Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
8Static
static
31003gdDR3/EAC.exe
windows7-x64
71003gdDR3/EAC.exe
windows10-2004-x64
71003gdDR3/EBC.sys
windows7-x64
11003gdDR3/EBC.sys
windows10-2004-x64
11003gdDR3/...AC.bat
windows7-x64
81003gdDR3/...AC.bat
windows10-2004-x64
81003gdDR3/...in.bat
windows7-x64
81003gdDR3/...in.bat
windows10-2004-x64
81003gdDR3/execute.sys
windows10-2004-x64
11003imxyvi...AC.exe
windows7-x64
71003imxyvi...AC.exe
windows10-2004-x64
71003imxyvi...AC.bat
windows7-x64
81003imxyvi...AC.bat
windows10-2004-x64
81003imxyvi...in.bat
windows7-x64
81003imxyvi...in.bat
windows10-2004-x64
81003imxyvi...ac.sys
windows10-2004-x64
1Analysis
-
max time kernel
13s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
03/10/2024, 20:10
Static task
static1
Behavioral task
behavioral1
Sample
1003gdDR3/EAC.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
1003gdDR3/EAC.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
1003gdDR3/EBC.sys
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
1003gdDR3/EBC.sys
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
1003gdDR3/InstallEAC.bat
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
1003gdDR3/InstallEAC.bat
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
1003gdDR3/InstallEAC_Admin.bat
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
1003gdDR3/InstallEAC_Admin.bat
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
1003gdDR3/execute.sys
Resource
win10v2004-20240802-en
Behavioral task
behavioral10
Sample
1003imxyviMapper/EAC.exe
Resource
win7-20240903-en
Behavioral task
behavioral11
Sample
1003imxyviMapper/EAC.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral12
Sample
1003imxyviMapper/InstallEAC.bat
Resource
win7-20240903-en
Behavioral task
behavioral13
Sample
1003imxyviMapper/InstallEAC.bat
Resource
win10v2004-20240802-en
Behavioral task
behavioral14
Sample
1003imxyviMapper/InstallEAC_Admin.bat
Resource
win7-20240903-en
Behavioral task
behavioral15
Sample
1003imxyviMapper/InstallEAC_Admin.bat
Resource
win10v2004-20240802-en
Behavioral task
behavioral16
Sample
1003imxyviMapper/drvrecode_eac.sys
Resource
win10v2004-20240802-en
General
-
Target
1003imxyviMapper/InstallEAC.bat
-
Size
43B
-
MD5
35ddf9efd9112d982292c7d622f60c68
-
SHA1
c6c7a96f136894131c9c6a3190eb835faf55418e
-
SHA256
42a0560ea661a122ec99eb7ec201f9f47e679c24b1afa54a7dac4b0be95105ff
-
SHA512
cae665bfd3bd698d03f32d24e8a44c49292ef3dc92c00dd6f4a30d47f63521675b68c96facab797c890246388987dd66ae52c0d394458bb89c41990d7c0e240d
Malware Config
Signatures
-
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\frAQBc8Wsa1xVPfv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\frAQBc8Wsa1xVPfv" EAC.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion EAC.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion EAC.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 2204 EAC.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeLoadDriverPrivilege 2204 EAC.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 792 wrote to memory of 2204 792 cmd.exe 31 PID 792 wrote to memory of 2204 792 cmd.exe 31 PID 792 wrote to memory of 2204 792 cmd.exe 31
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1003imxyviMapper\InstallEAC.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:792 -
C:\Users\Admin\AppData\Local\Temp\1003imxyviMapper\EAC.exeEAC.exe drvrecode_eac.sys2⤵
- Sets service image path in registry
- Checks BIOS information in registry
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2204
-