Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 118s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 30/06/2024, 18:00
Behavioral task behavioral1
Sample: Loader.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: Loader.exe
Resource: win10v2004-20240508-en
General
Target: Loader.exe
Size: 16.8MB
MD5: 0107075cd4f1ba34b951c895eacc1285
SHA1: f50404806a62dc04ab129397e30a9cb1d2dbc8db
SHA256: b6977ad0b0332d1466e0843ebef2decc3e2fcc01f8fc62da2d3f2e716a63dc81
SHA512: 0ededb1af828e7fd85b3fa38f5f17ba21222c6e0da5a1f46f5328acd379aca9153d9dd5c9da904d1a834d2b5baac2e12017aaa023d93f5b3bf312f19e1540915
SSDEEP: 393216:muBhAp43/nfPmZXtCshmXQ3KIpoOwkwbyco/76hikE1cpPFLc5:FspnJh13Zcm76+MPZE
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  description: Key opened | ioc: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Process: Loader.exe
Creates new service(s) 2 TTPs
Drops file in Drivers directory 1 IoCs
  description: File created | ioc: C:\Windows\System32\drivers\winhb.sys | Process: Loader.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Process: Loader.exe
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Process: Loader.exe
Yara rule match: themida
  resource: behavioral1/memory/2352-0-0x0000000140000000-0x00000001425F1000-memory.dmp | yara_rule: themida
  resource: behavioral1/memory/2352-2-0x0000000140000000-0x00000001425F1000-memory.dmp | yara_rule: themida
  resource: behavioral1/memory/2352-5-0x0000000140000000-0x00000001425F1000-memory.dmp | yara_rule: themida
  resource: behavioral1/memory/2352-4-0x0000000140000000-0x00000001425F1000-memory.dmp | yara_rule: themida
  resource: behavioral1/memory/2352-3-0x0000000140000000-0x00000001425F1000-memory.dmp | yara_rule: themida
  resource: behavioral1/memory/2352-11-0x0000000140000000-0x00000001425F1000-memory.dmp | yara_rule: themida
Checks whether UAC is enabled
  description: Key value queried | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Process: Loader.exe
Drops file in System32 directory 6 IoCs
  description: File opened for modification | ioc: C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2444} | Process: Loader.exe
  description: File opened for modification | ioc: C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2879} | Process: Loader.exe
  description: File opened for modification | ioc: C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2859} | Process: Loader.exe
  description: File opened for modification | ioc: C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2869} | Process: Loader.exe
  description: File opened for modification | ioc: C:\Windows\System32\IME\IMETC\{69CD1F2D-DF68-4E23-9108-1B70783F2879} | Process: Loader.exe
  description: File opened for modification | ioc: C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2899} | Process: Loader.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  pid: 2352 | Process: Loader.exe
Drops file in Windows directory 4 IoCs
  description: File opened for modification | ioc: C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-UPDATE} | Process: Loader.exe
  description: File opened for modification | ioc: C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2893} | Process: Loader.exe
  description: File opened for modification | ioc: C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2892} | Process: Loader.exe
  description: File opened for modification | ioc: C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2859} | Process: Loader.exe
Launches sc.exe 4 IoCs
Sc.exe is a Windows utility to control services on the system.
  pid: 2860 | Process: sc.exe
  pid: 2108 | Process: sc.exe
  pid: 2736 | Process: sc.exe
  pid: 2548 | Process: sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 16 IoCs
  pid: 2352 | Process: Loader.exe (16 occurrences)
Suspicious use of WriteProcessMemory 39 IoCs
  description: PID 2352 wrote to memory of 2380 | pid: 2352 | Process: Loader.exe | procid_target: 29 (3 occurrences)
  description: PID 2380 wrote to memory of 2860 | pid: 2380 | Process: cmd.exe | procid_target: 31 (3 occurrences)
  description: PID 2352 wrote to memory of 2116 | pid: 2352 | Process: Loader.exe | procid_target: 32 (3 occurrences)
  description: PID 2116 wrote to memory of 2108 | pid: 2116 | Process: cmd.exe | procid_target: 34 (3 occurrences)
  description: PID 2352 wrote to memory of 1996 | pid: 2352 | Process: Loader.exe | procid_target: 35 (3 occurrences)
  description: PID 2352 wrote to memory of 2696 | pid: 2352 | Process: Loader.exe | procid_target: 36 (3 occurrences)
  description: PID 2352 wrote to memory of 2724 | pid: 2352 | Process: Loader.exe | procid_target: 38 (3 occurrences)
  description: PID 2696 wrote to memory of 2736 | pid: 2696 | Process: cmd.exe | procid_target: 40 (3 occurrences)
  description: PID 2352 wrote to memory of 2560 | pid: 2352 | Process: Loader.exe | procid_target: 41 (3 occurrences)
  description: PID 2560 wrote to memory of 2440 | pid: 2560 | Process: cmd.exe | procid_target: 42 (3 occurrences)
  description: PID 2560 wrote to memory of 2156 | pid: 2560 | Process: cmd.exe | procid_target: 43 (3 occurrences)
  description: PID 2560 wrote to memory of 2872 | pid: 2560 | Process: cmd.exe | procid_target: 44 (3 occurrences)
  description: PID 2724 wrote to memory of 2548 | pid: 2724 | Process: cmd.exe | procid_target: 45 (3 occurrences)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\Loader.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    PID: 2352
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Drops file in Drivers directory
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
        PID: 2380
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\sc.exe
            Command line: sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
            PID: 2860
            - Launches sc.exe
    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C sc start windowsproc
        PID: 2116
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\sc.exe
            Command line: sc start windowsproc
            PID: 2108
            - Launches sc.exe
    [2] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c cls
        PID: 1996
    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
        PID: 2696
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\sc.exe
            Command line: sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
            PID: 2736
            - Launches sc.exe
    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C sc start windowsproc
        PID: 2724
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\sc.exe
            Command line: sc start windowsproc
            PID: 2548
            - Launches sc.exe
    [2] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
        PID: 2560
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\certutil.exe
            Command line: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5
            PID: 2440
        [3] C:\Windows\system32\find.exe
            Command line: find /i /v "md5"
            PID: 2156
        [3] C:\Windows\system32\find.exe
            Command line: find /i /v "certutil"
            PID: 2872