Analysis
- max time kernel: 151s
- max time network: 44s
- platform: windows7_x64
- resource: win7v200430
- submitted: 12/07/2020, 11:26
Static task: static1
Behavioral task: behavioral1
- Sample: IBAN IMPLEMENTATION.PDF.exe
- Resource: win7v200430
Behavioral task: behavioral2
- Sample: IBAN IMPLEMENTATION.PDF.exe
- Resource: win10
General
- Target: IBAN IMPLEMENTATION.PDF.exe
- Size: 715KB
- MD5: 30d1189cb067a539d35c24262202c9e1
- SHA1: 131e08e5925151f68c08464fba3359ea8a04ca1a
- SHA256: fdeac1758dae3e3811f020f3d9d44fb984c4397c924c4c8e880f4e41fdf130f7
- SHA512: dfd595030472a0243709f85e64b7f3f039dd27c8cf5c706c3c404c9b8f2fcf093d18464436dafd1117eae71b4f82a66f896b0692a18786680b963edc7dc3a747
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1356  IBAN IMPLEMENTATION.PDF.exe
  Token: SeDebugPrivilege  1736  IBAN IMPLEMENTATION.PDF.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid   Process
  1356  IBAN IMPLEMENTATION.PDF.exe
  1356  IBAN IMPLEMENTATION.PDF.exe
  1356  IBAN IMPLEMENTATION.PDF.exe
  1736  IBAN IMPLEMENTATION.PDF.exe
  1736  IBAN IMPLEMENTATION.PDF.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   Process                      procid_target
  PID 1356 wrote to memory of 1736   1356  IBAN IMPLEMENTATION.PDF.exe  26
  PID 1356 wrote to memory of 1736   1356  IBAN IMPLEMENTATION.PDF.exe  26
  PID 1356 wrote to memory of 1736   1356  IBAN IMPLEMENTATION.PDF.exe  26
  PID 1356 wrote to memory of 1736   1356  IBAN IMPLEMENTATION.PDF.exe  26
  PID 1356 wrote to memory of 1736   1356  IBAN IMPLEMENTATION.PDF.exe  26
  PID 1356 wrote to memory of 1736   1356  IBAN IMPLEMENTATION.PDF.exe  26
  PID 1356 wrote to memory of 1736   1356  IBAN IMPLEMENTATION.PDF.exe  26
  PID 1356 wrote to memory of 1736   1356  IBAN IMPLEMENTATION.PDF.exe  26
  PID 1356 wrote to memory of 1736   1356  IBAN IMPLEMENTATION.PDF.exe  26
- Suspicious use of SetThreadContext (1 IoCs)
  description                            pid   Process                      procid_target
  PID 1356 set thread context of 1736    1356  IBAN IMPLEMENTATION.PDF.exe  26
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
Processes
- C:\Users\Admin\AppData\Local\Temp\IBAN IMPLEMENTATION.PDF.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\IBAN IMPLEMENTATION.PDF.exe"
  PID: 1356
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - C:\Users\Admin\AppData\Local\Temp\IBAN IMPLEMENTATION.PDF.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\IBAN IMPLEMENTATION.PDF.exe"
    PID: 1736
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses