Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 152s
- max time network: 159s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 24/11/2022, 03:47
Static task: static1
Behavioral task: behavioral1
- Sample: rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
- Resource: win10v2004-20220812-en
General
- Target: rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
- Size: 180KB
- MD5: f96874ad23fde2f0b3af2af1565beb73
- SHA1: 16e63fa7df0f2e8964d2e9cf2541b9ccd5c31106
- SHA256: 0ed91af7f5dd71ee724ef0bddaae43bdd10721fa21f2b226f69f3156085126fc
- SHA512: e5c621a7bd62832ba331b2d0ee40d72e81d9a6892a662ded20c1c23e56b553b829f1691293728b1a8d190c6dd3c0dfdccfe77551ebe2bf7e3220d411c77e803d
- SSDEEP: 3072:t1ezQdDuZph4fWy6c3v40y+rzqVCr+YARsI6u2t4Y9sBG0hac0v2D+:t1eUNuFIdt3vTrz1r+R7F2t4pUO
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2012, Process: cmd.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run (Process: Explorer.EXE)
  Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ypbkryye.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\ypbkryye.exe\"" (Process: Explorer.EXE)
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid 1832, Process: rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe (2 entries)
  pid 1256, Process: Explorer.EXE (12 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 1832, Process: rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe
  Token: SeDebugPrivilege, pid 1256, Process: Explorer.EXE
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 1256, Process: Explorer.EXE (2 entries)
- Suspicious use of SendNotifyMessage (2 IoCs)
  pid 1256, Process: Explorer.EXE (2 entries)
- Suspicious use of UnmapMainImage (1 IoC)
  pid 1256, Process: Explorer.EXE
- Suspicious use of WriteProcessMemory (10 IoCs)
  PID 1832 wrote to memory of 2012; pid 1832, Process: rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe, procid_target 28 (4 entries)
  PID 1832 wrote to memory of 1256; pid 1832, Process: rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe, procid_target 7
  PID 1256 wrote to memory of 1132; pid 1256, Process: Explorer.EXE, procid_target 10
  PID 1256 wrote to memory of 1200; pid 1256, Process: Explorer.EXE, procid_target 8
  PID 1256 wrote to memory of 2012; pid 1256, Process: Explorer.EXE, procid_target 28
  PID 1256 wrote to memory of 1388; pid 1256, Process: Explorer.EXE, procid_target 29 (2 entries)
Processes
- C:\Windows\Explorer.EXE (PID 1256)
  Command line: C:\Windows\Explorer.EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe (PID 1832)
    Command line: "C:\Users\Admin\AppData\Local\Temp\rechnung_11_2014_3280000236_telekom_de_002839300002_11_0000352899_000005.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2012)
      Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS4763~1.BAT"
      - Deletes itself
- C:\Windows\system32\Dwm.exe (PID 1200)
  Command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\system32\taskhost.exe (PID 1132)
  Command line: "taskhost.exe"
- C:\Windows\system32\conhost.exe (PID 1388)
  Command line: \??\C:\Windows\system32\conhost.exe "-1770888054612873202-901907602939310166-2047457743390157209372018021-615967886"
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 201B
  MD5: 0e8e71e363062669f2243f04b8d585eb
  SHA1: 81ddb015847dcd70b043a06d68e2a92eea04d845
  SHA256: 61c63999f8884aad8f5115f0e5158c97fdb564b725e08eb7f838c0f2f57b5a3e
  SHA512: 2368a2cc080bc0f84b12192cf39de6e0b580bad37b912445bbf2ff12645aa32a3b9bf06774b1b6c69b55f242e4b7297f3a2f78402af95ed3e147f618afa44e10