Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
97s -
max time network
63s -
platform
windows7_x64 -
resource
win7 -
submitted
09/07/2020, 18:44
Static task
static1
Behavioral task
behavioral1
Sample
SHIPMENT.exe
Resource
win7
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
SHIPMENT.exe
Resource
win10
0 signatures
0 seconds
General
-
Target
SHIPMENT.exe
-
Size
397KB
-
MD5
df32f99868ae7a3d6ae8322795f309f1
-
SHA1
6fab769a3c4ffb45f5c1cb2112f398af7f9b8efe
-
SHA256
36dc75aba4921481245ab67c3ad19489576b7e7ee3e7c348c62c53c088f7be3f
-
SHA512
1a6664bc1250fa0cda07b6db94de2c665caa574b8bb73c0dfd6299ff7fbdaa0a0138d80c77d33138655972e9bcdf2928984b5fb9a250f84a52553681b631a292
Score
8/10
Malware Config
Signatures
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 1108 SHIPMENT.exe 1108 SHIPMENT.exe 1108 SHIPMENT.exe 240 RegAsm.exe 240 RegAsm.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1108 SHIPMENT.exe Token: SeDebugPrivilege 240 RegAsm.exe -
Loads dropped DLL 2 IoCs
pid Process 1108 SHIPMENT.exe 240 RegAsm.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1108 wrote to memory of 240 1108 SHIPMENT.exe 24 PID 1108 wrote to memory of 240 1108 SHIPMENT.exe 24 PID 1108 wrote to memory of 240 1108 SHIPMENT.exe 24 PID 1108 wrote to memory of 240 1108 SHIPMENT.exe 24 PID 1108 wrote to memory of 240 1108 SHIPMENT.exe 24 PID 1108 wrote to memory of 240 1108 SHIPMENT.exe 24 PID 1108 wrote to memory of 240 1108 SHIPMENT.exe 24 PID 1108 wrote to memory of 240 1108 SHIPMENT.exe 24 PID 1108 wrote to memory of 240 1108 SHIPMENT.exe 24 PID 1108 wrote to memory of 240 1108 SHIPMENT.exe 24 PID 1108 wrote to memory of 240 1108 SHIPMENT.exe 24 PID 1108 wrote to memory of 240 1108 SHIPMENT.exe 24 -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1108 set thread context of 240 1108 SHIPMENT.exe 24 -
Executes dropped EXE 1 IoCs
pid Process 240 RegAsm.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 240 RegAsm.exe -
Adds Run entry to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\\\.exe" RegAsm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SHIPMENT.exe"C:\Users\Admin\AppData\Local\Temp\SHIPMENT.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:1108 -
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Loads dropped DLL
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Adds Run entry to start application
PID:240
-