Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    10/07/2020, 09:17

General

  • Target

    quotation List #039.pdf.exe

  • Size

    325KB

  • MD5

    2b1b6a99d9427ced3bcaaf141dd36b34

  • SHA1

    43e55e4c97dd72e3186e1849242f3cd62d991bd6

  • SHA256

    36f76be816898a8ac90603edeed2ff90983d062f047f6e00c66d54964c582cc8

  • SHA512

    1b73afad027bf565e0e4007ee5c6d0cd5b2420182c4de7179dcef7f7f91789aabab8a2b4efd17a5cd50432c3598ced5058130104daa57d9f0f8b71c4fd41b1fa

Malware Config

Signatures

  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Adds Run entry to start application 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers commonly harvest data stored by web browsers, such as saved credentials, cookies and autofill form data.

  • Formbook

    Formbook is an information stealer that harvests credentials and form data from web browsers and other applications, and can also log keystrokes, capture clipboard contents and take screenshots.

  • Deletes itself 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of SendNotifyMessage
    • Checks whether UAC is enabled
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1228
    • C:\Users\Admin\AppData\Local\Temp\quotation List #039.pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\quotation List #039.pdf.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      PID:1492
    • C:\Windows\SysWOW64\wininit.exe
      "C:\Windows\SysWOW64\wininit.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Adds Run entry to start application
      • Suspicious use of AdjustPrivilegeToken
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:1600
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\quotation List #039.pdf.exe"
        3⤵
        • Deletes itself
        PID:1620
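The tree above shows the dropper (PID 1492) and a 32-bit wininit.exe from SysWOW64 (PID 1600) both created by Explorer.EXE, which the report flags for WriteProcessMemory; the wininit.exe process then removes the dropper with cmd.exe /c del. Three things are out of place: a core system binary running from SysWOW64 instead of System32, that binary having explorer.exe rather than smss.exe as its parent, and a cmd.exe deleting a file that was itself executed earlier in the tree, plus the double extension of the lure. The Python below is an added example, not tria.ge's code, that encodes those checks over a hand-constructed list of process-creation events copied from this tree (field names mimic Sysmon Event ID 1, but no real log is parsed; the ProcEvent class, the rule names and the expected-parent table are assumptions made for the example).

```python
"""Flag Formbook-style process-tree anomalies in sandbox or Sysmon-like events.

Added example; not part of the tria.ge report. Events are constructed by hand
from the report's process tree (PIDs, paths and command lines are the report's).
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int        # 0 means the parent was not observed
    image: str       # full path of the created process
    cmdline: str     # command line as shown in the report


# Constructed from the report's tree; ppid 0 for Explorer.EXE because its parent is not shown.
EVENTS = [
    ProcEvent(1228, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(1492, 1228, r"C:\Users\Admin\AppData\Local\Temp\quotation List #039.pdf.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\quotation List #039.pdf.exe"'),
    ProcEvent(1600, 1228, r"C:\Windows\SysWOW64\wininit.exe", r'"C:\Windows\SysWOW64\wininit.exe"'),
    ProcEvent(1620, 1600, r"C:\Windows\SysWOW64\cmd.exe",
              r'/c del "C:\Users\Admin\AppData\Local\Temp\quotation List #039.pdf.exe"'),
]

# Core Windows processes and the parent that legitimately starts them (assumed
# table for this example; covers the Windows 7 boot chain, not every edge case).
EXPECTED_PARENT = {
    "csrss.exe": {"smss.exe"},
    "wininit.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
}
SYSTEM32 = r"c:\windows\system32"
# Document/image extension followed by an executable extension, e.g. "invoice.pdf.exe".
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|jpe?g|png|txt)\.(exe|scr|com)$", re.I)
# "del <path>" or 'del "<path>"' at the end of a cmd.exe command line.
DEL_CMD = re.compile(r'\bdel\s+"?([^"]+?)"?\s*$', re.I)


def _name(path):
    return ntpath.basename(path).lower()


def triage(events):
    """Return (rule, pid, detail) tuples for every anomaly found in the events."""
    by_pid = {e.pid: e for e in events}
    executed_images = {e.image.lower() for e in events}
    hits = []
    for e in events:
        name = _name(e.image)
        parent = by_pid.get(e.ppid)
        parent_name = _name(parent.image) if parent else "<unknown>"

        if name in EXPECTED_PARENT:
            # A core system binary should run from System32 and be spawned by its boot-chain parent.
            if ntpath.dirname(e.image).lower() != SYSTEM32:
                hits.append(("core_system_process_outside_system32", e.pid, e.image))
            if parent_name not in EXPECTED_PARENT[name]:
                hits.append(("core_system_process_unexpected_parent", e.pid, f"parent={parent_name}"))

        if DOUBLE_EXT.search(name):
            hits.append(("double_extension_executable", e.pid, name))

        if name == "cmd.exe":
            # Self-deletion: cmd.exe removing a file that appears as an image elsewhere in the tree.
            m = DEL_CMD.search(e.cmdline)
            if m and m.group(1).lower() in executed_images:
                hits.append(("self_delete_of_executed_binary", e.pid, m.group(1)))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in triage(EVENTS):
        print(f"{rule:40} pid={pid} {detail}")
```

The rules deliberately key on structure (who spawned whom, from where, deleting what) rather than on the sample's hashes, so the same logic fires on the next Formbook build; the expected-parent table is the piece to tune per Windows version before deploying it against real telemetry.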

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1600-1-0x00000000005B0000-0x00000000005CA000-memory.dmp

    Filesize

    104KB

  • memory/1600-3-0x0000000002EA0000-0x0000000002FB7000-memory.dmp

    Filesize

    1.1MB