Analysis
- Max time kernel: 63s
- Max time network: 77s
- Platform: windows7_x64
- Resource: win7
- Submitted: 25/07/2020, 16:17
- Static task: static1
- Behavioral task: behavioral1
  Sample: c192d040bcbc2c2e77698410a3f9ad1caf2b9d2a4842b4a16eb09f3446493a9c.bin.exe
  Resource: win7
- Behavioral task: behavioral2
  Sample: c192d040bcbc2c2e77698410a3f9ad1caf2b9d2a4842b4a16eb09f3446493a9c.bin.exe
  Resource: win10v200722
General
- Target: c192d040bcbc2c2e77698410a3f9ad1caf2b9d2a4842b4a16eb09f3446493a9c.bin.exe
- Size: 915KB
- MD5: 76d274c823439cf02f18a0deccfe70c5
- SHA1: 1cd7cd1fc0f7890da57af806e67061d2022abcd4
- SHA256: af53e36a62f237597b47d34349e40c16a3682a492fe7c320c7e834f6247e078a
- SHA512: a094877fd2fe166517446eeb2134268fedfeaacba20cd7b964adf7f34affba675fa598c4f9d2689342e07d2bcd8a0e08d2f11202cfd00abffea679bb9d300c48
Note: the SHA256 embedded in the submitted filename (c192d040...) is not the SHA256 computed for the file (af53e36a...). Pivot on the computed hashes above, not on the filename.
Malware Config
Signatures
- Looks for VMWare Tools registry key (2 TTPs)
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | c192d040bcbc2c2e77698410a3f9ad1caf2b9d2a4842b4a16eb09f3446493a9c.bin.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | c192d040bcbc2c2e77698410a3f9ad1caf2b9d2a4842b4a16eb09f3446493a9c.bin.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | c192d040bcbc2c2e77698410a3f9ad1caf2b9d2a4842b4a16eb09f3446493a9c.bin.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | c192d040bcbc2c2e77698410a3f9ad1caf2b9d2a4842b4a16eb09f3446493a9c.bin.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1124 | c192d040bcbc2c2e77698410a3f9ad1caf2b9d2a4842b4a16eb09f3446493a9c.bin.exe
  Token: SeDebugPrivilege | 1616 | WerFault.exe
- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  1616 | 1124 | WerFault.exe | 23
- Suspicious use of WriteProcessMemory (4 IoCs; four identical rows)
  description | pid | Process | procid_target
  PID 1124 wrote to memory of 1616 | 1124 | c192d040bcbc2c2e77698410a3f9ad1caf2b9d2a4842b4a16eb09f3446493a9c.bin.exe | 26
- Suspicious behavior: EnumeratesProcesses (5 IoCs; five identical rows)
  pid | Process
  1616 | WerFault.exe
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
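The two anti-sandbox signatures above (disk enumeration and BIOS version reads) plus the two "Looks for ..." probes are the same handful of registry locations every VM check starts from. The following is an added example, not code from tria.ge or from the sample: it classifies registry accesses of the kind the report records against those locations and scans the returned values for hypervisor vendor strings, so an analyst can see both what the sample was looking for and whether a given sandbox would have given itself away. The Disk\Enum, SystemBiosVersion and VideoBiosVersion paths are the ones in the report; the VMware Tools and VirtualBox Guest Additions paths are the conventional locations and are assumed, since the report names the keys without their paths. The sample events and their values are constructed, not taken from this sandbox run.

```python
"""Classify registry accesses from a sandbox report as anti-VM fingerprinting.

Added example for this report; not code from tria.ge or from the sample.
Disk\\Enum, SystemBiosVersion and VideoBiosVersion are the paths the report
lists; the VMware Tools and VirtualBox Guest Additions paths are assumed
(conventional locations). Events and values below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Key path tails (matched case-insensitively) and what reading them implies.
ANTI_VM_KEY_PATTERNS = {
    r"\\services\\disk\\enum(\\\d+)?$":
        "enumerates attached disks; vendor/model strings name the hypervisor",
    r"\\hardware\\description\\system\\systembiosversion$":
        "reads the system BIOS version string",
    r"\\hardware\\description\\system\\videobiosversion$":
        "reads the video BIOS version string",
    r"\\software\\vmware, inc\.\\vmware tools$":            # assumed path
        "probes for VMware Tools",
    r"\\software\\oracle\\virtualbox guest additions$":     # assumed path
        "probes for VirtualBox Guest Additions",
}

# Substrings that reveal a hypervisor in those values (lowercase).
VM_VENDOR_MARKERS = ("vmware", "vbox", "virtualbox", "innotek", "qemu",
                     "bochs", "xen", "vrtual", "parallels")


@dataclass
class RegEvent:
    op: str            # "Key opened" / "Key value queried", as in the report
    path: str
    value: str = ""    # data returned by the query, if the sandbox recorded it


def classify_event(ev: RegEvent) -> Optional[str]:
    """Return the fingerprinting technique a key access maps to, or None."""
    path = ev.path.lower()
    for pattern, meaning in ANTI_VM_KEY_PATTERNS.items():
        if re.search(pattern, path):
            return meaning
    return None


def vm_markers_in(value: str) -> List[str]:
    """Hypervisor vendor markers present in a registry value, sorted."""
    v = value.lower()
    return sorted(m for m in VM_VENDOR_MARKERS if m in v)


def triage(events: List[RegEvent]) -> List[Tuple[str, str, str, List[str]]]:
    """(op, path, technique, markers) for every anti-VM registry access."""
    hits = []
    for ev in events:
        meaning = classify_event(ev)
        if meaning is not None:
            hits.append((ev.op, ev.path, meaning, vm_markers_in(ev.value)))
    return hits


# Constructed events: the four accesses from this report plus a benign control.
# The values are made up to show what an un-hardened VirtualBox guest returns.
SAMPLE_EVENTS = [
    RegEvent("Key opened",
             r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum"),
    RegEvent("Key value queried",
             r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0",
             r"IDE\DiskVBOX_HARDDISK_1.0\5&1a2b3c4d&0&0.0.0"),
    RegEvent("Key value queried",
             r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
             "Oracle VM VirtualBox VBE Adapter"),
    RegEvent("Key value queried",
             r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
             "VBOX - 1"),
    RegEvent("Key value queried",
             r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName",
             "Windows 7 Professional"),
]

if __name__ == "__main__":
    for op, path, meaning, markers in triage(SAMPLE_EVENTS):
        flag = "VM markers: " + ", ".join(markers) if markers else "no vendor marker"
        print(f"{op:<18} {path}\n    {meaning}; {flag}")
```

Run against real sandbox output, the interesting rows are the ones with a technique but an empty marker list: those are the keys a hardened sandbox has already scrubbed. A row with markers is the value that would have told the sample it was being watched.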
Processes
- C:\Users\Admin\AppData\Local\Temp\c192d040bcbc2c2e77698410a3f9ad1caf2b9d2a4842b4a16eb09f3446493a9c.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c192d040bcbc2c2e77698410a3f9ad1caf2b9d2a4842b4a16eb09f3446493a9c.bin.exe"
  PID: 1124
  - Maps connected drives based on registry
  - Checks BIOS information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe (child of PID 1124)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 1108
    PID: 1616
    - Suspicious use of AdjustPrivilegeToken
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
Note: WerFault.exe -p 1124 is Windows Error Reporting handling a crash of the sample (the Program crash signature lists 1124 as pid_target); it being launched from SysWOW64 indicates the sample is a 32-bit process on this x64 guest. The SeDebugPrivilege, WriteProcessMemory (1124 into 1616) and process-enumeration entries involving PID 1616 are consistent with that crash handling and should not be read on their own as injection by the sample. The sample crashed after its anti-VM registry checks, so the behavioral run shows no payload activity beyond the fingerprinting.