Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    26/12/2024, 07:36

General

  • Target

    cb6b4bb0b3fc19a3626bd33f40f4399e667db405f4ac56b69b2b271816df371bN.exe

  • Size

    1.8MB

  • MD5

    7d259326e9642c8a13d30573dafe3d90

  • SHA1

    fc5ba1d2215d2785b5223f501ce0254973adad2c

  • SHA256

    cb6b4bb0b3fc19a3626bd33f40f4399e667db405f4ac56b69b2b271816df371b

  • SHA512

    ddb2e84a2f3e88eda5f4c847a7bb836fc7eff26d6d47d5e74bc27180f6f346b78cb5d4aa35040b6be0f24e53651024ea59a9623f83c939762ccc216a567e4fbb

  • SSDEEP

    49152:tEUr5fRFAZmYEuoqNGsDfxOPfHzTOYsohE:t7BspoqppOPv/h

Malware Config

Signatures

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

  • Gcleaner family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Loads dropped DLL 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cb6b4bb0b3fc19a3626bd33f40f4399e667db405f4ac56b69b2b271816df371bN.exe
    "C:\Users\Admin\AppData\Local\Temp\cb6b4bb0b3fc19a3626bd33f40f4399e667db405f4ac56b69b2b271816df371bN.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:2236

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\download[1].htm

    Filesize

    1B

    MD5

    cfcd208495d565ef66e7dff9f98764da

    SHA1

    b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

    SHA256

    5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

    SHA512

    31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

  • \Users\Admin\AppData\Local\Temp\fA9v5uDe37ZYeF3\Y-Cleaner.exe

    Filesize

    1.4MB

    MD5

    a8cf5621811f7fac55cfe8cb3fa6b9f6

    SHA1

    121356839e8138a03141f5f5856936a85bd2a474

    SHA256

    614a0362ab87cee48d0935b5bb957d539be1d94c6fdeb3fe42fac4fbe182c10c

    SHA512

    4479d951435f222ca7306774002f030972c9f1715d6aaf512fca9420dd79cb6d08240f80129f213851773290254be34f0ff63c7b1f4d554a7db5f84b69e84bdd

  • memory/2236-12-0x0000000010000000-0x000000001001C000-memory.dmp

    Filesize

    112KB

  • memory/2236-18-0x0000000000400000-0x0000000000C4D000-memory.dmp

    Filesize

    8.3MB

  • memory/2236-3-0x0000000000400000-0x0000000000C4D000-memory.dmp

    Filesize

    8.3MB

  • memory/2236-6-0x0000000000400000-0x0000000000C4D000-memory.dmp

    Filesize

    8.3MB

  • memory/2236-7-0x0000000000400000-0x0000000000C4D000-memory.dmp

    Filesize

    8.3MB

  • memory/2236-8-0x0000000000400000-0x0000000000C4D000-memory.dmp

    Filesize

    8.3MB

  • memory/2236-0-0x0000000000400000-0x0000000000C4D000-memory.dmp

    Filesize

    8.3MB

  • memory/2236-16-0x0000000000400000-0x0000000000C4D000-memory.dmp

    Filesize

    8.3MB

  • memory/2236-17-0x0000000000401000-0x0000000000426000-memory.dmp

    Filesize

    148KB

  • memory/2236-4-0x0000000000400000-0x0000000000C4D000-memory.dmp

    Filesize

    8.3MB

  • memory/2236-20-0x0000000000400000-0x0000000000C4D000-memory.dmp

    Filesize

    8.3MB

  • memory/2236-21-0x0000000000400000-0x0000000000C4D000-memory.dmp

    Filesize

    8.3MB

  • memory/2236-2-0x0000000000401000-0x0000000000426000-memory.dmp

    Filesize

    148KB

  • memory/2236-26-0x0000000000400000-0x0000000000C4D000-memory.dmp

    Filesize

    8.3MB

  • memory/2236-32-0x0000000000400000-0x0000000000C4D000-memory.dmp

    Filesize

    8.3MB

  • memory/2236-1-0x0000000077050000-0x0000000077052000-memory.dmp

    Filesize

    8KB

  • memory/2236-42-0x0000000000400000-0x0000000000C4D000-memory.dmp

    Filesize

    8.3MB