Analysis
max time kernel: 62s
max time network: 99s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/07/2024, 12:02
Static task: static1
Behavioral task: behavioral1
Sample: VirtualBox-7.0.18-162988-Win.exe
Resource: win7-20240220-en
Behavioral task: behavioral2
Sample: VirtualBox-7.0.18-162988-Win.exe
Resource: win10v2004-20240704-en
The analysis details on this page (platform windows10-2004_x64, resource win10v2004-20240704-en) are those of behavioral2.
General
Target: VirtualBox-7.0.18-162988-Win.exe
Size: 104.6MB
MD5: 6a046a57ca3dd222d8bf1410b8172f81
SHA1: 49888a74780ac09ab6ec99bbcca5950890e5a227
SHA256: 4c83894c00aa9f55f7e0f70807210896ba32e1222d4ff1d0b9487af81f328f36
SHA512: cb19129d62253bde686618cba40449ed05d5435ae11dbbb83ebc9a1b308fc7e9387cb964cb4cf26e91d7e38b9e8b75ebcb5de8039379986bf95cc77456a65a4b
SSDEEP: 3145728:aTdp/Gww7IEwmuQYIuSwHn9B4mzL8M6Wfwf:aFw70RQYIfwM6Q7+wf
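The practical use of the digests above is to confirm that a copy of the installer on your own machine is byte-for-byte the file this report analysed. The following is an added example, not part of the tria.ge report or of VirtualBox: it streams the ~105 MB file once, computes all four digests in that single pass, and compares them in constant time against the report's values. The local file path is an assumption for illustration.

```python
"""Check a local installer against the digests in the report's General section.

Added example, not part of the tria.ge report. The digests are copied from the
report; the file path used in __main__ is an assumed local path.
"""
import hashlib
import hmac
import io
from typing import BinaryIO, Dict, Iterable

# Digests from the General section of the report (hex, lower-case).
REPORT_DIGESTS: Dict[str, str] = {
    "md5": "6a046a57ca3dd222d8bf1410b8172f81",
    "sha1": "49888a74780ac09ab6ec99bbcca5950890e5a227",
    "sha256": "4c83894c00aa9f55f7e0f70807210896ba32e1222d4ff1d0b9487af81f328f36",
    "sha512": "cb19129d62253bde686618cba40449ed05d5435ae11dbbb83ebc9a1b308fc7e9"
              "387cb964cb4cf26e91d7e38b9e8b75ebcb5de8039379986bf95cc77456a65a4b",
}

CHUNK = 1 << 20  # 1 MiB reads: the installer is 104.6MB, so do not slurp it


def digest_stream(stream: BinaryIO,
                  algorithms: Iterable[str] = ("md5", "sha1", "sha256", "sha512")) -> Dict[str, str]:
    """Return {algorithm: hex digest}, all computed in one pass over the stream."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        block = stream.read(CHUNK)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data: bytes, **kwargs) -> Dict[str, str]:
    """Convenience wrapper for in-memory data (used by the tests)."""
    return digest_stream(io.BytesIO(data), **kwargs)


def compare_digests(actual: Dict[str, str], expected: Dict[str, str]) -> Dict[str, bool]:
    """Per-algorithm match flags.

    Only algorithms present in `expected` are checked, so a vendor checksum
    file that lists just SHA256 can be passed as well. The comparison is
    case-insensitive on the hex and constant-time via hmac.compare_digest;
    a missing or differently sized digest simply compares as False.
    """
    result: Dict[str, bool] = {}
    for name, want in expected.items():
        got = actual.get(name, "")
        result[name] = hmac.compare_digest(got.strip().lower().encode(),
                                           want.strip().lower().encode())
    return result


def verify_file(path: str, expected: Dict[str, str] = REPORT_DIGESTS) -> Dict[str, bool]:
    """Hash the file at `path` once and compare against `expected`."""
    with open(path, "rb") as fh:
        return digest_stream(fh) and compare_digests(digest_stream(io.BytesIO(b"")) if False else digest_stream_cached(fh, path), expected)


def digest_stream_cached(fh: BinaryIO, path: str) -> Dict[str, str]:
    """Re-open and hash; kept separate so verify_file stays a one-liner to read."""
    with open(path, "rb") as again:
        return digest_stream(again)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "VirtualBox-7.0.18-162988-Win.exe"  # assumed
    for algo, ok in verify_file(path).items():
        print(f"{algo:7s} {'match' if ok else 'MISMATCH'}")
```

A full match tells you only that you hold the same file the sandbox ran; it says nothing about whether that file is Oracle's genuine build. For that, compare against the checksums the vendor publishes for the release and check the installer's Authenticode signature, neither of which this report contains.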
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process | Drive roots opened (read-only)
msiexec.exe | A: B: E: G: H: I: J: K: L: M: N: O: P: Q: R: S: T: U: V: W: X: Y: Z: (23)
VirtualBox-7.0.18-162988-Win.exe | A: B: E: G: H: I: J: K: L: M: N: O: P: Q: R: S: T: U: V: W: X: Y: Z: (23)
Both processes open every letter from A: to Z: except C:, D: and F:, which is the footprint of a loop over all drive letters rather than access to one particular volume. A setup program typically does this to list candidate install locations or check free space; malware does the same thing to find removable and network drives, so the signature on its own does not separate the two. In this run the Windows Installer service (msiexec.exe, PID 4048) triggered it as well as the sample (PID 1992).
Loads dropped DLL (6 IoCs)
PID 1284 MsiExec.exe, 6 rows; the DLL paths are not listed in the report.
PID 1284 is the MsiExec.exe -Embedding child in the process tree, the Windows Installer custom action server. It loads the custom action DLLs that the installer extracts from its MSI package, which is why they count as "dropped" here.
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
All five rows come from vssvc.exe (PID 2508), the Volume Shadow Copy service, not from the sample. Key (abbreviated below as <key>): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters
- Key queried: <key> (vssvc.exe)
- Key created: <key>\Partmgr (vssvc.exe)
- Set value (data): <key>\Partmgr\PartitionTableCache = [value omitted from the page] (vssvc.exe)
- Set value (data): <key>\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (vssvc.exe)
- Key opened: <key> (vssvc.exe)
The SnapshotDataCache value begins 53 4e 41 50 50 41 52 54, ASCII "SNAPPART": the partition manager's snapshot cache, written when a VSS snapshot is taken. Together with srtasks.exe ExecuteScopeRestorePoint in the process tree, that places these rows in the restore point created during installation, not in sandbox fingerprinting by the sample. The Ven_DADY&Prod_HARDDISK identity is the analysis VM's disk.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
PID 4048 msiexec.exe: SeSecurityPrivilege (1 row).
PID 1992 VirtualBox-7.0.18-162988-Win.exe: 63 rows. SeShutdownPrivilege and SeIncreaseQuotaPrivilege, then two complete passes over these 29 privileges in this order: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege; then the first three of a third pass (SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege), where the listing ends.
The pass runs in privilege LUID order, which is what code that enables every privilege it can look up produces. The rows record the AdjustTokenPrivileges request only; they do not show whether the token actually held each privilege, and a token cannot enable a privilege it does not hold, so the list overstates what the process obtained. For an unknown sample the ones to verify in the live token are SeDebugPrivilege, SeTcbPrivilege and SeLoadDriverPrivilege.
Suspicious use of FindShellTrayWindow (1 IoC)
PID 1992 VirtualBox-7.0.18-162988-Win.exe
Suspicious use of WriteProcessMemory (2 IoCs)
PID 4048 msiexec.exe wrote to memory of PID 1284 (msiexec.exe, procid_target 95), 2 rows.
The target is msiexec.exe's own freshly created -Embedding child, listed under it in the process tree, not an unrelated process; this is the parent/child setup pattern rather than injection.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. Here it is reached through the system restore point that Windows Installer creates before an installation: srtasks.exe ExecuteScopeRestorePoint is listed under msiexec.exe in the process tree and vssvc.exe starts alongside it. The same API is what backup software and, in the other direction, shadow-copy deletion use, so the question to ask of any sample that triggers this signature is which VSS operation it performed; in this run the visible operation is the restore point.
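The signature tables above are useful only once each row is attributed to the process that produced it: the drive probing comes from both the sample and msiexec.exe, the privilege requests almost entirely from the sample, and the SCSI registry rows only from vssvc.exe. The following is an added example, not part of the tria.ge report: a small parser for the flattened row format as it appears on this page (the format is inferred from the rows and is an assumption, not a documented tria.ge export) that groups each row type by process, lists which drive letters a process did not probe, and classifies each originating process as the sample, a Windows component, or something else. The embedded rows are excerpts copied from the tables above.

```python
"""Attribute the report's flattened IoC rows to the process that produced them.

Added example, not part of the tria.ge report. Row excerpts are copied from the
report's signature tables; the row grammar is inferred from them (assumption).
"""
import re
import string
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

SAMPLE = "VirtualBox-7.0.18-162988-Win.exe"
# Windows components that appear in the process tree; anything else is "other".
WINDOWS_PROCESSES = {"msiexec.exe", "vssvc.exe", "srtasks.exe"}

# Excerpt (first six rows) of "Enumerates connected drives".
DRIVE_ROWS = (
    r"File opened (read-only) \??\B: msiexec.exe "
    r"File opened (read-only) \??\K: msiexec.exe "
    r"File opened (read-only) \??\N: msiexec.exe "
    r"File opened (read-only) \??\E: VirtualBox-7.0.18-162988-Win.exe "
    r"File opened (read-only) \??\H: VirtualBox-7.0.18-162988-Win.exe "
    r"File opened (read-only) \??\V: VirtualBox-7.0.18-162988-Win.exe"
)
# Excerpt (first four rows) of "Suspicious use of AdjustPrivilegeToken".
TOKEN_ROWS = (
    "Token: SeShutdownPrivilege 1992 VirtualBox-7.0.18-162988-Win.exe "
    "Token: SeIncreaseQuotaPrivilege 1992 VirtualBox-7.0.18-162988-Win.exe "
    "Token: SeSecurityPrivilege 4048 msiexec.exe "
    "Token: SeCreateTokenPrivilege 1992 VirtualBox-7.0.18-162988-Win.exe"
)
# Excerpt of "Checks SCSI registry key(s)"; the two "Set value" rows are left out.
SCSI_KEY = (r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI"
            r"\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters")
SCSI_ROWS = ("Key queried " + SCSI_KEY + " vssvc.exe "
             "Key created " + SCSI_KEY + r"\Partmgr vssvc.exe "
             "Key opened " + SCSI_KEY + " vssvc.exe")

DRIVE_RE = re.compile(r"File opened \(read-only\) \\\?\?\\([A-Z]): (\S+)")
TOKEN_RE = re.compile(r"Token: (Se\w+) (\d+) (\S+)")
# Registry paths contain spaces, so anchor on the process name (*.exe) that ends
# a row and on the description that starts the next one.
REG_RE = re.compile(r"(Key queried|Key created|Key opened|Set value \(data\)) "
                    r"(.+?) (\S+\.exe)(?= (?:Key |Set value )|$)")


def parse_drives(text: str) -> Dict[str, List[str]]:
    """{process: sorted drive letters whose root it opened}."""
    by_proc: Dict[str, set] = defaultdict(set)
    for letter, proc in DRIVE_RE.findall(text):
        by_proc[proc].add(letter)
    return {proc: sorted(letters) for proc, letters in by_proc.items()}


def unprobed(letters: Iterable[str]) -> List[str]:
    """Drive letters A-Z that a process did not touch (C: is expected here)."""
    seen = set(letters)
    return [c for c in string.ascii_uppercase if c not in seen]


def parse_tokens(text: str) -> Dict[Tuple[int, str], List[str]]:
    """{(pid, process): privileges requested, in the order listed}."""
    by_pid: Dict[Tuple[int, str], List[str]] = defaultdict(list)
    for priv, pid, proc in TOKEN_RE.findall(text):
        by_pid[(int(pid), proc)].append(priv)
    return dict(by_pid)


def parse_registry(text: str) -> List[Tuple[str, str, str]]:
    """[(operation, key path or 'path = value', process)] in row order."""
    return [(op, path, proc) for op, path, proc in REG_RE.findall(text)]


def attribute(processes: Iterable[str]) -> Dict[str, int]:
    """Count rows by origin: the submitted sample, a Windows component, or other."""
    counts = {"sample": 0, "windows": 0, "other": 0}
    for name in processes:
        low = name.lower()  # the report mixes msiexec.exe and MsiExec.exe
        if low == SAMPLE.lower():
            counts["sample"] += 1
        elif low in WINDOWS_PROCESSES:
            counts["windows"] += 1
        else:
            counts["other"] += 1
    return counts


if __name__ == "__main__":
    for proc, letters in parse_drives(DRIVE_ROWS).items():
        print(f"{proc}: {len(letters)} drive roots opened; not probed: {''.join(unprobed(letters))}")
    for (pid, proc), privs in parse_tokens(TOKEN_ROWS).items():
        print(f"{proc} (pid {pid}) requested {len(privs)}: {', '.join(privs)}")
    regs = parse_registry(SCSI_ROWS)
    print("SCSI registry rows by origin:", attribute(p for _, _, p in regs))
```

Run against the complete tables rather than the excerpts, parse_drives yields 23 letters for each of the two processes with C, D and F unprobed by both, and parse_tokens yields 63 rows for PID 1992 against one for PID 4048, which is the split the rewritten signature text above describes.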
Processes
C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe"
  PID: 1992
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V
  PID: 4048
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\MsiExec.exe (child of 4048)
    command line: C:\Windows\System32\MsiExec.exe -Embedding C6CF2DC0D2BC83E036D925C681B340BB C
    PID: 1284
    - Loads dropped DLL
  C:\Windows\system32\srtasks.exe (child of 4048)
    command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID: 384
C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  PID: 2508
  - Checks SCSI registry key(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 324KB
MD5: d045098c42378ebe26f6da17977551ee
SHA1: 80a93acee96419dd9c44d0d15d7518aea21f782a
SHA256: 92b89b56400e8d01a813513ef8af685fb23adcaba49d7775853e650266b2f63a
SHA512: 9e110110c6ec6aa43e64069744901c955ac90253a036b9837d2e0150c5da97cb8f927db4a36e9f289684c3b91724a4d93aa189a3fde9d06d07d62dd4b8c08a35