Analysis

  • max time kernel
    120s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/09/2024, 20:05

General

  • Target

    24e16a2c305931b49153dc5d418c2bc0N.exe

  • Size

    2.5MB

  • MD5

    24e16a2c305931b49153dc5d418c2bc0

  • SHA1

    25680ed74739a088902d502789175b9516b968aa

  • SHA256

    a5e81fe157143ee1e807d13bd4cce2c7c7f9b2b9a340ce3fc7bf0ced66acf4a8

  • SHA512

    6aa5094619a804ef3bf22868ce67e37fccb245af0f07e7adf9366489f156282edcad09ea11cb70cc17b479fd0f67464f9a808a7a902c7d8e24613cdb4939d60f

  • SSDEEP

    49152:PxmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyxZ:Pxx9NUFkQx753uWuCyyxZ

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
  • Checks BIOS information in registry 2 TTPs 10 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 4 IoCs
  • Themida packer 17 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTP 5 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTP 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\24e16a2c305931b49153dc5d418c2bc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\24e16a2c305931b49153dc5d418c2bc0N.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4436
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3096
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1856
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in System32 directory
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4808
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1668

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Resources\spoolsv.exe

    Filesize

    2.5MB

    MD5

    7f5966aac8040b928ffcdce3fba3267c

    SHA1

    225ab1b6e895c64193af4c53f16a4d2f3e2789c0

    SHA256

    122545689065def293b0481ef623a621d45dba0eda8b055c10e3c4d368c34181

    SHA512

    ebefba7e5a747d26db4f9afcf5a34b086f0f531d0cac563a1d29f24ec3ed0cad9a6c7516a215acd4df4de2031b6c28e81b0f0c7177c4a2e6b9dfe57bcd2265ad

  • C:\Windows\Resources\svchost.exe

    Filesize

    2.5MB

    MD5

    13be2ac424e775e70c797a34526db023

    SHA1

    705bcf435f305c747951ecc85caaa0987b1bbf30

    SHA256

    a0cf3d87425219a1dbb1de8e6977b0d7d5196658f5d3562d3eade223fed4c5f8

    SHA512

    656999fc06b09479e2fe5e1fe46aa4a06e2727c506c6e5b0b6156e5daef34a6ea43ae409458fd17e40a12bf20fc5d882d5f7d571f5a8eb015b7f4e03aa2a3741

  • \??\c:\windows\resources\themes\explorer.exe

    Filesize

    2.5MB

    MD5

    699e1341a262dd9e97a0290e067cc0f6

    SHA1

    d198157a5d3a357e06f9b906ecb5f813f34a0539

    SHA256

    eabe02e86d86698dd13a0722c3526af413da95949d5700be2c903379feceb4fc

    SHA512

    ce22f7576340376d0adf804fe98cbcb883976ae63ad61f51b7fc5c85ffaee343c4606df3645bcab81d7754fc2c905caa188182735200b10e04d883c48d4f2f01

  • memory/1668-33-0x0000000000400000-0x0000000000A0E000-memory.dmp

    Filesize

    6.1MB

  • memory/1668-38-0x0000000000400000-0x0000000000A0E000-memory.dmp

    Filesize

    6.1MB

  • memory/1856-19-0x0000000000400000-0x0000000000A0E000-memory.dmp

    Filesize

    6.1MB

  • memory/1856-42-0x0000000000400000-0x0000000000A0E000-memory.dmp

    Filesize

    6.1MB

  • memory/3096-55-0x0000000000400000-0x0000000000A0E000-memory.dmp

    Filesize

    6.1MB

  • memory/3096-10-0x0000000000400000-0x0000000000A0E000-memory.dmp

    Filesize

    6.1MB

  • memory/3096-43-0x0000000000400000-0x0000000000A0E000-memory.dmp

    Filesize

    6.1MB

  • memory/3096-57-0x0000000000400000-0x0000000000A0E000-memory.dmp

    Filesize

    6.1MB

  • memory/3096-45-0x0000000000400000-0x0000000000A0E000-memory.dmp

    Filesize

    6.1MB

  • memory/4436-1-0x0000000077AC4000-0x0000000077AC6000-memory.dmp

    Filesize

    8KB

  • memory/4436-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

    Filesize

    6.1MB

  • memory/4436-41-0x0000000000400000-0x0000000000A0E000-memory.dmp

    Filesize

    6.1MB

  • memory/4808-28-0x0000000000400000-0x0000000000A0E000-memory.dmp

    Filesize

    6.1MB

  • memory/4808-56-0x0000000000400000-0x0000000000A0E000-memory.dmp

    Filesize

    6.1MB

  • memory/4808-44-0x0000000000400000-0x0000000000A0E000-memory.dmp

    Filesize

    6.1MB