Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Velocity Spoofer.exe

windows7-x64

10

Velocity Spoofer.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/07/2024, 01:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Velocity Spoofer.exe

  • Size

    19.7MB

  • MD5

    6cb66ac3e7d224dcf60fce2902f50d4b

  • SHA1

    2bf70cf93d9d6ac13916c2affb610f2c6a885764

  • SHA256

    dd2f3d7118883fd2d37095ff4abf738f99a23e801935671a56a85594aa6ceb04

  • SHA512

    1ad4eb84196ff724f715b7338e08c1591fdcb28ddf0786e42cf02fcdcab05cd941e3b0bf43f39705f865ddf77dd9a2c82625441008fb5cd7b890b2bc94f73b39

  • SSDEEP

    393216:l4qMf3RuoaX5L7nFv2TGIlkeBqkRbfxL9tMtbmE/WUnwbZSDUX:lPMvRU1rl+GxeBqkltMtV/WUnwbZ1

Score
10/10
evasionpersistencethemidatrojan

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 6 IoCs
  • Themida packer 4 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Velocity Spoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\Velocity Spoofer.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3804
    • \??\c:\users\admin\appdata\local\temp\velocity spoofer.exe 
      "c:\users\admin\appdata\local\temp\velocity spoofer.exe "
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:2500
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 940
        3⤵
        • Program crash
        PID:5016
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1424
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3596
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1092
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visiblity of hidden/system files in Explorer
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4524
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:5032
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2500 -ip 2500
    1⤵
      PID:4204

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\velocity spoofer.exe 
      Filesize

      19.6MB

      MD5

      0043cb93d8ff5d31698fc8682905ed21

      SHA1

      91579a84f56c6850e9e996508f86cccccbca6744

      SHA256

      e1b9f69a162f2d05059269bc8da64c6f1d1f799e8da5010545b2f490f6a370b4

      SHA512

      d61683d0d72403e6d88b8e678c2b3834790611a587a4b7f043d0ddec9619c03aa9293afd16f71a442133ccb793fa0fe5975066a1f0817d19b835683b472a9471

      Download Submit

    • C:\Windows\Resources\Themes\explorer.exe
      Filesize

      135KB

      MD5

      f944b95621ac9aad407c172f88aff48e

      SHA1

      42ce0a18edfd935db079276cda9003624fff6d56

      SHA256

      035b12ca2e0bb60f565921abaac2f584654bf1c8256dffd64443cc5657b62a9f

      SHA512

      199b4b893293920a3246b5e22e49cb852435540880f368ef16f2681f47b8858e41be8cc011ee2449b5cfa1b6bf0deef774ca228de428251daef5b0a39e46de97

      Download Submit

    • C:\Windows\Resources\Themes\icsys.icn.exe
      Filesize

      135KB

      MD5

      fcea7592f5a6d8c6e5cfd07fab4864dd

      SHA1

      ce01fc7bb1adce3b8d4716a37f2b541b264681e1

      SHA256

      f0346017cd86cc770065be85c7f959f151d2c1e4e80a9b26cd33831d9fa0facb

      SHA512

      2851bf5691436af51f9070761fc2c976ee5d4de683efee7d2020284aec93d83d99a495ef9b66c75f7ce7f9e37289c083be408c50133434a1736994d8147929a7

      Download Submit

    • C:\Windows\Resources\spoolsv.exe
      Filesize

      135KB

      MD5

      ce50d34c5343d1151028611f9cebb761

      SHA1

      02c98c66ccbc9e03b96aef22e805adb6232ba8e4

      SHA256

      f3f362348f41b96cd253c5d7e5595457bce3ac067d29d0e6a96443d4bd911c7c

      SHA512

      f2995dae9a08015927001c1bd7331e4ce7030c714246e58724f16c681a9692ac3bad5349f7cd2e7d877aa9990705797aba642500242e3374ecb8ee63fa87af88

      Download Submit

    • \??\c:\windows\resources\svchost.exe
      Filesize

      135KB

      MD5

      1396c7377e7f59a7f218f9e8cfa3fb7c

      SHA1

      79ce219df08cd18e39e64f3647f9d25181bd7aaf

      SHA256

      45ee03a172aebabe646bcc2fdaa46d22169f93fbb0e40bf73a8d0ff0a65a88ef

      SHA512

      ea051968e1d42622d3fb6834edc14fee433b7b86a4d34342446583fc061b0081709fe8a34bee52a0a9f4c659f7cbdcd14046c80f7a94a6cad0cbe3f72a2cd5ac

      Download Submit

    • memory/1092-64-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1424-30-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1424-65-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2500-13-0x0000000077130000-0x0000000077220000-memory.dmp

      Filesize

      960KB

      Download

    • memory/2500-26-0x0000000077130000-0x0000000077220000-memory.dmp

      Filesize

      960KB

      Download

    • memory/2500-17-0x0000000077130000-0x0000000077220000-memory.dmp

      Filesize

      960KB

      Download

    • memory/2500-18-0x0000000077130000-0x0000000077220000-memory.dmp

      Filesize

      960KB

      Download

    • memory/2500-20-0x0000000000400000-0x0000000001D1E000-memory.dmp

      Filesize

      25.1MB

      Download

    • memory/2500-21-0x0000000000400000-0x0000000001D1E000-memory.dmp

      Filesize

      25.1MB

      Download

    • memory/2500-22-0x00000000063F0000-0x0000000006994000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2500-23-0x0000000006200000-0x0000000006292000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2500-24-0x00000000062C0000-0x00000000062D2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2500-16-0x0000000077130000-0x0000000077220000-memory.dmp

      Filesize

      960KB

      Download

    • memory/2500-12-0x0000000077130000-0x0000000077220000-memory.dmp

      Filesize

      960KB

      Download

    • memory/2500-9-0x0000000000400000-0x0000000001D1E000-memory.dmp

      Filesize

      25.1MB

      Download

    • memory/2500-34-0x0000000000400000-0x0000000001D1E000-memory.dmp

      Filesize

      25.1MB

      Download

    • memory/2500-14-0x0000000077130000-0x0000000077220000-memory.dmp

      Filesize

      960KB

      Download

    • memory/2500-15-0x0000000077130000-0x0000000077220000-memory.dmp

      Filesize

      960KB

      Download

    • memory/2500-10-0x0000000077150000-0x0000000077151000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2500-11-0x0000000077130000-0x0000000077220000-memory.dmp

      Filesize

      960KB

      Download

    • memory/3804-66-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/3804-0-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/5032-63-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download