbc991a56aa40.exe
Checks BIOS information in registry (2 TTPs, 3 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 15a1e0c61a71ed6b17625c6e43944ff20c7b87ab555f30f00a7dbc991a56aa40.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 15a1e0c61a71ed6b17625c6e43944ff20c7b87ab555f30f00a7dbc991a56aa40.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | 15a1e0c61a71ed6b17625c6e43944ff20c7b87ab555f30f00a7dbc991a56aa40.exe
resource | yara_rule
behavioral2/memory/2816-33-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral2/memory/2816-31-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral2/memory/2816-48-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral2/memory/2816-49-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral2/memory/2816-46-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral2/memory/2816-44-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral2/memory/2816-42-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral2/memory/2816-40-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral2/memory/2816-38-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral2/memory/2816-37-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral2/memory/2816-29-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral2/memory/2816-27-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral2/memory/2816-25-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral2/memory/2816-23-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral2/memory/2816-21-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral2/memory/2816-19-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral2/memory/2816-17-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral2/memory/2816-15-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral2/memory/2816-13-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral2/memory/2816-11-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral2/memory/2816-9-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral2/memory/2816-7-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral2/memory/2816-6-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral2/memory/2816-5-0x0000000010000000-0x000000001003F000-memory.dmp | upx
behavioral2/memory/2816-115-0x0000000010000000-0x000000001003F000-memory.dmp | upx
Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 15a1e0c61a71ed6b17625c6e43944ff20c7b87ab555f30f00a7dbc991a56aa40.exe
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | 15a1e0c61a71ed6b17625c6e43944ff20c7b87ab555f30f00a7dbc991a56aa40.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (42 IoCs)
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 1664 | WMIC.exe
Token: SeSecurityPrivilege | 1664 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1664 | WMIC.exe
Token: SeLoadDriverPrivilege | 1664 | WMIC.exe
Token: SeSystemProfilePrivilege | 1664 | WMIC.exe
Token: SeSystemtimePrivilege | 1664 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1664 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1664 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1664 | WMIC.exe
Token: SeBackupPrivilege | 1664 | WMIC.exe
Token: SeRestorePrivilege | 1664 | WMIC.exe
Token: SeShutdownPrivilege | 1664 | WMIC.exe
Token: SeDebugPrivilege | 1664 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1664 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1664 | WMIC.exe
Token: SeUndockPrivilege | 1664 | WMIC.exe
Token: SeManageVolumePrivilege | 1664 | WMIC.exe
Token: 33 | 1664 | WMIC.exe
Token: 34 | 1664 | WMIC.exe
Token: 35 | 1664 | WMIC.exe
Token: 36 | 1664 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 1664 | WMIC.exe
Token: SeSecurityPrivilege | 1664 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1664 | WMIC.exe
Token: SeLoadDriverPrivilege | 1664 | WMIC.exe
Token: SeSystemProfilePrivilege | 1664 | WMIC.exe
Token: SeSystemtimePrivilege | 1664 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1664 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1664 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1664 | WMIC.exe
Token: SeBackupPrivilege | 1664 | WMIC.exe
Token: SeRestorePrivilege | 1664 | WMIC.exe
Token: SeShutdownPrivilege | 1664 | WMIC.exe
Token: SeDebugPrivilege | 1664 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1664 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1664 | WMIC.exe
Token: SeUndockPrivilege | 1664 | WMIC.exe
Token: SeManageVolumePrivilege | 1664 | WMIC.exe
Token: 33 | 1664 | WMIC.exe
Token: 34 | 1664 | WMIC.exe
Token: 35 | 1664 | WMIC.exe
Token: 36 | 1664 | WMIC.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
2816 | 15a1e0c61a71ed6b17625c6e43944ff20c7b87ab555f30f00a7dbc991a56aa40.exe
2816 | 15a1e0c61a71ed6b17625c6e43944ff20c7b87ab555f30f00a7dbc991a56aa40.exe
2816 | 15a1e0c61a71ed6b17625c6e43944ff20c7b87ab555f30f00a7dbc991a56aa40.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 2816 wrote to memory of 3448 | 2816 | 15a1e0c61a71ed6b17625c6e43944ff20c7b87ab555f30f00a7dbc991a56aa40.exe | 80
PID 2816 wrote to memory of 3448 | 2816 | 15a1e0c61a71ed6b17625c6e43944ff20c7b87ab555f30f00a7dbc991a56aa40.exe | 80
PID 2816 wrote to memory of 3448 | 2816 | 15a1e0c61a71ed6b17625c6e43944ff20c7b87ab555f30f00a7dbc991a56aa40.exe | 80
PID 3448 wrote to memory of 1664 | 3448 | cmd.exe | 82
PID 3448 wrote to memory of 1664 | 3448 | cmd.exe | 82
PID 3448 wrote to memory of 1664 | 3448 | cmd.exe | 82
Processes
1. C:\Users\Admin\AppData\Local\Temp\15a1e0c61a71ed6b17625c6e43944ff20c7b87ab555f30f00a7dbc991a56aa40.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\15a1e0c61a71ed6b17625c6e43944ff20c7b87ab555f30f00a7dbc991a56aa40.exe"
   PID: 2816
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Checks whether UAC is enabled
   - Writes to the Master Boot Record (MBR)
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c Wmic Path Win32_VideoController Get Description
      PID: 3448
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\Wbem\WMIC.exe
         Command line: Wmic Path Win32_VideoController Get Description
         PID: 1664
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 242B
MD5: 299dc6bb2b20dd9dce8eab8be9df1d20
SHA1: e4b1eb77b099161808da8271693f24e3adf88da1
SHA256: d04687236b43bf250e09c8244647a35b6fa9529cc895df1304b37287602dadc7
SHA512: 3a04451e87faa5353dbb6080966620475372ed91b977ac1eee9c25cfed385aec8c38103e20a95c956fec44e485c156306f0e06b16290e930df4493f8e6e53c80

Filesize: 272B
MD5: e3b77fd399abc8ff658d6f09138d7d72
SHA1: 53e89cd91a7617c067624da8989da3503437b9aa
SHA256: a00664db6b2da508f499097282cbb311abeafd39327ee2efc40a6549146a7797
SHA512: ca3b2e4f65210b34f87cb93dc46ce2693e97b55fe84c14e381e081f675667280a80736c454fc8ee697a25245039466234b9cb9b67d39aa242e4741164c7e4a41

Filesize: 283B
MD5: caacca8375366e74dac8e0bfa9d6629a
SHA1: cd31270c2c128fa03a4a6c6782a26847db0c4271
SHA256: 3087428a08fab41e58f3644a79dc05d742dc2d9ca1980bf15c368c39c9d7a0dd
SHA512: 1e09b4076aec8a8f3f3c54cbd098e5673a7f8c73d8631623645d9dc18e83f86dd5b4504209c761aa4e5cf44c8508187202c185a9327cfc76d9b93886e5a2e827