Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 147s
max time network: 151s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 27/09/2022, 16:33
Static task: static1
Behavioral task: behavioral1
Sample: DOCUMENTO DE ENVÍO DE DHL AWB _111832457673,pdf.exe
Resource: win7-20220812-en
General
Target: DOCUMENTO DE ENVÍO DE DHL AWB _111832457673,pdf.exe
Size: 461KB
MD5: 26860d51fddf664076d1cf601e43ba1d
SHA1: dcd3fa1f67c3a7496caebd09c40cf8c6e5846c53
SHA256: 7a73079ae74c6c75f4f72bdae2437960533e8532a26b10dc98df4d8caf272f5e
SHA512: e7aca103565635e73a5ce0fe64027dfdec356390f39537aec134611a6aeee176f666e5aada2cae90cebb7d3002bce43c0c251a79f28d95a09ca1a36e159dd513
SSDEEP: 12288:vj3ZrR7VyT/IdT5D7E61U6NolW1M6wRs:vj9Rs/IdFPU6+l0
Malware Config
Extracted
formbook
nrln
IG7zJSm49UqTTuu/N/oTCIg=
CVLdAPgw0CRSMuZnRRU=
PiA5Z3umP2NyX81VGQhjWyS59nFYhXiG
5i6p4GeQqtBgNRfGNQ==
5984keYswxh8mGZHz4ipAHtQ
VNJaK4Gh0CrOvHpW/p353A==
71rEtrL2icToyKGhcWrTxjsFU5T98zeO
r3q1sy1iZaL+2XIUAob7yw==
9+83Qkrk/vV/jVXsDvoTCIg=
aMFAgYF1prov8/UErH/Y1A==
Alqtx/0rxwEbCLdudftl
ImCbnglBSUHF0mv2tTSP40bPeYao
s4DFNvAJ4GIJ+g==
phOa6mtS8QQICuZnRRU=
7TSu5vqRtB45EZtf4WDSTBHPeYao
ImPWqwUUIVWMQLyMbUab7tmspvNCcT8=
HF7jKjbGox2SAffTPw==
yAM3mOQot5l+cD0ikR5MGp8=
UYzW0/8z70JcQenVLidu1kLPeYao
OoCznp5UWz+hT9OBFXbfVhXPeYao
RZAWUeouUqpRAffTPw==
qQZsaG6uSqBRXS0J4PoTCIg=
idE3YO0X4GIJ+g==
NZQvYOWIBkHd4Z7AmQwAslxY
1KTdRR1OPJb88A==
8iap4OQKp/C3gQludftl
9Tyi5kaIC/Dk7JRTK/5lx1LLzRi53w==
3Lbm4soAuhRHLuZnRRU=
F4rw7+2RqgQp3urIPPoTCIg=
WcAxntfwcZZxHdfbgtoL1FbLzRi53w==
Cb4Mn+LGQzI=
v6zC+zJc9ggtoRfSUKT5VgjPeYao
8SNotqm7G3gx
zkfYBpVE7kZy6Z1eRBc=
fGC3taUlU5/grJFa/p353A==
guxOQaxAp/H3/7hudftl
1ySVyYygrPSWgzsz5voTCIg=
kgzOYyfN4GIJ+g==
uI3MyBlFYb9zLp9O/p353A==
LiJEdPqeLRv/dUMZph0=
P44MT+MPGVCfAffTPw==
92zQztuUoOD397dudftl
KAIeV2q7G3gx
16rd9Lv/EDB9NuZnRRU=
Zq8rUUtzFDYhDLdudftl
0TzN9nwSt9Ld5oQMz8oX7KcwExI=
8C4/Zed9GAoGCuZnRRU=
0R6HvJ+vT2pZMuZnRRU=
PXCroG2LPYhB92PmoRh6SNSmrvNCcT8=
jcoShE+OVbsoB4Vm
XKDr2FEDkRYoA6F7B3bfVhXPeYao
lxlqoFqiNTE=
gth+8scYHF4q9oJM/p353A==
kV6UlVdWZM+9b/WfNw==
mMkJeLvrdq91ULk=
Nxw5ckJtib7+oGdQ/p353A==
K4vu5D5UecNAxJtKPxM=
abYdRE3u8iYkqH9x
KnPrFJC5zSp1V9mCQbIDbiMamCw7zg==
DXEGJOvxscsrAcaZBs0qfqcwExI=
JxA3dYsfQKRsEMqqNrMQekNL0+MJaAkWNg==
Q4dtrcgmnb1BThr40YjqkyMQ3A==
7l7NPgxGZMGfhgludftl
MYT9Mshe6ejKfvG1lYXezH0WmCo61w==
sincewordsmatter.com
Extracted
xloader
3.8
nrln
IG7zJSm49UqTTuu/N/oTCIg=
CVLdAPgw0CRSMuZnRRU=
PiA5Z3umP2NyX81VGQhjWyS59nFYhXiG
5i6p4GeQqtBgNRfGNQ==
5984keYswxh8mGZHz4ipAHtQ
VNJaK4Gh0CrOvHpW/p353A==
71rEtrL2icToyKGhcWrTxjsFU5T98zeO
r3q1sy1iZaL+2XIUAob7yw==
9+83Qkrk/vV/jVXsDvoTCIg=
aMFAgYF1prov8/UErH/Y1A==
Alqtx/0rxwEbCLdudftl
ImCbnglBSUHF0mv2tTSP40bPeYao
s4DFNvAJ4GIJ+g==
phOa6mtS8QQICuZnRRU=
7TSu5vqRtB45EZtf4WDSTBHPeYao
ImPWqwUUIVWMQLyMbUab7tmspvNCcT8=
HF7jKjbGox2SAffTPw==
yAM3mOQot5l+cD0ikR5MGp8=
UYzW0/8z70JcQenVLidu1kLPeYao
OoCznp5UWz+hT9OBFXbfVhXPeYao
RZAWUeouUqpRAffTPw==
qQZsaG6uSqBRXS0J4PoTCIg=
idE3YO0X4GIJ+g==
NZQvYOWIBkHd4Z7AmQwAslxY
1KTdRR1OPJb88A==
8iap4OQKp/C3gQludftl
9Tyi5kaIC/Dk7JRTK/5lx1LLzRi53w==
3Lbm4soAuhRHLuZnRRU=
F4rw7+2RqgQp3urIPPoTCIg=
WcAxntfwcZZxHdfbgtoL1FbLzRi53w==
Cb4Mn+LGQzI=
v6zC+zJc9ggtoRfSUKT5VgjPeYao
8SNotqm7G3gx
zkfYBpVE7kZy6Z1eRBc=
fGC3taUlU5/grJFa/p353A==
guxOQaxAp/H3/7hudftl
1ySVyYygrPSWgzsz5voTCIg=
kgzOYyfN4GIJ+g==
uI3MyBlFYb9zLp9O/p353A==
LiJEdPqeLRv/dUMZph0=
P44MT+MPGVCfAffTPw==
92zQztuUoOD397dudftl
KAIeV2q7G3gx
16rd9Lv/EDB9NuZnRRU=
Zq8rUUtzFDYhDLdudftl
0TzN9nwSt9Ld5oQMz8oX7KcwExI=
8C4/Zed9GAoGCuZnRRU=
0R6HvJ+vT2pZMuZnRRU=
PXCroG2LPYhB92PmoRh6SNSmrvNCcT8=
jcoShE+OVbsoB4Vm
XKDr2FEDkRYoA6F7B3bfVhXPeYao
lxlqoFqiNTE=
gth+8scYHF4q9oJM/p353A==
kV6UlVdWZM+9b/WfNw==
mMkJeLvrdq91ULk=
Nxw5ckJtib7+oGdQ/p353A==
K4vu5D5UecNAxJtKPxM=
abYdRE3u8iYkqH9x
KnPrFJC5zSp1V9mCQbIDbiMamCw7zg==
DXEGJOvxscsrAcaZBs0qfqcwExI=
JxA3dYsfQKRsEMqqNrMQekNL0+MJaAkWNg==
Q4dtrcgmnb1BThr40YjqkyMQ3A==
7l7NPgxGZMGfhgludftl
MYT9Mshe6ejKfvG1lYXezH0WmCo61w==
sincewordsmatter.com
Signatures

Blocklisted process makes network request (1 IoC)
flow | pid | Process
6 | 1932 | msiexec.exe

Loads dropped DLL (1 IoC)
pid | Process
1932 | msiexec.exe
Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 1884 set thread context of 2000 | 1884 | DOCUMENTO DE ENVÍO DE DHL AWB _111832457673,pdf.exe | 27
PID 2000 set thread context of 1216 | 2000 | aspnet_compiler.exe | 12
PID 1932 set thread context of 1216 | 1932 | msiexec.exe | 12
Modifies Internet Explorer settings (1 IoC)
description | ioc | Process
Key created | \Registry\User\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | msiexec.exe
Suspicious behavior: EnumeratesProcesses (26 IoCs)
pid | Process
2000 | aspnet_compiler.exe (4 entries)
1932 | msiexec.exe (22 entries)

Suspicious behavior: MapViewOfSection (7 IoCs)
pid | Process
2000 | aspnet_compiler.exe (3 entries)
1932 | msiexec.exe (4 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2000 | aspnet_compiler.exe
Token: SeDebugPrivilege | 1932 | msiexec.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
1216 | Explorer.EXE (2 entries)

Suspicious use of SendNotifyMessage (2 IoCs)
pid | Process
1216 | Explorer.EXE (2 entries)

Suspicious use of WriteProcessMemory (19 IoCs)
description | pid | Process | procid_target
PID 1884 wrote to memory of 2000 | 1884 | DOCUMENTO DE ENVÍO DE DHL AWB _111832457673,pdf.exe | 27 (7 entries)
PID 1216 wrote to memory of 1932 | 1216 | Explorer.EXE | 28 (7 entries)
PID 1932 wrote to memory of 1112 | 1932 | msiexec.exe | 31 (5 entries)
Processes

C:\Windows\Explorer.EXE
  command line: "C:\Windows\Explorer.EXE"
  PID: 1216
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\DOCUMENTO DE ENVÍO DE DHL AWB _111832457673,pdf.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\DOCUMENTO DE ENVÍO DE DHL AWB _111832457673,pdf.exe"
    PID: 1884
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      PID: 2000
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\msiexec.exe
    command line: "C:\Windows\SysWOW64\msiexec.exe"
    PID: 1932
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\Firefox.exe
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
      PID: 1112
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 1.0MB
MD5: ce5c15b5092877974d5b6476ad1cb2d7
SHA1: 76a6fc307d1524081cba1886d312df97c9dd658f
SHA256: 1f1a186ea26bd2462ea2a9cf35a816b92caf0897fdf332af3a61569e0ba97b24
SHA512: bb9ced38c63d2a29e18c38f60020cfdf0161384cd4ad6328352626643becdf49f6b4bef47012391720344fdd8ad520aa802dcbbed15b5026d27eb93b0a839c90