Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

b76d12f6d6...0c.exe

windows7-x64

10

b76d12f6d6...0c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/09/2024, 01:47 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe

  • Size

    1.9MB

  • MD5

    bf0be7951a7f27a4396800841e696208

  • SHA1

    995f57699b300b9032443fcdfe5501e515f90ffc

  • SHA256

    b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c

  • SHA512

    5780f9eb37fe1f4bd9f7ee932b5e313a73784eda997418428fa96131c2cc4db25b974511a41ccdcfcbe9ec34c6bd0d1f588cfa9b4110de6364656856517ed253

  • SSDEEP

    49152:ISlNHydXboE+2pKWTvP6p9kB/GS0fsXCFh:ISjydNCYn0+M

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 10 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 4 IoCs
  • Identifies Wine through registry keys 2 TTPs 5 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe
    "C:\Users\Admin\AppData\Local\Temp\b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1428
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1776
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4280
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2988
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:232

Network

  • flag-us
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    83.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83deploystaticakamaitechnologiescom
  • flag-us
    DNS
    76.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    76.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    217.106.137.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.106.137.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    30.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    30.243.111.52.in-addr.arpa
    IN PTR
    Response
  • 52.111.227.13:443
    322 B
     7
  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    83.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    76.32.126.40.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    76.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    217.106.137.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    217.106.137.52.in-addr.arpa

  • 8.8.8.8:53
    28.118.140.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    28.118.140.52.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
     156 B
     1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    30.243.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    30.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Resources\Themes\explorer.exe
    Filesize

    1.9MB

    MD5

    d739d0c5a6f2887ac536d0248af885f8

    SHA1

    c93b055e729ff4d574af1f5d443680c0a9a36a16

    SHA256

    b1c7410efeded069f661ba4895c4a2cbba58edfeac996844a53dfaa0441f63e5

    SHA512

    585281bf24bd5f7ebeed1c840c57e5ed22d15bb5cad88be6c1f35255aebabf3e38a53be46f02ad99879c011ec7c21c0280560cb16281281680618be728ce043b

    Download Submit

  • C:\Windows\Resources\spoolsv.exe
    Filesize

    1.9MB

    MD5

    d285a4b800e2fc06c7ce3315408620fa

    SHA1

    5c7339babd1f95aa8b93ad89f5e2c8d17933be09

    SHA256

    2880952f9191a6b8deee0f449f0e9989db29e053669487904bbc1aed2b643086

    SHA512

    655dd2d42067a33a11e8b088bd113b2058835d903b67d486568a7636364c749340f9b4637ed9e6a7e442e3a39fe65476b9099a4b777e1df036383a274cb9ceb1

    Download Submit

  • C:\Windows\Resources\svchost.exe
    Filesize

    1.9MB

    MD5

    1d485dbe04a10b9cb681fcae1f0e874b

    SHA1

    8be9ebbb1d7922601a5e90671cdbb584a84bae42

    SHA256

    4e3afbd9d80ddff805be69dab2ba9b084a0543c5c6bf8e6320893085cb2d0547

    SHA512

    34316c0d6bf3162b43ec33215c69106de53f3dd82689f045ccd23f5c68a1e2182c57938e54df6e41fef29ad8c872efb3604e86e9f3cf07a4cc6dbee3b1a505cd

    Download Submit

  • memory/232-36-0x0000000000400000-0x0000000000873000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/232-31-0x0000000000400000-0x0000000000873000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/1428-0-0x0000000000400000-0x0000000000873000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/1428-39-0x0000000000400000-0x0000000000873000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/1776-51-0x0000000000400000-0x0000000000873000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/1776-55-0x0000000000400000-0x0000000000873000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/1776-69-0x0000000000400000-0x0000000000873000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/1776-41-0x0000000000400000-0x0000000000873000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/1776-42-0x0000000000400000-0x0000000000873000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/1776-67-0x0000000000400000-0x0000000000873000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/1776-65-0x0000000000400000-0x0000000000873000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/1776-45-0x0000000000400000-0x0000000000873000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/1776-63-0x0000000000400000-0x0000000000873000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/1776-47-0x0000000000400000-0x0000000000873000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/1776-61-0x0000000000400000-0x0000000000873000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/1776-49-0x0000000000400000-0x0000000000873000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/1776-59-0x0000000000400000-0x0000000000873000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/1776-9-0x0000000000400000-0x0000000000873000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/1776-57-0x0000000000400000-0x0000000000873000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/1776-53-0x0000000000400000-0x0000000000873000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/2988-62-0x0000000000400000-0x0000000000873000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/2988-46-0x0000000000400000-0x0000000000873000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/2988-56-0x0000000000400000-0x0000000000873000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/2988-52-0x0000000000400000-0x0000000000873000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/2988-58-0x0000000000400000-0x0000000000873000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/2988-50-0x0000000000400000-0x0000000000873000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/2988-60-0x0000000000400000-0x0000000000873000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/2988-48-0x0000000000400000-0x0000000000873000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/2988-70-0x0000000000400000-0x0000000000873000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/2988-64-0x0000000000400000-0x0000000000873000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/2988-54-0x0000000000400000-0x0000000000873000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/2988-44-0x0000000000400000-0x0000000000873000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/2988-66-0x0000000000400000-0x0000000000873000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/2988-43-0x0000000000400000-0x0000000000873000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/2988-68-0x0000000000400000-0x0000000000873000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/2988-26-0x0000000000400000-0x0000000000873000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/4280-40-0x0000000000400000-0x0000000000873000-memory.dmp

    Filesize

    4.4MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.