Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 05/08/2024, 23:06
Static task
- static1

Behavioral task
- behavioral1
  - Sample: Skeptical enigma remade (1).exe
  - Resource: win7-20240708-en

Behavioral task
- behavioral2
  - Sample: Skeptical enigma remade (1).exe
  - Resource: win10v2004-20240802-en
General
- Target: Skeptical enigma remade (1).exe
- Size: 1.7MB
- MD5: 21d0503591599d833536e4d1bb7cb352
- SHA1: 9664ffc0a92896b89911c35d73cab84605ab3b8b
- SHA256: cc9a7ddcb53c96c1b2acb8a77f0259319cc51f3405e8b00036bddc612ee56db6
- SHA512: 2ea754b0eca571ce0536651b8d7127d35a8079006773af892b5ceb985be67710bc8297d426779cc7b4c26c4e35ae0eb8542e16da97a2b9f3178bbb291bef8848
- SSDEEP: 24576:BI5g2vzFqkz5PTCtzRGhLArFVlebI+Jnmb2+ocKrREOKSS2u2Kr:e/NLOXfond+ocwEfXD
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 1 IoCs]
- description: Key opened
  ioc: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
  process: Skeptical enigma remade (1).exe

Looks for VirtualBox Guest Additions in registry [2 TTPs, 1 IoCs]
- description: Key opened
  ioc: \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions
  process: Skeptical enigma remade (1).exe

Checks BIOS information in registry [2 TTPs, 2 IoCs]
BIOS information is often read in order to detect sandboxing environments.
- description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
  process: Skeptical enigma remade (1).exe
- description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  process: Skeptical enigma remade (1).exe

Executes dropped EXE [1 IoCs]
- pid: 2656
  process: mp.exe

Loads dropped DLL [1 IoCs]
- pid: 2680
  process: cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger [2 IoCs]
- pid: 2372
  process: Skeptical enigma remade (1).exe
- pid: 2372
  process: Skeptical enigma remade (1).exe

Checks for VirtualBox DLLs, possible anti-VM trick [1 TTPs, 1 IoCs]
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
- description: File opened (read-only)
  ioc: \??\VBoxMiniRdrDN
  process: Skeptical enigma remade (1).exe

Suspicious behavior: EnumeratesProcesses [64 IoCs]
- pid: 2372
  process: Skeptical enigma remade (1).exe
  (the same pid/process entry is listed 64 times)

Suspicious use of WriteProcessMemory [18 IoCs]
Each row below appears three times in the report.
- description: PID 2372 wrote to memory of 2764
  pid: 2372
  process: Skeptical enigma remade (1).exe
  procid_target: 32
- description: PID 2372 wrote to memory of 2792
  pid: 2372
  process: Skeptical enigma remade (1).exe
  procid_target: 33
- description: PID 2372 wrote to memory of 2796
  pid: 2372
  process: Skeptical enigma remade (1).exe
  procid_target: 34
- description: PID 2372 wrote to memory of 2680
  pid: 2372
  process: Skeptical enigma remade (1).exe
  procid_target: 35
- description: PID 2680 wrote to memory of 2656
  pid: 2680
  process: cmd.exe
  procid_target: 36
- description: PID 2372 wrote to memory of 2868
  pid: 2372
  process: Skeptical enigma remade (1).exe
  procid_target: 37
Processes
- C:\Users\Admin\AppData\Local\Temp\Skeptical enigma remade (1).exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Skeptical enigma remade (1).exe"
  PID: 2372
  signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Looks for VirtualBox Guest Additions in registry
  - Checks BIOS information in registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  children:
  - C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c cls
    PID: 2764
  - C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c cls
    PID: 2792
  - C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c color 2
    PID: 2796
  - C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c C:\Users\mp.exe C:\Users\dr.sys
    PID: 2680
    signatures:
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    children:
    - C:\Users\mp.exe
      command line: C:\Users\mp.exe C:\Users\dr.sys
      PID: 2656
      signatures:
      - Executes dropped EXE
  - C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c color 7
    PID: 2868
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 530KB
  MD5: 54ed683eba9340abf6783bd8d7b39445
  SHA1: 950e3c11c71354097c8440529b31f8ac2b3c32a8
  SHA256: 2d0a9d5ca563ffa82a974903bb43411b22c863311ec926449f08d16f483e4e70
  SHA512: 9ff8c110823bad1e0a79a810b151e1d5557022080af0c8aaa9ff76996bd040747346f62459c50468cf86f49389c0e5fb7f057e9bd30fa31fed49ae5692d50ae2