Analysis
  max time kernel: 118s
  max time network: 123s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 28/09/2024, 14:16

Static task
  static1
  1 signatures

Behavioral task
  behavioral1
  Sample: Zukigiunlocker.exe
  Resource: win7-20240903-en
  8 signatures
  150 seconds
General
  Target: Zukigiunlocker.exe
  Size: 9.3MB
  MD5: 483c79ecb7978584e4a025d801aa27e2
  SHA1: 50394f5b488ec1f045f8eedbbe38d1222d5eb6f5
  SHA256: 9d1f327a29485d68c0c288e449c0e3bd2634b78dac886775b84912c220e85c06
  SHA512: f7c8a884f23ec42a25551e874fa7568e7aa0e074b7816d42a585d37ea11a2883a9cf19fb82552a40446daafebad26be56ddc03223de27ad8b1f72a20fcfe1718
  SSDEEP: 196608:iKIOsVbOk+0rasQ64lhPgh9QpxeQlEorvAI5YDTi8J4yn4:oxxOH0rVf4LPgXforYISiE4j
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)  [2 TTPs, 1 IoCs]
  description   ioc                                           Process
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   Zukigiunlocker.exe

Looks for VirtualBox Guest Additions in registry  [2 TTPs, 1 IoCs]
  description   ioc                                                           Process
  Key opened    \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions   Zukigiunlocker.exe

Checks BIOS information in registry  [2 TTPs, 2 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  description        ioc                                                               Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   Zukigiunlocker.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    Zukigiunlocker.exe
Checks whether UAC is enabled
  description        ioc                                                                                 Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   Zukigiunlocker.exe
Suspicious use of NtSetInformationThreadHideFromDebugger  [46 IoCs]
  pid    Process
  1992   Zukigiunlocker.exe   (46 events)

Checks for VirtualBox DLLs, possible anti-VM trick  [1 TTPs, 1 IoCs]
  Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
  description              ioc                 Process
  File opened (read-only)  \??\VBoxMiniRdrDN   Zukigiunlocker.exe

Suspicious behavior: EnumeratesProcesses  [64 IoCs]
  pid    Process
  1992   Zukigiunlocker.exe   (64 events)

Suspicious use of WriteProcessMemory  [36 IoCs]
  description                        pid    Process              procid_target   events
  PID 1992 wrote to memory of 2676   1992   Zukigiunlocker.exe   31              3
  PID 1992 wrote to memory of 2852   1992   Zukigiunlocker.exe   32              3
  PID 1992 wrote to memory of 2888   1992   Zukigiunlocker.exe   33              3
  PID 1992 wrote to memory of 2780   1992   Zukigiunlocker.exe   34              3
  PID 2852 wrote to memory of 2728   2852   cmd.exe              35              3
  PID 2852 wrote to memory of 2716   2852   cmd.exe              36              3
  PID 2852 wrote to memory of 2876   2852   cmd.exe              37              3
  PID 1992 wrote to memory of 2868   1992   Zukigiunlocker.exe   38              3
  PID 1992 wrote to memory of 2704   1992   Zukigiunlocker.exe   39              3
  PID 1992 wrote to memory of 2916   1992   Zukigiunlocker.exe   41              3
  PID 1992 wrote to memory of 2556   1992   Zukigiunlocker.exe   40              3
  PID 1992 wrote to memory of 2964   1992   Zukigiunlocker.exe   42              3
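The IoCs above are the standard VirtualBox fingerprint: the VBOX__ ACPI table name, the Guest Additions key, the System/Video BIOS version strings and the VBoxMiniRdrDN device. The script below is an added example, not tria.ge's detection logic and not code from the sample: it turns exactly those paths into a small classifier and runs it over constructed, Sysmon-style access events. It also generalises the ACPI check to the FADT and RSDT keys VirtualBox populates next to DSDT; that generalisation, the pipe-separated event layout and the two-signature verdict threshold are assumptions for illustration.

```python
r"""Classify registry and file-access telemetry against the VirtualBox and
sandbox-probing artifacts listed in the signatures above.

Added example; not tria.ge's detection code and not code from the analysed
sample. Indicator paths are the ones recorded in this report. Assumptions:
the FADT/RSDT siblings of the DSDT\VBOX__ key, the event layout
(kind|process|pid|target), and the two-signature verdict threshold.
"""
import re
from collections import defaultdict

# (signature name as tria.ge labels it, pattern over the accessed object path).
# Matching is case-insensitive: registry paths and the NT object namespace are.
INDICATORS = [
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)",
     re.compile(r"^\\REGISTRY\\MACHINE\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)),
    ("Looks for VirtualBox Guest Additions in registry",
     re.compile(r"^\\REGISTRY\\MACHINE\\SOFTWARE\\Oracle\\VirtualBox Guest Additions", re.I)),
    ("Checks BIOS information in registry",
     re.compile(r"^\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion)$", re.I)),
    ("Checks whether UAC is enabled",
     re.compile(r"^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA$", re.I)),
    ("Checks for VirtualBox DLLs, possible anti-VM trick",
     re.compile(r"^\\\?\?\\VBoxMiniRdrDN$", re.I)),
]

# Only these count toward the anti-VM verdict; the EnableLUA query is policy
# discovery, not environment fingerprinting.
ANTI_VM_SIGNATURES = {name for name, _ in INDICATORS if name != "Checks whether UAC is enabled"}

# Constructed telemetry (not from the report): the accesses attributed to PID 1992
# above, plus two benign accesses by other processes that must not match.
SAMPLE_EVENTS = r"""
RegOpenKey|Zukigiunlocker.exe|1992|\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
RegOpenKey|Zukigiunlocker.exe|1992|\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions
RegQueryValue|Zukigiunlocker.exe|1992|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
RegQueryValue|Zukigiunlocker.exe|1992|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
RegQueryValue|Zukigiunlocker.exe|1992|\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
FileOpen|Zukigiunlocker.exe|1992|\??\VBoxMiniRdrDN
RegOpenKey|explorer.exe|1304|\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
FileOpen|notepad.exe|2200|\??\C:\Users\Admin\Desktop\notes.txt
""".strip().splitlines()


def parse_event(line):
    """Split one 'kind|process|pid|target' record; maxsplit keeps any '|' in the target."""
    kind, process, pid, target = line.split("|", 3)
    return {"kind": kind, "process": process, "pid": int(pid), "target": target}


def match_indicators(target):
    """Return the signature names whose pattern matches the accessed path."""
    return [name for name, pattern in INDICATORS if pattern.search(target)]


def triage(lines):
    """Map (process, pid) -> sorted signature names, for processes hitting any indicator."""
    hits = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        for name in match_indicators(ev["target"]):
            hits[(ev["process"], ev["pid"])].add(name)
    return {key: sorted(names) for key, names in hits.items()}


def anti_vm_verdict(signatures, threshold=2):
    """A lone BIOS read is common in legitimate software; require several distinct
    VM-specific signatures before calling the process evasive."""
    return len(ANTI_VM_SIGNATURES.intersection(signatures)) >= threshold


if __name__ == "__main__":
    for (process, pid), names in triage(SAMPLE_EVENTS).items():
        flag = "ANTI-VM" if anti_vm_verdict(names) else "note"
        print(f"[{flag}] {process} (PID {pid})")
        for name in names:
            print(f"    - {name}")
```

The threshold is the practitioner's caveat: SystemBiosVersion is read by plenty of installers and licensing code, so one signature is a note, several together are a verdict.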
Processes
C:\Users\Admin\AppData\Local\Temp\Zukigiunlocker.exe  (PID 1992)
  command line: "C:\Users\Admin\AppData\Local\Temp\Zukigiunlocker.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Looks for VirtualBox Guest Additions in registry
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Zukigiunlocker.exe  (PID 2676)
    command line: "C:\Users\Admin\AppData\Local\Temp\Zukigiunlocker.exe"

  C:\Windows\system32\cmd.exe  (PID 2852)
    command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Zukigiunlocker.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\certutil.exe  (PID 2728)
      command line: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Zukigiunlocker.exe" MD5

    C:\Windows\system32\find.exe  (PID 2716)
      command line: find /i /v "md5"

    C:\Windows\system32\find.exe  (PID 2876)
      command line: find /i /v "certutil"

  C:\Windows\system32\cmd.exe  (PID 2888)
    command line: C:\Windows\system32\cmd.exe /c cls

  C:\Windows\system32\cmd.exe  (PID 2780)
    command line: C:\Windows\system32\cmd.exe /c cls

  C:\Windows\system32\cmd.exe  (PID 2868)
    command line: cmd /C "color b && title Error && echo Crash caused by: dllinjection don't tamper with the program."

  C:\Windows\system32\cmd.exe  (PID 2704)
    command line: cmd /C "color b && title Error && echo Crash caused by: Hooking DebugBreak don't tamper with the program."

  C:\Windows\system32\WerFault.exe  (PID 2556)
    command line: C:\Windows\system32\WerFault.exe -u -p 1992 -s 712

  C:\Windows\system32\cmd.exe  (PID 2916)
    command line: C:\Windows\system32\cmd.exe /c cls

  C:\Windows\system32\cmd.exe  (PID 2964)
    command line: cmd /C "color b && title Error && echo Crash caused by: dllinjection don't tamper with the program."
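The cmd.exe child at PID 2852 is a self-integrity check: the sample hashes its own file on disk with certutil and uses two find /v stages to discard certutil's header line (which contains "MD5") and footer line (which contains "CertUtil"), leaving only the digest line, presumably to compare against a value built into the binary (the report does not show that value). The script below is an added example, not the sample's code and not tria.ge output: it emulates the pipeline over constructed certutil output, compares the result with the MD5 from the General section, and adds the telemetry-side check a hunter would write for the parent/child pattern in the process tree above. The two certutil output layouts are assumptions; the Windows 7 one prints the digest as space-separated byte pairs.

```python
"""Emulate the self-integrity check the sample runs through cmd.exe:

    certutil -hashfile "<own path>" MD5 | find /i /v "md5" | find /i /v "certutil"

Added example; not the sample's code and not tria.ge output. The certutil
outputs are constructed; the MD5 is the one recorded in the General section.
"""
import re

REPORTED_MD5 = "483c79ecb7978584e4a025d801aa27e2"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\Zukigiunlocker.exe"
# Command line of PID 2852 as recorded in the process tree above.
REPORTED_CMDLINE = (
    r'C:\Windows\system32\cmd.exe /c certutil -hashfile '
    r'"C:\Users\Admin\AppData\Local\Temp\Zukigiunlocker.exe" MD5 '
    r'| find /i /v "md5" | find /i /v "certutil"'
)

# Constructed certutil output in the Windows 7 layout (space-separated bytes).
CERTUTIL_OUTPUT_WIN7 = (
    f"MD5 hash of file {SAMPLE_PATH}:\n"
    "48 3c 79 ec b7 97 85 84 e4 a0 25 d8 01 aa 27 e2\n"
    "CertUtil: -hashfile command completed successfully.\n"
)
# Constructed output in the single-token layout assumed for newer Windows builds.
CERTUTIL_OUTPUT_NEWER = (
    f"MD5 hash of {SAMPLE_PATH}:\n"
    "483c79ecb7978584e4a025d801aa27e2\n"
    "CertUtil: -hashfile command completed successfully.\n"
)


def find_v(lines, needle):
    """Emulate `find /i /v "needle"`: keep lines that do NOT contain needle, ignoring case."""
    needle = needle.lower()
    return [line for line in lines if needle not in line.lower()]


def hash_from_certutil(output):
    """Apply both find stages, then normalise the surviving line to 32 lowercase hex chars."""
    lines = find_v(find_v(output.splitlines(), "md5"), "certutil")
    lines = [line for line in lines if line.strip()]
    if len(lines) != 1:
        raise ValueError(f"expected exactly one hash line, got {lines!r}")
    digest = re.sub(r"\s+", "", lines[0]).lower()
    if not re.fullmatch(r"[0-9a-f]{32}", digest):
        raise ValueError(f"not an MD5 digest: {digest!r}")
    return digest


def integrity_check(output, expected=REPORTED_MD5):
    """The program's decision: does the on-disk image still hash to the compiled-in value?
    A certutil failure (file missing, unexpected output) is treated as tampering."""
    try:
        return hash_from_certutil(output) == expected
    except ValueError:
        return False


# Hunting side: a cmd.exe child whose command line hashes its parent's own
# executable is the self-integrity pattern recorded in this report.
HASHFILE_RE = re.compile(
    r'certutil(?:\.exe)?\s+-hashfile\s+"?([^"|]+?)"?\s+(MD5|SHA1|SHA256|SHA384|SHA512)\b',
    re.I,
)


def is_self_hash_pipeline(parent_image, cmdline):
    """True when cmdline hashes parent_image (case-insensitive, surrounding quotes ignored)."""
    m = HASHFILE_RE.search(cmdline)
    return bool(m) and m.group(1).strip().lower() == parent_image.lower()


if __name__ == "__main__":
    print("win7 layout   :", hash_from_certutil(CERTUTIL_OUTPUT_WIN7))
    print("newer layout  :", hash_from_certutil(CERTUTIL_OUTPUT_NEWER))
    print("intact        :", integrity_check(CERTUTIL_OUTPUT_WIN7))
    print("patched       :", integrity_check(CERTUTIL_OUTPUT_WIN7.replace("48 3c", "00 00")))
    print("self-hash tree:", is_self_hash_pipeline(SAMPLE_PATH, REPORTED_CMDLINE))
```

Two caveats follow from the emulation. The check covers the file on disk, not the loaded image, so the conditions named in the sample's own error strings (DLL injection, a hooked DebugBreak) are not what it can observe, and whoever patches the file can patch the embedded constant as well. Running the check through cmd.exe also leaves the exact certutil/find process tree recorded above, which is what `is_self_hash_pipeline` keys on.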