Analysis
max time kernel: 127s
max time network: 150s
platform: windows10_x64
resource: win10v200430
submitted: 11/07/2020, 14:03
Static task: static1
Behavioral task: behavioral1
    Sample: DOC.exe
    Resource: win7
    0 signatures, 0 seconds
Behavioral task: behavioral2
    Sample: DOC.exe
    Resource: win10v200430
    0 signatures, 0 seconds
General
Target: DOC.exe
Size: 801KB
MD5: fe2c7229891329bd1590ab1ce9a50bb1
SHA1: e3165b722ced95332f8d8356002f200d6b9f71a3
SHA256: 5bf4fbef77c2b3d4a07c3339b4dd439a3cd08f817361c975958061243e002668
SHA512: 96a49fc36f153842dc937cbe6ebe81abfd228ae79e5587696599c2a5fbf5a00a606416bfde6063e75c531471ec787d8ba4d082204b2962afbaff8f5f208b8909
Score: 7/10
Malware Config
Signatures
Suspicious use of WriteProcessMemory (8 IoCs)
    description: PID 1628 wrote to memory of 2784; pid: 1628; Process: DOC.exe; procid_target: 72
    (this row appears 8 times in the report)
Suspicious use of SetThreadContext (1 IoC)
    description: PID 1628 set thread context of 2784; pid: 1628; Process: DOC.exe; procid_target: 72
Suspicious use of AdjustPrivilegeToken (1 IoC)
    description: Token: SeDebugPrivilege; pid: 2784; Process: RegSvcs.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
    pid: 2784; Process: RegSvcs.exe
    pid: 2784; Process: RegSvcs.exe
Reads user/profile data of local email clients (2 TTPs)
    Email clients store some user data on disk where infostealers will often target it.
Adds Run entry to start application (2 TTPs, 1 IoC)
    description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\BAVLA = "C:\\Users\\Admin\\AppData\\Roaming\\BAVLA\\BAVLA.exe"; Process: RegSvcs.exe
Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
Processes
1. C:\Users\Admin\AppData\Local\Temp\DOC.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\DOC.exe"
   PID: 1628
   - Suspicious use of WriteProcessMemory
   - Suspicious use of SetThreadContext
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      command line: "{path}"
      PID: 2784
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      - Adds Run entry to start application