Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
07/09/2024, 23:25
General
-
Target
5d1dabd9b137c665ca2c214f3a04eca0N.exe
-
Size
1016KB
-
MD5
5d1dabd9b137c665ca2c214f3a04eca0
-
SHA1
c84ca92c47f02dfc797853e427178a8b92c089ff
-
SHA256
b406f9c15d6ed333532c88cd6308a67498b724fd3a978c60c2096c3cb902cc49
-
SHA512
c14a88b26c799db2b7d8ad529295ffa9f58739b85f43aa8b87a14e41c546e6e11c2ed6c50431078807d9d2e8475e6e56e60b8d677176692048714f3f0e557e40
-
SSDEEP
12288:affM9DnhlUeFz3cOsEyEAbfTRDZaaDxm1l5Yx46x4fuYrl63/Xs9XKycWVCBHOFi:aM9tuqsECJ+5YyyMC+KGVmOFtyt+aGg
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Modifies registry class 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5d1dabd9b137c665ca2c214f3a04eca0N.exe"C:\Users\Admin\AppData\Local\Temp\5d1dabd9b137c665ca2c214f3a04eca0N.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\shortcut.vbs" /c2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c ping server.aionroy.com2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping server.aionroy.com3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
828B
MD52d7dcfe6a447c5823e8bc269cd473c9b
SHA16a670806bce62a826e3d2fd21f4a9ad2cda9e4cc
SHA2564bbca39b4ef0ae60c1027ab4d94e41228a36267a4ec23e579cbc67058602c4a1
SHA512b3781410c43a0400cad1bd92b7ba6449356e0dfe778f12d9d8c715c824d786a159afe90e5b0e24433cd7fbf121acc3f1a993e9141d51d2795f27685adcbd845f
-
Filesize
1.9MB
-
Filesize
1.9MB