Analysis
- max time kernel: 74s
- max time network: 75s
- platform: windows7_x64
- resource: win7
- submitted: 09/07/2020, 12:00
Static task: static1
Behavioral task: behavioral1
- Sample: send the quotation please.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: send the quotation please.exe
- Resource: win10
General
- Target: send the quotation please.exe
- Size: 538KB
- MD5: 725b624537a6fa7d5240a803c8c96fda
- SHA1: eb3dffff34cd7541128fcf77b6d6f3484d988133
- SHA256: 5c0b94de79ed0aecb92dabe4a6904eae55797d7296c40f21ada935ccac38e0c4
- SHA512: fbd28adc6003879d14915410fd9d3b3c7d08f272e57b504a77646c252c0c72157764a6dfcbf63385aa362de0ebcbe41882dd80cce28a7d53c852e30275e3f6e7
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (19 IoCs)
  description | pid | Process | procid_target
  PID 1140 wrote to memory of 1416 | 1140 | send the quotation please.exe | 24   (7 identical events)
  PID 1140 wrote to memory of 1452 | 1140 | send the quotation please.exe | 25   (12 identical events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1140 | send the quotation please.exe
  Token: SeDebugPrivilege | 1452 | RegSvcs.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid | Process
  1140 | send the quotation please.exe
  1452 | RegSvcs.exe
  1452 | RegSvcs.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 1140 set thread context of 1452 | 1140 | send the quotation please.exe | 25
- Adds Run entry to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\BAVLA = "C:\\Users\\Admin\\AppData\\Roaming\\BAVLA\\BAVLA.exe" | RegSvcs.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
Processes
- C:\Users\Admin\AppData\Local\Temp\send the quotation please.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\send the quotation please.exe"
  PID: 1140
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetThreadContext
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "{path}"
    PID: 1416
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "{path}"
    PID: 1452
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Adds Run entry to start application