Analysis
- max time kernel: 71s
- max time network: 73s
- platform: windows7_x64
- resource: win7
- submitted: 11/07/2020, 14:03
Static task: static1
Behavioral task: behavioral1
- Sample: DOC.exe
- Resource: win7
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: DOC.exe
- Resource: win10v200430
- 0 signatures
- 0 seconds
General
- Target: DOC.exe
- Size: 801KB
- MD5: fe2c7229891329bd1590ab1ce9a50bb1
- SHA1: e3165b722ced95332f8d8356002f200d6b9f71a3
- SHA256: 5bf4fbef77c2b3d4a07c3339b4dd439a3cd08f817361c975958061243e002668
- SHA512: 96a49fc36f153842dc937cbe6ebe81abfd228ae79e5587696599c2a5fbf5a00a606416bfde6063e75c531471ec787d8ba4d082204b2962afbaff8f5f208b8909
Score: 7/10
Malware Config
Signatures
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege; pid: 1600; process: RegSvcs.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 1600, process RegSvcs.exe
  pid 1600, process RegSvcs.exe
- Adds Run entry to start application (2 TTPs, 1 IoC)
  description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\BAVLA = "C:\\Users\\Admin\\AppData\\Roaming\\BAVLA\\BAVLA.exe"; process: RegSvcs.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Suspicious use of WriteProcessMemory (12 IoCs)
  description: PID 1492 wrote to memory of 1600; pid: 1492; process: DOC.exe; procid_target: 24 (12 identical entries)
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 1492 set thread context of 1600; pid: 1492; process: DOC.exe; procid_target: 24
Processes
- C:\Users\Admin\AppData\Local\Temp\DOC.exe (PID 1492)
  command line: "C:\Users\Admin\AppData\Local\Temp\DOC.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (PID 1600)
    command line: "{path}"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Adds Run entry to start application