Analysis
- max time kernel: 150s
- max time network: 135s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/08/2024, 23:06
Static task: static1
Behavioral task: behavioral1
- Sample: Skeptical enigma remade (1).exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: Skeptical enigma remade (1).exe
- Resource: win10v2004-20240802-en
General
- Target: Skeptical enigma remade (1).exe
- Size: 1.7MB
- MD5: 21d0503591599d833536e4d1bb7cb352
- SHA1: 9664ffc0a92896b89911c35d73cab84605ab3b8b
- SHA256: cc9a7ddcb53c96c1b2acb8a77f0259319cc51f3405e8b00036bddc612ee56db6
- SHA512: 2ea754b0eca571ce0536651b8d7127d35a8079006773af892b5ceb985be67710bc8297d426779cc7b4c26c4e35ae0eb8542e16da97a2b9f3178bbb291bef8848
- SSDEEP: 24576:BI5g2vzFqkz5PTCtzRGhLArFVlebI+Jnmb2+ocKrREOKSS2u2Kr:e/NLOXfond+ocwEfXD
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: Skeptical enigma remade (1).exe)
- Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions (process: Skeptical enigma remade (1).exe)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: Skeptical enigma remade (1).exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: Skeptical enigma remade (1).exe)
- Executes dropped EXE (1 IoC)
  PID 3564, process mp.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  PID 4892, process Skeptical enigma remade (1).exe (2 entries)
- Checks for VirtualBox DLLs, possible anti-VM trick (1 TTP, 1 IoC)
  Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
  File opened (read-only): \??\VBoxMiniRdrDN (process: Skeptical enigma remade (1).exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 4892, process Skeptical enigma remade (1).exe (all 64 entries are from this one process)
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 4892 wrote to memory of 1916 | 4892 | Skeptical enigma remade (1).exe | 91 (2 entries)
  PID 4892 wrote to memory of 2460 | 4892 | Skeptical enigma remade (1).exe | 92 (2 entries)
  PID 4892 wrote to memory of 4984 | 4892 | Skeptical enigma remade (1).exe | 93 (2 entries)
  PID 4892 wrote to memory of 2024 | 4892 | Skeptical enigma remade (1).exe | 94 (2 entries)
  PID 2024 wrote to memory of 3564 | 2024 | cmd.exe | 95 (2 entries)
  PID 4892 wrote to memory of 2084 | 4892 | Skeptical enigma remade (1).exe | 96 (2 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Skeptical enigma remade (1).exe (level 1, PID 4892)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Skeptical enigma remade (1).exe"
  Signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Looks for VirtualBox Guest Additions in registry; Checks BIOS information in registry; Suspicious use of NtSetInformationThreadHideFromDebugger; Checks for VirtualBox DLLs, possible anti-VM trick; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (level 2, PID 1916)
    Command line: C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe (level 2, PID 2460)
    Command line: C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe (level 2, PID 4984)
    Command line: C:\Windows\system32\cmd.exe /c color 2
  - C:\Windows\system32\cmd.exe (level 2, PID 2024)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\mp.exe C:\Users\dr.sys
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Users\mp.exe (level 3, PID 3564)
      Command line: C:\Users\mp.exe C:\Users\dr.sys
      Signatures: Executes dropped EXE
  - C:\Windows\system32\cmd.exe (level 2, PID 2084)
    Command line: C:\Windows\system32\cmd.exe /c color 7
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 1, PID 832)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4128,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=4336 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 530KB
  MD5: 54ed683eba9340abf6783bd8d7b39445
  SHA1: 950e3c11c71354097c8440529b31f8ac2b3c32a8
  SHA256: 2d0a9d5ca563ffa82a974903bb43411b22c863311ec926449f08d16f483e4e70
  SHA512: 9ff8c110823bad1e0a79a810b151e1d5557022080af0c8aaa9ff76996bd040747346f62459c50468cf86f49389c0e5fb7f057e9bd30fa31fed49ae5692d50ae2