Analysis
max time kernel: 143s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 11/07/2022, 08:43
Static task
static1
Behavioral task
behavioral1
Sample: dhl.exe
Resource: win7-20220414-en
0 signatures
0 seconds
Behavioral task
behavioral2
Sample: dhl.exe
Resource: win10v2004-20220414-en
0 signatures
0 seconds
General
Target: dhl.exe
Size: 4.9MB
MD5: 28c49dff3e6cce47ac148f844d5f657f
SHA1: fb5c3e86cf44dc8c627d4d78bcbb56e0d06ceaa9
SHA256: 8d35a509c8341803a0e7f804817f4870c68274bb47523018b8842e759252d9ea
SHA512: 0e68853476ccc6670ad27b5be2da6dbd465954b1a3a045c5426dc5cd038985138b3f387ec77c9a3a4fa04a3212763efe95baf48981438350600c6d7349cac7c3
Score: 10/10
Malware Config
Extracted
Family: oski
C2: domazy.ga
Signatures

Oski
Oski is an infostealer that targets browser data and cryptocurrency wallets.

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 1572 set thread context of 1276 | 1572 | dhl.exe | 81

Program crash (1 IoC)
pid | pid_target | Process | procid_target
3768 | 1276 | WerFault.exe | 81

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 1572 | dhl.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 1572 wrote to memory of 1276 | 1572 | dhl.exe | 81
(this row is recorded 9 times: nine separate writes by 1572 into 1276)
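The four signatures above, read together, are the classic RunPE / process-hollowing sequence: the dropper takes SeDebugPrivilege, writes a payload into a freshly started signed .NET host (RegAsm.exe), redirects that process's thread with SetThreadContext, and the host later dies in WerFault. The following is an added example, not part of the tria.ge report or the Oski sample, showing how a detection pipeline can correlate such per-call IoC rows into a single verdict. The event records are constructed by hand to mirror the rows in this report (PIDs 1572 -> 1276, nine writes, one context change, one crash); the field names, the list of "LOLBin" host images and the scoring logic are assumptions of this example, not tria.ge's schema or rules.

```python
"""Correlate sandbox behavioural IoC rows into a process-hollowing verdict.

Added example, not code from the tria.ge report or the Oski sample. Event
records below are constructed to mirror the report's Signatures section;
field names, LOLBIN_HOSTS and the scoring are assumptions of this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Signed, normally benign .NET hosts that RunPE-style loaders commonly hollow.
# Assumed list for illustration; extend to taste.
LOLBIN_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe",
                "aspnet_compiler.exe", "vbc.exe", "csc.exe"}


@dataclass
class Event:
    kind: str                      # write_memory | set_thread_context | adjust_token | crash
    pid: int                       # acting process
    process: str                   # acting process image name
    target_pid: Optional[int] = None
    target_process: Optional[str] = None
    detail: str = ""


# Constructed events mirroring the report: SeDebugPrivilege, nine
# WriteProcessMemory rows, one SetThreadContext, and WerFault reporting the crash.
EVENTS = (
    [Event("adjust_token", 1572, "dhl.exe", detail="SeDebugPrivilege")]
    + [Event("write_memory", 1572, "dhl.exe", 1276, "RegAsm.exe") for _ in range(9)]
    + [Event("set_thread_context", 1572, "dhl.exe", 1276, "RegAsm.exe")]
    + [Event("crash", 3768, "WerFault.exe", 1276, "RegAsm.exe")]
)


@dataclass
class Verdict:
    source_pid: int
    source: str
    target_pid: int
    target: str
    writes: int = 0
    set_context: bool = False
    debug_priv: bool = False
    crashed: bool = False
    reasons: List[str] = field(default_factory=list)

    @property
    def is_hollowing(self) -> bool:
        # Memory written into another process AND its thread context changed:
        # the minimum pair of calls that RunPE needs.
        return self.writes > 0 and self.set_context


def correlate(events: List[Event]) -> List[Verdict]:
    """Group cross-process events by (source pid, target pid) and annotate each pair."""
    pairs: Dict[Tuple[int, int], Verdict] = {}
    debug_pids = {e.pid for e in events
                  if e.kind == "adjust_token" and "SeDebugPrivilege" in e.detail}
    crashed_pids = {e.target_pid for e in events if e.kind == "crash"}

    for e in events:
        if e.kind not in ("write_memory", "set_thread_context") or e.target_pid is None:
            continue
        key = (e.pid, e.target_pid)
        v = pairs.setdefault(key, Verdict(e.pid, e.process, e.target_pid, e.target_process or ""))
        if e.kind == "write_memory":
            v.writes += 1
        else:
            v.set_context = True

    for v in pairs.values():
        v.debug_priv = v.source_pid in debug_pids
        v.crashed = v.target_pid in crashed_pids
        if v.writes:
            v.reasons.append(f"{v.writes} WriteProcessMemory call(s) into {v.target}")
        if v.set_context:
            v.reasons.append("SetThreadContext on the target thread")
        if v.target.lower() in LOLBIN_HOSTS:
            v.reasons.append(f"{v.target} is a signed .NET host commonly used as a hollowing target")
        if v.debug_priv:
            v.reasons.append("source acquired SeDebugPrivilege first")
        if v.crashed:
            v.reasons.append("target crashed (WerFault): payload failed or bailed out in the sandbox")
    return list(pairs.values())


def hollowing_verdicts(events: List[Event] = EVENTS) -> List[Verdict]:
    """Return only the (source, target) pairs that look like process hollowing."""
    return [v for v in correlate(events) if v.is_hollowing]


if __name__ == "__main__":
    for v in hollowing_verdicts():
        print(f"{v.source}({v.source_pid}) -> {v.target}({v.target_pid}): process hollowing")
        for r in v.reasons:
            print("  -", r)
```

The verdict keys on the pair of calls rather than on RegAsm.exe by name, so a loader that switches to MSBuild.exe or an arbitrary unsigned host still trips it; the LOLBin match and the SeDebugPrivilege grant only add supporting reasons. The crash row is worth keeping in the correlation: in this report it tells you the injected payload did not survive on the Windows 10 image, which is why the config extraction (family and C2) comes from the static side and no network activity is listed.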
Processes

C:\Users\Admin\AppData\Local\Temp\dhl.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dhl.exe"
  PID: 1572
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
    PID: 1276

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 544
      PID: 3768
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1276 -ip 1276
  PID: 3764