Analysis
max time kernel: 148s
max time network: 142s
platform: windows10_x64
resource: win10
submitted: 13/07/2020, 06:55
Static task: static1
Behavioral task: behavioral1
  Sample: STATEMENT OF ACCOUNT.exe
  Resource: win7v200430
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: STATEMENT OF ACCOUNT.exe
  Resource: win10
  0 signatures, 0 seconds
General
Target: STATEMENT OF ACCOUNT.exe
Size: 332KB
MD5: ee68d3b0f702077810bddec50179f75d
SHA1: e84957da433e6df765486f71391edf69f882f50a
SHA256: ee3971f3a905a7bd6126d3d02e0ecaa71bbe41136d3faa0680eec42a4cf20af9
SHA512: 957eeeef26c139874fc7983078872b491f534ccc447f98d920ac43d11df7b36ffd3cfa1519fb178d6d103a04237b31f4cd5523cedbea778095a93fc0343cebe4
Score: 10/10
Malware Config
Signatures
Drops startup file (1 IoC)
  File created   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe   by STATEMENT OF ACCOUNT.exe

Suspicious behavior: MapViewOfSection (10 IoCs)
  pid   Process                    entries
  2896  STATEMENT OF ACCOUNT.exe   3
  3692  RegAsm.exe                 3
  3812  systray.exe                4

Adds Run entry to start application (2 TTPs, 2 IoCs)
  Key created      \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run   by systray.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TJILGNEHOB = "C:\\Program Files (x86)\\Eorudr\\jdpd8vwx1b8.exe"   by systray.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials. In this run the behaviour is visible in the process tree: systray.exe spawned cmd.exe to copy the Chrome "Login Data" database to C:\Users\Admin\AppData\Local\Temp\DB1.

Suspicious use of AdjustPrivilegeToken (10 IoCs)
  Token                      pid   Process       entries
  SeDebugPrivilege           3692  RegAsm.exe    1
  SeDebugPrivilege           3812  systray.exe   1
  SeShutdownPrivilege        2984  Explorer.EXE  4
  SeCreatePagefilePrivilege  2984  Explorer.EXE  4

Modifies Internet Explorer settings
  Key created   \Registry\User\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2   by systray.exe

Drops file in Program Files directory (1 IoC)
  File opened for modification   C:\Program Files (x86)\Eorudr\jdpd8vwx1b8.exe   by systray.exe

Suspicious use of WriteProcessMemory (22 IoCs)
  description                        pid   Process                    procid_target  entries
  PID 2896 wrote to memory of 3520   2896  STATEMENT OF ACCOUNT.exe   67             3
  PID 2896 wrote to memory of 3632   2896  STATEMENT OF ACCOUNT.exe   68             3
  PID 2896 wrote to memory of 3692   2896  STATEMENT OF ACCOUNT.exe   69             4
  PID 2984 wrote to memory of 3812   2984  Explorer.EXE               70             3
  PID 3812 wrote to memory of 3024   3812  systray.exe                71             3
  PID 3812 wrote to memory of 3944   3812  systray.exe                74             3
  PID 3812 wrote to memory of 2344   3812  systray.exe                77             3

Suspicious use of SetThreadContext (3 IoCs)
  description                           pid   Process                    procid_target
  PID 2896 set thread context of 3692   2896  STATEMENT OF ACCOUNT.exe   69
  PID 3692 set thread context of 2984   3692  RegAsm.exe                 56
  PID 3812 set thread context of 2984   3812  systray.exe                56

Suspicious behavior: EnumeratesProcesses (56 IoCs)
  pid   Process      entries
  3692  RegAsm.exe   4
  3812  systray.exe  52
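The WriteProcessMemory and SetThreadContext tables only make sense read together: the sample wrote into three RegAsm.exe children but replaced a thread context in just one of them (3692), which is the only RegAsm.exe instance that shows further activity, and both that RegAsm.exe and systray.exe later set a thread context in the already-running Explorer.EXE. The script below, an added example that is not part of the Triage report or of the tria.ge tooling, pairs the two tables to recover that chain. The pid tuples and the parent/child map are transcribed from this page; the labels "hollowing" and "thread_hijack" are this example's own reading of the API sequence, not Triage signature names.

```python
"""Pair the WriteProcessMemory and SetThreadContext rows of this report to
recover the injection chain. Added example, not part of the Triage report
or of tria.ge; the rows are transcribed from the signature tables above and
the labels are this example's own reading of the API sequence."""
from collections import Counter

# (source pid, target pid), one entry per row of the WriteProcessMemory table.
WRITES = [
    (2896, 3520), (2896, 3520), (2896, 3520),
    (2896, 3632), (2896, 3632), (2896, 3632),
    (2896, 3692), (2896, 3692), (2896, 3692), (2896, 3692),
    (2984, 3812), (2984, 3812), (2984, 3812),
    (3812, 3024), (3812, 3024), (3812, 3024),
    (3812, 3944), (3812, 3944), (3812, 3944),
    (3812, 2344), (3812, 2344), (3812, 2344),
]
# (source pid, target pid), one entry per row of the SetThreadContext table.
CONTEXT_SETS = [(2896, 3692), (3692, 2984), (3812, 2984)]
# child pid -> parent pid, read off the process tree; Explorer.EXE (2984) is the root.
PARENT = {2896: 2984, 3520: 2896, 3632: 2896, 3692: 2896,
          3812: 2984, 3024: 3812, 3944: 3812, 2344: 3812}
NAMES = {2984: "Explorer.EXE", 2896: "STATEMENT OF ACCOUNT.exe",
         3520: "RegAsm.exe", 3632: "RegAsm.exe", 3692: "RegAsm.exe",
         3812: "systray.exe", 3024: "cmd.exe", 3944: "cmd.exe",
         2344: "Firefox.exe"}


def classify(writes, context_sets, parent):
    """Label each (source, target) pair.

    hollowing     : source spawned target, wrote into it and replaced a thread
                    context; the create-suspended / write / SetThreadContext /
                    resume pattern of process hollowing.
    thread_hijack : SetThreadContext on a process the source did not spawn
                    (an already-running process whose thread is redirected).
    write_only    : writes with no context change. A parent normally writes a
                    little into a fresh child, so this is weak evidence on its
                    own; it is kept because it shows which children were touched.
    """
    ctx = set(context_sets)
    result = {"hollowing": set(), "thread_hijack": set(), "write_only": set()}
    for src, dst in set(writes):
        if (src, dst) in ctx and parent.get(dst) == src:
            result["hollowing"].add((src, dst))
        else:
            result["write_only"].add((src, dst))
    for src, dst in ctx:
        if parent.get(dst) != src:
            result["thread_hijack"].add((src, dst))
    return result


def write_volume(writes):
    """Recorded writes per pair; the hollowed child receives the most."""
    return dict(Counter(writes))


def describe(result, names):
    """One line per pair, strongest evidence first."""
    lines = []
    for label in ("hollowing", "thread_hijack", "write_only"):
        for src, dst in sorted(result[label]):
            lines.append(f"{label:13} {src} {names[src]} -> {dst} {names[dst]}")
    return lines


if __name__ == "__main__":
    print("\n".join(describe(classify(WRITES, CONTEXT_SETS, PARENT), NAMES)))
```

Run as-is it prints the one hollowed child, the two Explorer.EXE thread hijacks and the six plain writes. Note that the Explorer.EXE write into systray.exe (procid_target 70) follows the sample's RegAsm.exe writes (67 to 69) and that systray.exe is a child of Explorer.EXE in the tree, so the "Explorer" doing that write is plausibly already running injected code; the script only surfaces the pairing and does not try to prove the ordering.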
Processes
(indented by parent/child depth: Explorer.EXE at the root, then its children, then their children)

C:\Windows\Explorer.EXE  [PID 2984]
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe  [PID 2896]
      command line: "C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe"
      - Drops startup file
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - Suspicious use of SetThreadContext

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  [PID 3520]
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  [PID 3632]
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  [PID 3692]
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\systray.exe  [PID 3812]
      command line: "C:\Windows\SysWOW64\systray.exe"
      - Suspicious behavior: MapViewOfSection
      - Adds Run entry to start application
      - Suspicious use of AdjustPrivilegeToken
      - Modifies Internet Explorer settings
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses

        C:\Windows\SysWOW64\cmd.exe  [PID 3024]
          command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

        C:\Windows\SysWOW64\cmd.exe  [PID 3944]
          command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

        C:\Program Files\Mozilla Firefox\Firefox.exe  [PID 2344]
          command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
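Four rows of this report are the ones worth turning into detections: the cmd.exe copy of Chrome's "Login Data" database out of the profile into Temp (the "Reads user/profile data of web browsers" signature), systray.exe dropping C:\Program Files (x86)\Eorudr\jdpd8vwx1b8.exe and then registering that same path under the WOW6432Node Run key, the Startup-folder drop by the sample, and the cmd.exe deletion of RegAsm.exe from the .NET framework directory. Below is an added example, not code from the Triage report or from tria.ge, that runs those checks over a small set of event records constructed to mirror the rows above. The record format is this example's own (loosely Sysmon-shaped), the two benign control events are invented, and the Firefox credential files (logins.json, key4.db) extend the rule beyond the Chrome file this run actually touched.

```python
"""Turn this report's persistence and credential-theft rows into checks.
Added example, not code from the Triage report or from tria.ge. Event
records below are constructed to mirror the report (field names are this
example's own, loosely Sysmon-shaped); the benign controls are invented."""
import re

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Saved-credential stores. "Login Data" (Chrome) is the one this run copied;
# the Firefox names (logins.json, key4.db) extend the rule beyond the report.
BROWSER_CRED_RE = re.compile(
    r"\\(Login Data|Web Data|Cookies|logins\.json|key4\.db)(\"|\s|$)", re.I)
COPY_VERB_RE = re.compile(r"\b(copy|xcopy|robocopy|move|type)\b", re.I)
WINDOWS_DEL_RE = re.compile(r"\bdel\b.*?\"?(C:\\Windows\\[^\"]+)", re.I)
IMAGE_RE = re.compile(r'^"([^"]+)"|^(.+?\.exe)(\s|$)', re.I)


def image_of(reg_data):
    """Image path from a Run value's data, with quotes and arguments stripped."""
    s = reg_data.strip()
    m = IMAGE_RE.match(s)
    return ((m.group(1) or m.group(2)) if m else s).lower()


def run_rules(events):
    """Return [(rule, pid, detail)] for every event that trips a rule."""
    hits = []
    written = {}  # pid -> lower-cased paths that pid created or modified
    for e in events:
        if e["type"] in ("file_create", "file_write"):
            written.setdefault(e["pid"], set()).add(e["path"].lower())
            if STARTUP_DIR_RE.search(e["path"]):
                hits.append(("startup_folder_drop", e["pid"], e["path"]))
        elif e["type"] == "reg_set" and RUN_KEY_RE.search(e["key"]):
            # The tell is a process registering a binary it wrote itself.
            # Installers look the same, so in production scope this to
            # images that are unsigned or outside known installer paths.
            if image_of(e["data"]) in written.get(e["pid"], ()):
                hits.append(("self_written_autorun", e["pid"], e["value"]))
        elif e["type"] == "process_create":
            cl = e["cmdline"]
            cred = BROWSER_CRED_RE.search(cl)
            if cred and COPY_VERB_RE.search(cl):
                hits.append(("browser_credential_copy", e["pid"], cred.group(1)))
            deleted = WINDOWS_DEL_RE.search(cl)
            if deleted:
                hits.append(("windows_binary_deleted", e["pid"], deleted.group(1)))
    return hits


EVENTS = [  # constructed; pids, paths and command lines as this report records them
    {"type": "file_create", "pid": 2896, "path":
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe"},
    {"type": "file_write", "pid": 3812,
     "path": r"C:\Program Files (x86)\Eorudr\jdpd8vwx1b8.exe"},
    {"type": "reg_set", "pid": 3812,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
     "value": "TJILGNEHOB", "data": r"C:\Program Files (x86)\Eorudr\jdpd8vwx1b8.exe"},
    {"type": "process_create", "pid": 3024, "ppid": 3812, "cmdline":
     r'cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'},
    {"type": "process_create", "pid": 3944, "ppid": 3812, "cmdline":
     r'cmd.exe /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V'},
    # Benign controls (invented): an ordinary copy, and a Run value whose
    # image the registering process did not write.
    {"type": "process_create", "pid": 4100, "ppid": 2984, "cmdline":
     r'cmd.exe /c copy "C:\Users\Admin\Documents\report.docx" "D:\backup\report.docx"'},
    {"type": "reg_set", "pid": 4200,
     "key": r"\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data":
     r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for rule, pid, detail in run_rules(EVENTS):
        print(f"{rule:25} pid={pid}  {detail}")
```

The self_written_autorun rule is the one that needs tuning before it goes into a SIEM: legitimate installers also drop a file and register it in the same session, so pair it with image signing or an installer allow-list. The credential-copy rule is deliberately narrow (a shell copy verb plus a known credential store name) because browsers open these files themselves all day and must not trip it.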