Analysis

  • max time kernel
    118s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/09/2024, 23:25 UTC

General

  • Target

    5d1dabd9b137c665ca2c214f3a04eca0N.exe

  • Size

    1016KB

  • MD5

    5d1dabd9b137c665ca2c214f3a04eca0

  • SHA1

    c84ca92c47f02dfc797853e427178a8b92c089ff

  • SHA256

    b406f9c15d6ed333532c88cd6308a67498b724fd3a978c60c2096c3cb902cc49

  • SHA512

    c14a88b26c799db2b7d8ad529295ffa9f58739b85f43aa8b87a14e41c546e6e11c2ed6c50431078807d9d2e8475e6e56e60b8d677176692048714f3f0e557e40

  • SSDEEP

    12288:affM9DnhlUeFz3cOsEyEAbfTRDZaaDxm1l5Yx46x4fuYrl63/Xs9XKycWVCBHOFi:aM9tuqsECJ+5YyyMC+KGVmOFtyt+aGg

Score
9/10

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d1dabd9b137c665ca2c214f3a04eca0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5d1dabd9b137c665ca2c214f3a04eca0N.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\shortcut.vbs" /c
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2664
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c ping server.aionroy.com
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2724
      • C:\Windows\SysWOW64\PING.EXE
        ping server.aionroy.com
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1084

Network

  • flag-us
    DNS
    server.aionroy.com
    5d1dabd9b137c665ca2c214f3a04eca0N.exe
    Remote address:
    8.8.8.8:53
    Request
    server.aionroy.com
    IN A
    Response
  • 192.168.1.103:8888
    5d1dabd9b137c665ca2c214f3a04eca0N.exe
    152 B
    3
  • 192.168.1.1:443
    5d1dabd9b137c665ca2c214f3a04eca0N.exe
    152 B
    3
  • 192.168.1.103:8888
    5d1dabd9b137c665ca2c214f3a04eca0N.exe
    152 B
    3
  • 192.168.1.1:443
    5d1dabd9b137c665ca2c214f3a04eca0N.exe
    152 B
    3
  • 192.168.1.103:8888
    5d1dabd9b137c665ca2c214f3a04eca0N.exe
    152 B
    3
  • 192.168.1.1:443
    5d1dabd9b137c665ca2c214f3a04eca0N.exe
    152 B
    3
  • 192.168.1.103:8888
    5d1dabd9b137c665ca2c214f3a04eca0N.exe
    152 B
    3
  • 192.168.1.1:443
    5d1dabd9b137c665ca2c214f3a04eca0N.exe
    152 B
    3
  • 192.168.1.103:8888
    5d1dabd9b137c665ca2c214f3a04eca0N.exe
    52 B
    1
  • 8.8.8.8:53
    server.aionroy.com
    dns
    5d1dabd9b137c665ca2c214f3a04eca0N.exe
    64 B
    125 B
    1
    1

    DNS Request

    server.aionroy.com

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\shortcut.vbs

    Filesize

    828B

    MD5

    2d7dcfe6a447c5823e8bc269cd473c9b

    SHA1

    6a670806bce62a826e3d2fd21f4a9ad2cda9e4cc

    SHA256

    4bbca39b4ef0ae60c1027ab4d94e41228a36267a4ec23e579cbc67058602c4a1

    SHA512

    b3781410c43a0400cad1bd92b7ba6449356e0dfe778f12d9d8c715c824d786a159afe90e5b0e24433cd7fbf121acc3f1a993e9141d51d2795f27685adcbd845f

  • memory/2116-0-0x0000000000400000-0x00000000005EA000-memory.dmp

    Filesize

    1.9MB

  • memory/2116-6-0x0000000000400000-0x00000000005EA000-memory.dmp

    Filesize

    1.9MB

  • memory/2664-5-0x00000000001E0000-0x00000000001F0000-memory.dmp

    Filesize

    64KB
