Analysis

  • max time kernel
    43s
  • max time network
    108s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/09/2022, 05:13

General

  • Target

    Ficha_Reembolso_1.cmd

  • Size

    1.3MB

  • MD5

    eb604400d1341437d72c331613455a76

  • SHA1

    137a312c8ab7389afb5af0d3980ffb7c6a7dd5e1

  • SHA256

    46fd4d7d232ec606f235a8c6929ad959ae5fea1509ba4575a280513401b5f41b

  • SHA512

    d2dfef736e73d3d0a25a2b707b92c3f57e4a5673198fac3de20bf5119d92d012824d2ab33a23a499be5a10b5018ff418e4c3dc48fa4d31785588eb4970c26a4b

  • SSDEEP

    24576:631wpEXwOOCWVkSnz3R/sOfRQEZZjEg6GEaeJu47fnpdRgaCQIAYhrz:NpzNCWBDBsA5Z4lLD0H9z

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Delays execution with timeout.exe 1 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
  • NTFS ADS 1 IoCs
  • Script User-Agent 4 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 11 IoCs
  • Suspicious use of SendNotifyMessage 11 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Ficha_Reembolso_1.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1504
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\Ficha_Reembolso_1.cmd"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1520
      • C:\Windows\system32\more.com
        more +5 C:\Users\Admin\AppData\Local\Temp\Ficha_Reembolso_1.cmd
        3⤵
          PID:960
        • C:\Windows\system32\certutil.exe
          certutil -decode -f ~~ "C:\Users\Admin\AppData\Roaming\pekulev\exe\v3.3.14.5_20180315\AutoIt3.exe"
          3⤵
            PID:940
          • C:\Windows\system32\certutil.exe
            certutil -decode -f C:\Users\Admin\AppData\Local\Temp\Ficha_Reembolso_1.cmd "C:\Users\Admin\AppData\Roaming\pekulev\a3x\X2NI\Ficha_Reembolso_1.a3x"
            3⤵
              PID:1992
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic process call create '"C:\Users\Admin\AppData\Roaming\pekulev\exe\v3.3.14.5_20180315\AutoIt3.exe" "C:\Users\Admin\AppData\Roaming\pekulev\a3x\X2NI\Ficha_Reembolso_1.a3x" ""' ,C:\Users\Admin\AppData\Local\Temp\
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2028
            • C:\Windows\system32\timeout.exe
              timeout /T 5
              3⤵
              • Delays execution with timeout.exe
              PID:1704
        • C:\Users\Admin\AppData\Roaming\pekulev\exe\v3.3.14.5_20180315\AutoIt3.exe
          "C:\Users\Admin\AppData\Roaming\pekulev\exe\v3.3.14.5_20180315\AutoIt3.exe" "C:\Users\Admin\AppData\Roaming\pekulev\a3x\X2NI\Ficha_Reembolso_1.a3x" ""
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Accesses Microsoft Outlook profiles
          • Modifies system certificate store
          • NTFS ADS
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          • outlook_office_path
          • outlook_win_path
          PID:1224
          • C:\Windows\SysWOW64\msiexec.exe
            msiexec /i "C:\Users\Admin\AppData\Local\Temp\df6uiv.txt" /qn
            2⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2000
        • C:\Windows\system32\msiexec.exe
          C:\Windows\system32\msiexec.exe /V
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1552

Downloads

  • C:\Users\Admin\AppData\Local\Temp\~~
    Filesize: 1.3MB
    MD5: 62e5e023b0f490aa238a07dba9af6242
    SHA1: 13854398ef5458dd3b8461d258ba97b27c5da9e8
    SHA256: cec5ffe842dc5a5e319a462778b41cd3fdc56b1aed7bed4541d696e307ba7b54
    SHA512: 0157b08c11b1baa12b74772a6e2bfb5cd4c94ea6c063126a612a281fc87ee53588eb3f45def4bc1c6b5185076a86d9d0784f3df658bc8a8cd81f626465e5db8e

  • C:\Users\Admin\AppData\Roaming\pekulev\a3x\X2NI\Ficha_Reembolso_1.a3x
    Filesize: 111KB
    MD5: 3094bf86168cddd1a32ec29a281290c1
    SHA1: a82b2a8c0b9c50e4a4130c87c903fdcf85adddee
    SHA256: 26a2cb17bf0e6ffb1be481aedc1e1ac0fc5f2f8a74df881b815c8a1d490eba41
    SHA512: c1e2a8c45127a87fc767b0bb0344379dead170d7a42b38f1fc1c44b95fa8fe88102d4c71ea1acf91013b82c26afd820cd56e4aaf72e07327c9f479460ba3a725

  • C:\Users\Admin\AppData\Roaming\pekulev\exe\V3314~1.5_2\AutoIt3.exe
    Filesize: 872KB
    MD5: c56b5f0201a3b3de53e561fe76912bfd
    SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
    SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
    SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

  • C:\Users\Admin\AppData\Roaming\pekulev\exe\v3.3.14.5_20180315\AutoIt3.exe
    Filesize: 872KB
    MD5: c56b5f0201a3b3de53e561fe76912bfd
    SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
    SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
    SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

  • \Users\Admin\AppData\Local\Temp\sqlite3.dll
    Filesize: 858KB
    MD5: c7719f774bb859240eb6dfa91a1f10be
    SHA1: be1461e770333eb13e0fe66d378e3fac4f1112b5
    SHA256: b3ce811fb696b94f9117ee7fe725ae6b907d695636beceeb1672d5d5eeb81df4
    SHA512: 8a561e927a7a65f5211c76b488bed2a3cc0525ecd9775d25e1863b52ff532349c125b76a51eb63ea2e4479a567e8fac6b8ae38b7fd1970bad2556befe9e3b529

  • memory/940-57-0x00000000FF361000-0x00000000FF363000-memory.dmp
    Filesize: 8KB

  • memory/1224-64-0x0000000075ED1000-0x0000000075ED3000-memory.dmp
    Filesize: 8KB

  • memory/1552-70-0x000007FEFC291000-0x000007FEFC293000-memory.dmp
    Filesize: 8KB

  • memory/1992-60-0x00000000FF9F1000-0x00000000FF9F3000-memory.dmp
    Filesize: 8KB