Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    132s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    12/07/2020, 08:03

General

  • Target

    po30 URGENT QUOTE NEEDED FOR 9th JULY 2020.exe

  • Size

    646KB

  • MD5

    4cb1b5c688395f40d9eb8e8f2ad6c1fb

  • SHA1

    718051b56921d6a85024afb8357e6b06e38356e8

  • SHA256

    e3fc20c3720e3822c54c48f53cffb77b3a21769eb9c03c63fe7fb032d7181bfa

  • SHA512

    bbe1a416cee69d17c376aff7b5379cba92a0c9d077a026704a121993af7540491869ab37f88a90e90947a6fde8221c67a5f5703ffc4319190eeab814ad764b8b

Score
7/10

Malware Config

Signatures

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\po30 URGENT QUOTE NEEDED FOR 9th JULY 2020.exe
    "C:\Users\Admin\AppData\Local\Temp\po30 URGENT QUOTE NEEDED FOR 9th JULY 2020.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:900
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nWkEbp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1C27.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1388
    • C:\Users\Admin\AppData\Local\Temp\po30 URGENT QUOTE NEEDED FOR 9th JULY 2020.exe
      "{path}"
      2⤵
        PID:1384
      • C:\Users\Admin\AppData\Local\Temp\po30 URGENT QUOTE NEEDED FOR 9th JULY 2020.exe
        "{path}"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:1380

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1380-4-0x0000000000400000-0x000000000044A000-memory.dmp

      Filesize

      296KB

    • memory/1380-6-0x0000000000400000-0x000000000044A000-memory.dmp

      Filesize

      296KB

    • memory/1380-7-0x0000000000400000-0x000000000044A000-memory.dmp

      Filesize

      296KB