Analysis
max time kernel: 142s
max time network: 123s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
submitted: 09/10/2024, 19:18
Static task: static1
Behavioral task: behavioral1
  Sample: UniversalRecoilV2.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: UniversalRecoilV2.exe
  Resource: win10v2004-20241007-en
General
Target: UniversalRecoilV2.exe
Size: 6.7MB
MD5: d8e739ca8627a709dbd025c95eec3c09
SHA1: cb0d1baefa7b97e355e16b1bbfa418334c579e80
SHA256: 6d97acf787fc0571e81d0c82c301f91005523246319a2b17eb9db765e754ad89
SHA512: 85bbb0e0c2059d9a141edf49102d43aef55ffab458f52f7bb755bd434499629a936fa39c3ec8d60e289232ab4abe2cdf1ffd55b59d914e18d62a2114a5006ebf
SSDEEP: 196608:6aLfVOixPlm+6Q9JqjodWfeNSkfoIKtAINPsbET9iorQ:NLXlm+6vjLGybNEbET9Z
Malware Config
Extracted
Family: stealc
Botnet: game
C2: http://193.233.112.44
Attributes
  url_path: /383ccd496f3c5eee.php
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | VC_redistx64.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | VC_redistx64.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | VC_redistx64.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\Geo\Nation | VC_redistx64.exe
Executes dropped EXE 3 IoCs
  pid | Process
  2860 | gWsmPty.exe
  1364 | VC_redistx64.exe
  2608 | UniversalRecoilV2.exe
Loads dropped DLL 3 IoCs
  pid | Process
  3068 | WerFault.exe
  3068 | WerFault.exe
  3068 | WerFault.exe
Themida packer 5 IoCs
  resource | yara_rule
  behavioral1/files/0x0036000000019240-20.dat | themida
  behavioral1/memory/1364-21-0x0000000000400000-0x0000000000B78000-memory.dmp | themida
  behavioral1/memory/1364-24-0x0000000000400000-0x0000000000B78000-memory.dmp | themida
  behavioral1/memory/1364-23-0x0000000000400000-0x0000000000B78000-memory.dmp | themida
  behavioral1/memory/1364-31-0x0000000000400000-0x0000000000B78000-memory.dmp | themida
Adds Run key to start application 2 TTPs 1 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\My Program = "C:\\ProgramData\\MyHiddenFolder\\VC_redistx64.exe" | VC_redistx64.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks whether UAC is enabled 1 IoCs
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | VC_redistx64.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  pid | Process
  1364 | VC_redistx64.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
  pid | pid_target | Process | procid_target
  3068 | 2860 | WerFault.exe | 30
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VC_redistx64.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | UniversalRecoilV2.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gWsmPty.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | gWsmPty.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | gWsmPty.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
  pid | Process
  1364 | VC_redistx64.exe
  2860 | gWsmPty.exe
Suspicious use of SetWindowsHookEx 1 IoCs
  pid | Process
  2608 | UniversalRecoilV2.exe
Suspicious use of WriteProcessMemory 16 IoCs
  description | pid | Process | procid_target
  PID 2188 wrote to memory of 2860 | 2188 | UniversalRecoilV2.exe | 30
  PID 2188 wrote to memory of 2860 | 2188 | UniversalRecoilV2.exe | 30
  PID 2188 wrote to memory of 2860 | 2188 | UniversalRecoilV2.exe | 30
  PID 2188 wrote to memory of 2860 | 2188 | UniversalRecoilV2.exe | 30
  PID 2188 wrote to memory of 1364 | 2188 | UniversalRecoilV2.exe | 31
  PID 2188 wrote to memory of 1364 | 2188 | UniversalRecoilV2.exe | 31
  PID 2188 wrote to memory of 1364 | 2188 | UniversalRecoilV2.exe | 31
  PID 2188 wrote to memory of 1364 | 2188 | UniversalRecoilV2.exe | 31
  PID 2188 wrote to memory of 2608 | 2188 | UniversalRecoilV2.exe | 32
  PID 2188 wrote to memory of 2608 | 2188 | UniversalRecoilV2.exe | 32
  PID 2188 wrote to memory of 2608 | 2188 | UniversalRecoilV2.exe | 32
  PID 2188 wrote to memory of 2608 | 2188 | UniversalRecoilV2.exe | 32
  PID 2860 wrote to memory of 3068 | 2860 | gWsmPty.exe | 34
  PID 2860 wrote to memory of 3068 | 2860 | gWsmPty.exe | 34
  PID 2860 wrote to memory of 3068 | 2860 | gWsmPty.exe | 34
  PID 2860 wrote to memory of 3068 | 2860 | gWsmPty.exe | 34
Processes
C:\Users\Admin\AppData\Local\Temp\UniversalRecoilV2.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\UniversalRecoilV2.exe"
  PID: 2188
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\gWsmPty.exe
    command line: "C:\Users\Admin\AppData\Roaming\gWsmPty.exe"
    PID: 2860
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 884
      PID: 3068
      - Loads dropped DLL
      - Program crash
  C:\Users\Admin\AppData\Roaming\VC_redistx64.exe
    command line: "C:\Users\Admin\AppData\Roaming\VC_redistx64.exe"
    PID: 1364
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  C:\Users\Admin\AppData\Roaming\UniversalRecoilV2.exe
    command line: "C:\Users\Admin\AppData\Roaming\UniversalRecoilV2.exe"
    PID: 2608
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.2MB
MD5: acf8907ce64638007fb5514265812c67
SHA1: daa5404df21afc0cbfc126b9544fa68f3833e3f8
SHA256: 9fe5fb74600e204a4739a0ed262f16ab6c7eb9f970f61d6315a8e5010f9bc3d4
SHA512: aa7478af047621b9f6d828356a20905f46a520cf364bc639ff0c21b5e9ae8eb29d5edcb2dd00c4dc327ca5348868d754c7068aff132d27d21e606e3ff821f9b6

Filesize: 2.9MB
MD5: 507acc8f3249adef7468989fee931211
SHA1: 4d66286973a21e76b0e2c746bac00fa28d446ca9
SHA256: 6abb77dce6d4af42005e673cb089b6d41e0ef0b88a6411f4d5dfd8e8b4858154
SHA512: 2faee963523b401bf1e588c86bfeef899067456f22848d299525acde5d2ce28a66f769d741deea2e6b218b4e1b0c0f7f4cc08cfc1c2fd8eac5375b3c183b7ee3

Filesize: 322KB
MD5: c57f035e099bfe7f8d56917a22266dc9
SHA1: 88a4ab3cef2b3d293b6d94b8d5b38298d1ec6d87
SHA256: d075bbba29912ff7a321ee5dcb32159b9de8e27e716a1aad9ed52bb9d9ccc4a3
SHA512: 836f345be084eeaef97144faa845a697f3c40a5f643088ee355d71cbedac23506c4d53267220bfa467872e850faebbc5a3919fbeb5628534619d39fbcbf1e1e4