Analysis
  max time kernel: 150s
  max time network: 155s
  platform: windows7_x64
  resource: win7
  submitted: 10/07/2020, 09:17
Static task: static1

Behavioral task: behavioral1
  Sample: quotation List #039.pdf.exe
  Resource: win7
  0 signatures
  0 seconds

Behavioral task: behavioral2
  Sample: quotation List #039.pdf.exe
  Resource: win10v200430
  0 signatures
  0 seconds
General
  Target: quotation List #039.pdf.exe
  Size: 325KB
  MD5: 2b1b6a99d9427ced3bcaaf141dd36b34
  SHA1: 43e55e4c97dd72e3186e1849242f3cd62d991bd6
  SHA256: 36f76be816898a8ac90603edeed2ff90983d062f047f6e00c66d54964c582cc8
  SHA512: 1b73afad027bf565e0e4007ee5c6d0cd5b2420182c4de7179dcef7f7f91789aabab8a2b4efd17a5cd50432c3598ced5058130104daa57d9f0f8b71c4fd41b1fa
Malware Config
Signatures

Suspicious behavior: EnumeratesProcesses (29 IoCs)
  pid   Process
  1492  quotation List #039.pdf.exe   (2 entries)
  1600  wininit.exe                   (27 entries)
Suspicious behavior: MapViewOfSection (5 IoCs)
  pid   Process
  1492  quotation List #039.pdf.exe   (3 entries)
  1600  wininit.exe                   (2 entries)
Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   Process                       procid_target
  PID 1492 set thread context of 1228  1492  quotation List #039.pdf.exe   20
  PID 1600 set thread context of 1228  1600  wininit.exe                   20
Suspicious use of SendNotifyMessage (7 IoCs)
  pid   Process
  1228  Explorer.EXE   (7 entries)
Checks whether UAC is enabled
  description        ioc                                                                                  Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Explorer.EXE
Drops file in Program Files directory (1 IoCs)
  description                   ioc                                           Process
  File opened for modification  C:\Program Files (x86)\Gsdf0d\mshlg4q6x.exe   wininit.exe
Adds Run entry to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                      Process
  Key created      \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run                                                              wininit.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OLFPJLW8 = "C:\\Program Files (x86)\\Gsdf0d\\mshlg4q6x.exe"  wininit.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1492  quotation List #039.pdf.exe
  Token: SeDebugPrivilege  1600  wininit.exe
Suspicious use of FindShellTrayWindow (8 IoCs)
  pid   Process
  1228  Explorer.EXE   (8 entries)
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Deletes itself (1 IoCs)
  pid   Process
  1620  cmd.exe
Modifies Internet Explorer settings
  description  ioc                                                                                                                  Process
  Key created  \Registry\User\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  wininit.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   Process        procid_target
  PID 1228 wrote to memory of 1600   1228  Explorer.EXE   24   (4 entries)
  PID 1600 wrote to memory of 1620   1600  wininit.exe    25   (4 entries)
Processes (indentation shows the parent/child depth reported by the sandbox)

  C:\Windows\Explorer.EXE  (PID 1228)
    Command line: C:\Windows\Explorer.EXE
    - Suspicious use of SendNotifyMessage
    - Checks whether UAC is enabled
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\quotation List #039.pdf.exe  (PID 1492)
      Command line: "C:\Users\Admin\AppData\Local\Temp\quotation List #039.pdf.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\wininit.exe  (PID 1600)
      Command line: "C:\Windows\SysWOW64\wininit.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Adds Run entry to start application
      - Suspicious use of AdjustPrivilegeToken
      - Modifies Internet Explorer settings
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe  (PID 1620)
        Command line: /c del "C:\Users\Admin\AppData\Local\Temp\quotation List #039.pdf.exe"
        - Deletes itself