Analysis
- max time kernel: 127s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/09/2022, 05:13
- Static task: static1
- Behavioral task: behavioral1
- Sample: Ficha_Reembolso_1.cmd
- Resource: win7-20220812-en
General
- Target: Ficha_Reembolso_1.cmd
- Size: 1.3MB
- MD5: eb604400d1341437d72c331613455a76
- SHA1: 137a312c8ab7389afb5af0d3980ffb7c6a7dd5e1
- SHA256: 46fd4d7d232ec606f235a8c6929ad959ae5fea1509ba4575a280513401b5f41b
- SHA512: d2dfef736e73d3d0a25a2b707b92c3f57e4a5673198fac3de20bf5119d92d012824d2ab33a23a499be5a10b5018ff418e4c3dc48fa4d31785588eb4970c26a4b
- SSDEEP: 24576:631wpEXwOOCWVkSnz3R/sOfRQEZZjEg6GEaeJu47fnpdRgaCQIAYhrz:NpzNCWBDBsA5Z4lLD0H9z
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 1464, process AutoIt3.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Delays execution with timeout.exe (1 IoC)
  pid 4444, process timeout.exe
- NTFS ADS (1 IoC)
  File opened for modification: C:\Users\Admin\AppData\Local\Temp\winmgmts:{impersonationLevel=impersonate}!\root\cimv2 (process AutoIt3.exe)
- Script User-Agent (2 IoCs)
  Uses user-agent string associated with script host/environment.
  HTTP User-Agent header, flow 14: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header, flow 42: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious use of AdjustPrivilegeToken (42 IoCs)
  All by pid 1684, process WMIC.exe. The following 21 tokens are each listed twice in the report:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- Suspicious use of FindShellTrayWindow (8 IoCs)
  pid 1464, process AutoIt3.exe (listed 8 times)
- Suspicious use of SendNotifyMessage (8 IoCs)
  pid 1464, process AutoIt3.exe (listed 8 times)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Each entry is listed twice in the report (source PID, source process, target PID, procid_target):
  PID 2380 (cmd.exe) wrote to memory of 4964, procid_target 23
  PID 4964 (cmd.exe) wrote to memory of 2368, procid_target 22
  PID 4964 (cmd.exe) wrote to memory of 1744, procid_target 41
  PID 4964 (cmd.exe) wrote to memory of 2348, procid_target 44
  PID 4964 (cmd.exe) wrote to memory of 1684, procid_target 45
  PID 4964 (cmd.exe) wrote to memory of 4444, procid_target 54
Processes
- C:\Windows\system32\cmd.exe (PID 2380)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Ficha_Reembolso_1.cmd"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 4964)
    Command line: C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\Ficha_Reembolso_1.cmd"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\certutil.exe (PID 1744)
      Command line: certutil -decode -f ~~ "C:\Users\Admin\AppData\Roaming\pekulev\exe\v3.3.14.5_20180315\AutoIt3.exe"
    - C:\Windows\system32\certutil.exe (PID 2348)
      Command line: certutil -decode -f C:\Users\Admin\AppData\Local\Temp\Ficha_Reembolso_1.cmd "C:\Users\Admin\AppData\Roaming\pekulev\a3x\X2NI\Ficha_Reembolso_1.a3x"
    - C:\Windows\System32\Wbem\WMIC.exe (PID 1684)
      Command line: wmic process call create '"C:\Users\Admin\AppData\Roaming\pekulev\exe\v3.3.14.5_20180315\AutoIt3.exe" "C:\Users\Admin\AppData\Roaming\pekulev\a3x\X2NI\Ficha_Reembolso_1.a3x" ""' ,C:\Users\Admin\AppData\Local\Temp\
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\timeout.exe (PID 4444)
      Command line: timeout /T 5
      - Delays execution with timeout.exe
- C:\Windows\system32\more.com (PID 2368)
  Command line: more +5 C:\Users\Admin\AppData\Local\Temp\Ficha_Reembolso_1.cmd
- C:\Users\Admin\AppData\Roaming\pekulev\exe\v3.3.14.5_20180315\AutoIt3.exe (PID 1464)
  Command line: "C:\Users\Admin\AppData\Roaming\pekulev\exe\v3.3.14.5_20180315\AutoIt3.exe" "C:\Users\Admin\AppData\Roaming\pekulev\a3x\X2NI\Ficha_Reembolso_1.a3x" ""
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1.3MB
  MD5: 62e5e023b0f490aa238a07dba9af6242
  SHA1: 13854398ef5458dd3b8461d258ba97b27c5da9e8
  SHA256: cec5ffe842dc5a5e319a462778b41cd3fdc56b1aed7bed4541d696e307ba7b54
  SHA512: 0157b08c11b1baa12b74772a6e2bfb5cd4c94ea6c063126a612a281fc87ee53588eb3f45def4bc1c6b5185076a86d9d0784f3df658bc8a8cd81f626465e5db8e
- Filesize: 111KB
  MD5: 3094bf86168cddd1a32ec29a281290c1
  SHA1: a82b2a8c0b9c50e4a4130c87c903fdcf85adddee
  SHA256: 26a2cb17bf0e6ffb1be481aedc1e1ac0fc5f2f8a74df881b815c8a1d490eba41
  SHA512: c1e2a8c45127a87fc767b0bb0344379dead170d7a42b38f1fc1c44b95fa8fe88102d4c71ea1acf91013b82c26afd820cd56e4aaf72e07327c9f479460ba3a725
- Filesize: 872KB
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c