Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
102s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
22/03/2025, 06:13
General
-
Target
8032ddd61456915a71fc5f5f409f6190321e3b74630fcec428612f9ba0995262.exe
-
Size
8.8MB
-
MD5
81b063116bb27dc9ce34885c7e52536f
-
SHA1
596f067c80e5bb03298c90529b0890236c936130
-
SHA256
8032ddd61456915a71fc5f5f409f6190321e3b74630fcec428612f9ba0995262
-
SHA512
7bc8d106498dfbe1f1679c94e0ab0fc112bdced14cb690deb2a1c8cb69e414a252e1cf70a902711ec03bab037520ce3bca9da3f57c16e1c9faa2f56f44632b86
-
SSDEEP
196608:jxSZrxSZExSZfU+2at3DS7sJav43YmOZdqUJ9quict4Z6XfspX:jxSZrxSZExSZfU+2aJDSgJnmqukY4ZoO
Malware Config
Signatures
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8032ddd61456915a71fc5f5f409f6190321e3b74630fcec428612f9ba0995262.exe"C:\Users\Admin\AppData\Local\Temp\8032ddd61456915a71fc5f5f409f6190321e3b74630fcec428612f9ba0995262.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8032ddd61456915a71fc5f5f409f6190321e3b74630fcec428612f9ba0995262.exe.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Local\Temp\8032ddd61456915a71fc5f5f409f6190321e3b74630fcec428612f9ba0995262.exe"C:\Users\Admin\AppData\Local\Temp\8032ddd61456915a71fc5f5f409f6190321e3b74630fcec428612f9ba0995262.exe" relaunch3⤵
- Executes dropped EXE
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD55cb90c90e96a3b36461ed44d339d02e5
SHA15508281a22cca7757bc4fbdb0a8e885c9f596a04
SHA25634c15d8e79fef4bddec7e34f3426df3b68f8fc6deac29ea12d110f6c529fe3bb
SHA51263735938c841c28824e3482559df18839930acc5ea8600b1074439b70a2f600a92f41593568e49991f25f079e7f7361b4f1678feadbf004f6e9e4d51d36598d4
-
Filesize
495B
MD54d7137bbb0196bf823e6b40da0a7cb16
SHA153922ada71eb1865da6217b3588752cb15c17d1f
SHA256b3cdc832579353fd229ef028b9a4a6dd1e4b3ef3aea8f5cb76c9e1c3a791ff14
SHA51248c1262c9573e92e87d0cb61efdb19829bb656c4323a0cca7ef5336af4bcfa189d038e685a35791a00f610e00cb12fcb963a3ba0b1b70ecc3fdd37d27bf7b3ac
-
Filesize
8.9MB
MD55bdb99f1e8e213b8b942cadef8beaaa7
SHA185426fa1eb5fa428a3a918456066d37e0eae80ab
SHA256acbcea8b75097bdaf8a2eac427a8c238f67b728cf6726f4eda8baf6065117d0c
SHA5129fb205f1afe8d7fff59211234385f43bac7ffa5f60f4a57f337b71f82c2f5a06a5e7698890f25f16031e5d76d694d1f9f60a5f7c461513b044262760839ac39e
-
Filesize
10.8MB
-
Filesize
80KB
-
Filesize
3.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
1.3MB
-
Filesize
7.1MB
-
Filesize
8KB
-
Filesize
80KB
-
Filesize
8KB