Analysis
max time kernel: 56s
max time network: 67s
platform: windows7_x64
resource: win7
submitted: 08/07/2020, 12:11
Static task: static1
Behavioral task: behavioral1
Sample: 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe
Resource: win7
General
Target: 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe
Size: 624KB
MD5: 0189f099f1d4340903c64c40fcf3d3a2
SHA1: 57ef299e94c76a87cc083097bf88af2061e1d04b
SHA256: 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a
SHA512: 860689bedcb99e33729b70fb28a67d677db72ef81cc48bfa8c8113f522e74971c998ba25122a26e5004dabd0e4eb8f9ba4694808159652475e7b09e6407093e9
Malware Config
Signatures
Suspicious use of WriteProcessMemory (20 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 112 wrote to memory of 1096 | 112 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 24 |
| PID 112 wrote to memory of 1096 | 112 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 24 |
| PID 112 wrote to memory of 1096 | 112 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 24 |
| PID 112 wrote to memory of 1096 | 112 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 24 |
| PID 112 wrote to memory of 1512 | 112 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 26 |
| PID 112 wrote to memory of 1512 | 112 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 26 |
| PID 112 wrote to memory of 1512 | 112 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 26 |
| PID 112 wrote to memory of 1512 | 112 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 26 |
| PID 112 wrote to memory of 1512 | 112 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 26 |
| PID 112 wrote to memory of 1512 | 112 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 26 |
| PID 112 wrote to memory of 1512 | 112 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 26 |
| PID 112 wrote to memory of 1512 | 112 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 26 |
| PID 112 wrote to memory of 1512 | 112 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 26 |
| PID 112 wrote to memory of 1512 | 112 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 26 |
| PID 112 wrote to memory of 1512 | 112 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 26 |
| PID 112 wrote to memory of 1512 | 112 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 26 |
| PID 1512 wrote to memory of 1876 | 1512 | RegSvcs.exe | 28 |
| PID 1512 wrote to memory of 1876 | 1512 | RegSvcs.exe | 28 |
| PID 1512 wrote to memory of 1876 | 1512 | RegSvcs.exe | 28 |
| PID 1512 wrote to memory of 1876 | 1512 | RegSvcs.exe | 28 |
Suspicious use of SetThreadContext (1 IoC)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 112 set thread context of 1512 | 112 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 26 |
Suspicious use of AdjustPrivilegeToken (32 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeImpersonatePrivilege | 1512 | RegSvcs.exe |
| Token: SeTcbPrivilege | 1512 | RegSvcs.exe |
| Token: SeChangeNotifyPrivilege | 1512 | RegSvcs.exe |
| Token: SeCreateTokenPrivilege | 1512 | RegSvcs.exe |
| Token: SeBackupPrivilege | 1512 | RegSvcs.exe |
| Token: SeRestorePrivilege | 1512 | RegSvcs.exe |
| Token: SeIncreaseQuotaPrivilege | 1512 | RegSvcs.exe |
| Token: SeAssignPrimaryTokenPrivilege | 1512 | RegSvcs.exe |
| Token: SeImpersonatePrivilege | 1512 | RegSvcs.exe |
| Token: SeTcbPrivilege | 1512 | RegSvcs.exe |
| Token: SeChangeNotifyPrivilege | 1512 | RegSvcs.exe |
| Token: SeCreateTokenPrivilege | 1512 | RegSvcs.exe |
| Token: SeBackupPrivilege | 1512 | RegSvcs.exe |
| Token: SeRestorePrivilege | 1512 | RegSvcs.exe |
| Token: SeIncreaseQuotaPrivilege | 1512 | RegSvcs.exe |
| Token: SeAssignPrimaryTokenPrivilege | 1512 | RegSvcs.exe |
| Token: SeImpersonatePrivilege | 1512 | RegSvcs.exe |
| Token: SeTcbPrivilege | 1512 | RegSvcs.exe |
| Token: SeChangeNotifyPrivilege | 1512 | RegSvcs.exe |
| Token: SeCreateTokenPrivilege | 1512 | RegSvcs.exe |
| Token: SeBackupPrivilege | 1512 | RegSvcs.exe |
| Token: SeRestorePrivilege | 1512 | RegSvcs.exe |
| Token: SeIncreaseQuotaPrivilege | 1512 | RegSvcs.exe |
| Token: SeAssignPrimaryTokenPrivilege | 1512 | RegSvcs.exe |
| Token: SeImpersonatePrivilege | 1512 | RegSvcs.exe |
| Token: SeTcbPrivilege | 1512 | RegSvcs.exe |
| Token: SeChangeNotifyPrivilege | 1512 | RegSvcs.exe |
| Token: SeCreateTokenPrivilege | 1512 | RegSvcs.exe |
| Token: SeBackupPrivilege | 1512 | RegSvcs.exe |
| Token: SeRestorePrivilege | 1512 | RegSvcs.exe |
| Token: SeIncreaseQuotaPrivilege | 1512 | RegSvcs.exe |
| Token: SeAssignPrimaryTokenPrivilege | 1512 | RegSvcs.exe |
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

| pid | Process |
|---|---|
| 1096 | schtasks.exe |

Checks for installed software on the system (1 TTP, 10 IoCs)

| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364\DisplayName | RegSvcs.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName | RegSvcs.exe |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall | RegSvcs.exe |
| Key enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall | RegSvcs.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName | RegSvcs.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName | RegSvcs.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName | RegSvcs.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName | RegSvcs.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName | RegSvcs.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName | RegSvcs.exe |
Processes
Image: C:\Users\Admin\AppData\Local\Temp\240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe"
PID: 112
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext

    Image: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VIfLoEDyviu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA025.tmp"
    PID: 1096
    - Creates scheduled task(s)

    Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "{path}"
    PID: 1512
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Checks for installed software on the system

        Image: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\113818.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" "
        PID: 1876