Analysis
- Max time kernel: 95s
- Max time network: 148s
- Platform: windows10_x64
- Resource: win10
- Submitted: 09/07/2020, 12:00
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: send the quotation please.exe
  Resource: win7
- Behavioral task: behavioral2
  Sample: send the quotation please.exe
  Resource: win10
General
- Target: send the quotation please.exe
- Size: 538KB
- MD5: 725b624537a6fa7d5240a803c8c96fda
- SHA1: eb3dffff34cd7541128fcf77b6d6f3484d988133
- SHA256: 5c0b94de79ed0aecb92dabe4a6904eae55797d7296c40f21ada935ccac38e0c4
- SHA512: fbd28adc6003879d14915410fd9d3b3c7d08f272e57b504a77646c252c0c72157764a6dfcbf63385aa362de0ebcbe41882dd80cce28a7d53c852e30275e3f6e7
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid  Process                        procid_target
  PID 792 wrote to memory of 3756    792  send the quotation please.exe  66
  (the same event is recorded 8 times: the parent wrote to the child's memory in eight separate calls)
- Suspicious use of SetThreadContext (1 IoC)
  description                            pid  Process                        procid_target
  PID 792 set thread context of 3756     792  send the quotation please.exe  66
  Together with the WriteProcessMemory calls from the same parent into the same child, this is the sequence consistent with process hollowing: the loader starts RegSvcs.exe, overwrites its memory and redirects its thread, so the payload then executes under a legitimate, Microsoft-signed .NET Framework utility.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  3756  RegSvcs.exe
  Note that the privilege is enabled by the hollowed RegSvcs.exe process, i.e. by the injected payload, not by the original sample.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  3756  RegSvcs.exe
  3756  RegSvcs.exe
- Adds Run entry to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                          Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\BAVLA = "C:\\Users\\Admin\\AppData\\Roaming\\BAVLA\\BAVLA.exe"  RegSvcs.exe
  The persistence value is written by the hollowed RegSvcs.exe and points into the user's roaming profile (a user-writable location), so it survives a reboot without requiring administrative rights.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data (account settings and credentials) on disk, where infostealers will often target it.
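The signature rows above can be correlated automatically: a parent that both writes a child's memory and rewrites its thread context is the hollowing sequence, and a Run-key value written by that hollowed child belongs to the injected payload rather than to the benign host image. The script below is an added example, not tria.ge code or output; the event rows are transcribed from this report, while the list of commonly hollowed .NET Framework host binaries and the rule names are this example's own assumptions.

```python
"""Correlate sandbox API/registry events into hollowing and persistence findings.
Added example (not tria.ge code). Event rows are transcribed from the report
above; DOTNET_HOSTS and the rule logic are assumptions of this example."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Legitimate .NET Framework utilities that .NET loaders commonly hollow.
# Assumption: illustrative list, not exhaustive.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe",
                "msbuild.exe", "aspnet_compiler.exe", "applaunch.exe"}


@dataclass(frozen=True)
class Event:
    kind: str                    # WriteProcessMemory | SetThreadContext | Privilege | RunKey
    pid: int                     # acting process
    process: str                 # image name of the acting process
    target: Optional[int] = None  # target pid for memory/thread events
    data: str = ""               # privilege name or registry "key = value" text


# Rows transcribed from the Signatures section of this report.
EVENTS = [
    *([Event("WriteProcessMemory", 792, "send the quotation please.exe", 3756)] * 8),
    Event("SetThreadContext", 792, "send the quotation please.exe", 3756),
    Event("Privilege", 3756, "RegSvcs.exe", data="SeDebugPrivilege"),
    Event("RunKey", 3756, "RegSvcs.exe",
          data=r"\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000"
               r"\Software\Microsoft\Windows\CurrentVersion\Run\BAVLA = "
               r'"C:\\Users\\Admin\\AppData\\Roaming\\BAVLA\\BAVLA.exe"'),
]
PROCESSES = {792: "send the quotation please.exe", 3756: "RegSvcs.exe"}


def find_hollowing(events, processes):
    """Return (parent_pid, child_pid, child_image) for every parent that both
    wrote the child's memory and reset its thread context: the core of
    CreateProcess(SUSPENDED) -> WriteProcessMemory -> SetThreadContext -> ResumeThread."""
    writes = defaultdict(int)
    ctx = set()
    for e in events:
        if e.kind == "WriteProcessMemory" and e.target is not None:
            writes[(e.pid, e.target)] += 1
        elif e.kind == "SetThreadContext" and e.target is not None:
            ctx.add((e.pid, e.target))
    return [(p, c, processes.get(c, "?")) for p, c in sorted(ctx)
            if writes[(p, c)] and p != c]


def find_persistence(events, hollowed_pids):
    """Parse Run-key writes; attribute those made by a hollowed host to the
    payload and flag targets under the user profile (writable without admin)."""
    hits = []
    for e in events:
        if e.kind != "RunKey":
            continue
        key, _, value = e.data.partition(" = ")
        value = value.strip('"').replace("\\\\", "\\")   # undo report escaping
        hits.append({
            "pid": e.pid,
            "value_name": key.rsplit("\\", 1)[-1],
            "target": value,
            "from_hollowed_host": e.pid in hollowed_pids,
            "user_writable_path": "\\AppData\\" in value or "\\Users\\" in value,
        })
    return hits


def triage(events=EVENTS, processes=PROCESSES):
    """Produce the human-readable verdict lines for the event set."""
    hollow = find_hollowing(events, processes)
    hollowed = {child for _, child, _ in hollow}
    verdict = []
    for parent, child, image in hollow:
        tag = " [.NET host]" if image.lower() in DOTNET_HOSTS else ""
        verdict.append(f"process hollowing: {processes.get(parent, '?')} ({parent}) "
                       f"-> {image} ({child}){tag}")
    for e in events:
        if e.kind == "Privilege" and e.pid in hollowed:
            verdict.append(f"hollowed pid {e.pid} ({e.process}) enabled {e.data}")
    for p in find_persistence(events, hollowed):
        if p["from_hollowed_host"] and p["user_writable_path"]:
            verdict.append(f"persistence: Run\\{p['value_name']} -> {p['target']} "
                           f"set by hollowed pid {p['pid']}")
    return verdict


if __name__ == "__main__":
    for line in triage():
        print(line)
```

The hollowing rule deliberately requires both API families from the same parent to the same child; WriteProcessMemory on its own is common in benign software (debuggers, installers), and SetThreadContext alone is not conclusive either.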
Processes
- C:\Users\Admin\AppData\Local\Temp\send the quotation please.exe (PID 792)
  Command line: "C:\Users\Admin\AppData\Local\Temp\send the quotation please.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (PID 3756, child of 792)
    Command line: "{path}"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Adds Run entry to start application