Analysis
- max time kernel: 151s
- max time network: 126s
- platform: windows7_x64
- resource: win7v200430
- submitted: 13/07/2020, 06:55

Static task: static1
Behavioral task: behavioral1
- Sample: STATEMENT OF ACCOUNT.exe
- Resource: win7v200430
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: STATEMENT OF ACCOUNT.exe
- Resource: win10
- 0 signatures, 0 seconds

General
- Target: STATEMENT OF ACCOUNT.exe
- Size: 332KB
- MD5: ee68d3b0f702077810bddec50179f75d
- SHA1: e84957da433e6df765486f71391edf69f882f50a
- SHA256: ee3971f3a905a7bd6126d3d02e0ecaa71bbe41136d3faa0680eec42a4cf20af9
- SHA512: 957eeeef26c139874fc7983078872b491f534ccc447f98d920ac43d11df7b36ffd3cfa1519fb178d6d103a04237b31f4cd5523cedbea778095a93fc0343cebe4
Malware Config
Signatures

Suspicious use of WriteProcessMemory (21 IoCs)
Identical rows collapsed; "count" is how many times the sandbox logged that event.
source PID | source process           | target PID | procid_target | count
1232       | STATEMENT OF ACCOUNT.exe | 1420       | 24            | 8
1348       | Explorer.EXE             | 1460       | 25            | 4
1460       | wlanext.exe              | 744        | 26            | 4
1460       | wlanext.exe              | 1280       | 31            | 5

Modifies Internet Explorer settings
ioc: Key created \Registry\User\S-1-5-21-910373003-3952921535-3480519689-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
process: wlanext.exe
(IntelliForms\Storage2 is where Internet Explorer stores autocomplete credentials, which is consistent with the browser-data-theft TTP below.)

Suspicious use of FindShellTrayWindow (5 IoCs)
pid 1348 Explorer.EXE, 5 events

Suspicious use of SendNotifyMessage (4 IoCs)
pid 1348 Explorer.EXE, 4 events

Drops startup file (1 IoC)
ioc: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
process: STATEMENT OF ACCOUNT.exe

Checks whether UAC is enabled
ioc: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
process: Explorer.EXE
(Attributed to Explorer.EXE, PID 1348, whose thread context had been set by RegAsm.exe and wlanext.exe; see SetThreadContext below.)

Suspicious behavior: MapViewOfSection (8 IoCs)
1232 STATEMENT OF ACCOUNT.exe: 1 event
1420 RegAsm.exe: 3 events
1460 wlanext.exe: 4 events

Suspicious behavior: EnumeratesProcesses (28 IoCs)
1420 RegAsm.exe: 2 events
1460 wlanext.exe: 26 events

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeDebugPrivilege, pid 1420 RegAsm.exe
Token: SeDebugPrivilege, pid 1460 wlanext.exe

Drops file in Program Files directory (1 IoC)
ioc: File opened for modification C:\Program Files (x86)\W2d4\vgak6g4cfw.exe
process: wlanext.exe

Suspicious use of SetThreadContext (3 IoCs)
source PID | source process           | target PID | procid_target
1232       | STATEMENT OF ACCOUNT.exe | 1420       | 24
1420       | RegAsm.exe               | 1348       | 20
1460       | wlanext.exe              | 1348       | 20

Reads user/profile data of web browsers (2 TTPs)
Infostealers commonly harvest stored browser data, which can include saved credentials.

Adds Run entry to start application (2 TTPs, 2 IoCs)
ioc: Key created \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
process: wlanext.exe
ioc: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\8PTXHFWXGV = "C:\\Program Files (x86)\\W2d4\\vgak6g4cfw.exe"
process: wlanext.exe
Processes
(indentation shows depth in the process tree; the quoted string after each image path is the command line)

C:\Windows\Explorer.EXE  "C:\Windows\Explorer.EXE"  PID 1348
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Checks whether UAC is enabled
  C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe  "C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe"  PID 1232
  - Suspicious use of WriteProcessMemory
  - Drops startup file
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetThreadContext
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"  PID 1420
    - Suspicious behavior: MapViewOfSection
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetThreadContext
  C:\Windows\SysWOW64\wlanext.exe  "C:\Windows\SysWOW64\wlanext.exe"  PID 1460
  - Suspicious use of WriteProcessMemory
  - Modifies Internet Explorer settings
  - Suspicious behavior: MapViewOfSection
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Drops file in Program Files directory
  - Suspicious use of SetThreadContext
  - Adds Run entry to start application
    C:\Windows\SysWOW64\cmd.exe  /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"  PID 744
    C:\Program Files\Mozilla Firefox\Firefox.exe  "C:\Program Files\Mozilla Firefox\Firefox.exe"  PID 1280
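The WriteProcessMemory and SetThreadContext tables above, read together with the process tree, describe a chain of process injection: the sample writes into and resets the thread context of a child RegAsm.exe (the hollowing pattern), RegAsm.exe then sets the thread context of the already-running Explorer.EXE, Explorer spawns wlanext.exe, and wlanext.exe in turn writes into cmd.exe and Firefox.exe and sets Explorer's context again. The script below is an added example, not part of the tria.ge report or its tooling: it takes the (source, target) PID pairs constructed from those two tables, classifies each pair by whether the source both wrote to and re-pointed the target (hollowing) or only did one of the two, and computes which processes are transitively under the sample's control. The labels "hollowing", "hijack_ctx" and "write_only" are this example's own naming.

```python
from collections import defaultdict

# Process names by PID, taken from the report's process tree.
PROCESSES = {
    1348: "Explorer.EXE",
    1232: "STATEMENT OF ACCOUNT.exe",
    1420: "RegAsm.exe",
    1460: "wlanext.exe",
    744: "cmd.exe",
    1280: "Firefox.exe",
}

# (source pid, target pid) edges constructed from the report's
# "Suspicious use of WriteProcessMemory" table, repeated rows collapsed.
WRITE_EDGES = [(1232, 1420), (1348, 1460), (1460, 744), (1460, 1280)]

# (source pid, target pid) edges constructed from the report's
# "Suspicious use of SetThreadContext" table.
CONTEXT_EDGES = [(1232, 1420), (1420, 1348), (1460, 1348)]


def classify_injections(write_edges, context_edges):
    """Group (source, target) pairs by how the target was influenced.

    hollowing  : the source both wrote into the target and set its thread
                 context; this is the process-hollowing pattern (spawn
                 suspended, overwrite image, point the thread at the new
                 entry, resume).
    hijack_ctx : thread context was set on a target that the log shows no
                 write to; here the target is the pre-existing Explorer.EXE.
    write_only : memory written with no recorded context change, e.g. a
                 parent writing into a child it just spawned.
    """
    writes = set(write_edges)
    contexts = set(context_edges)
    return {
        "hollowing": sorted(writes & contexts),
        "hijack_ctx": sorted(contexts - writes),
        "write_only": sorted(writes - contexts),
    }


def reachable_from(pid, *edge_lists):
    """PIDs whose memory or thread context is transitively controlled from
    `pid`, following every write and context edge (depth-first)."""
    adjacency = defaultdict(set)
    for edges in edge_lists:
        for src, dst in edges:
            adjacency[src].add(dst)
    seen, stack = set(), [pid]
    while stack:
        current = stack.pop()
        for nxt in adjacency[current]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def describe(classification):
    """Render the classification as 'kind: name(pid) -> name(pid)' lines."""
    lines = []
    for kind, pairs in classification.items():
        for src, dst in pairs:
            lines.append(
                f"{kind}: {PROCESSES.get(src, '?')}({src}) -> "
                f"{PROCESSES.get(dst, '?')}({dst})"
            )
    return lines


if __name__ == "__main__":
    result = classify_injections(WRITE_EDGES, CONTEXT_EDGES)
    for line in describe(result):
        print(line)
    controlled = reachable_from(1232, WRITE_EDGES, CONTEXT_EDGES)
    print("controlled from the sample:",
          sorted(PROCESSES[p] for p in controlled))
```

Run against the report's events this yields one hollowing pair (the sample into RegAsm.exe), two context hijacks of Explorer.EXE (from RegAsm.exe and from wlanext.exe), and three write-only pairs; every other process in the tree is reachable from PID 1232, which is why the UAC check and the Run-key persistence appear under Explorer.EXE and wlanext.exe rather than under the sample itself.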