Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
123s -
max time network
124s -
platform
windows10_x64 -
resource
win10 -
submitted
07/07/2020, 09:34
Static task
static1
Behavioral task
behavioral1
Sample
ORIGINAL SHIPPING DOCUMENT.exe
Resource
win7v200430
Behavioral task
behavioral2
Sample
ORIGINAL SHIPPING DOCUMENT.exe
Resource
win10
General
-
Target
ORIGINAL SHIPPING DOCUMENT.exe
-
Size
548KB
-
MD5
8303e2f205ff8f2c024cd640e49a19a4
-
SHA1
d40be6bb61f2ccc045ffa01d9f371e7cf4ce65b0
-
SHA256
954171c43ee36bd140f210f717cfd680607c10d761a425e5a7306fc28c983d2a
-
SHA512
96d1fd674f1ea1c99d3cbc339e30a5bd0a8b302781c246166cd52358e8004477343b9fe279fae05e5d5f57afd6eff68b9f45009a9b8a3cf4628497ae276f9ab1
Malware Config
Signatures
-
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 3676 wrote to memory of 3872 3676 ORIGINAL SHIPPING DOCUMENT.exe 67 PID 3676 wrote to memory of 3872 3676 ORIGINAL SHIPPING DOCUMENT.exe 67 PID 3676 wrote to memory of 3872 3676 ORIGINAL SHIPPING DOCUMENT.exe 67 PID 3676 wrote to memory of 3872 3676 ORIGINAL SHIPPING DOCUMENT.exe 67 PID 3676 wrote to memory of 3872 3676 ORIGINAL SHIPPING DOCUMENT.exe 67 PID 3676 wrote to memory of 3872 3676 ORIGINAL SHIPPING DOCUMENT.exe 67 PID 3676 wrote to memory of 3872 3676 ORIGINAL SHIPPING DOCUMENT.exe 67 PID 3676 wrote to memory of 3872 3676 ORIGINAL SHIPPING DOCUMENT.exe 67 -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3676 set thread context of 3872 3676 ORIGINAL SHIPPING DOCUMENT.exe 67 -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3872 ORIGINAL SHIPPING DOCUMENT.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3872 ORIGINAL SHIPPING DOCUMENT.exe 3872 ORIGINAL SHIPPING DOCUMENT.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ORIGINAL SHIPPING DOCUMENT.exe"C:\Users\Admin\AppData\Local\Temp\ORIGINAL SHIPPING DOCUMENT.exe"1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:3676 -
C:\Users\Admin\AppData\Local\Temp\ORIGINAL SHIPPING DOCUMENT.exe"{path}"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3872
-