Analysis
- max time kernel: 152s
- max time network: 159s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 24/11/2022, 04:49
Static task: static1
Behavioral task: behavioral1
- Sample: 2014_11vodafone_onlinerechnung_002120003909_november_390321980009_11_00000000445.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 2014_11vodafone_onlinerechnung_002120003909_november_390321980009_11_00000000445.exe
- Resource: win10v2004-20221111-en
General
- Target: 2014_11vodafone_onlinerechnung_002120003909_november_390321980009_11_00000000445.exe
- Size: 176KB
- MD5: 0bdbb242c3d65c99b0c4b3bdad19a793
- SHA1: 1b2a37b64b1a7ca71b801125faca273408bb7e67
- SHA256: 942b643d07c0cb4ac1593dccd846fe4bcda402f5f74fa4ba1437248e7c89e0c3
- SHA512: 387c6455dc286989d0de8b418505b5453ce82c262132eba2975006b59057a698bb5fe33bfa428690d0db30b3396ba6b699a1ad2b68482bc04df27975ca19206e
- SSDEEP: 3072:bBfHcmI+fMEJRvGGs4Edlb9kMv0UNLp+CSYnzyZyvBwwQlF9KwrrznF19AaROhze:blH80NJ5ZEdT8UlpaYzyZeBzQJPrrjFt
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 1796, process cmd.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run, process Explorer.EXE
  Set value (str): \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dhohjter.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\dhohjter.exe\"", process Explorer.EXE
- Suspicious use of SetThreadContext (1 IoC)
  PID 1504 set thread context of 1536; pid 1504, process 2014_11vodafone_onlinerechnung_002120003909_november_390321980009_11_00000000445.exe, procid_target 26
- Suspicious behavior: EnumeratesProcesses (17 IoCs)
  pid 1504, process 2014_11vodafone_onlinerechnung_002120003909_november_390321980009_11_00000000445.exe (3 entries)
  pid 1536, process 2014_11vodafone_onlinerechnung_002120003909_november_390321980009_11_00000000445.exe (2 entries)
  pid 1396, process Explorer.EXE (12 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege; pid 1536, process 2014_11vodafone_onlinerechnung_002120003909_november_390321980009_11_00000000445.exe
  Token: SeDebugPrivilege; pid 1396, process Explorer.EXE
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 1504, process 2014_11vodafone_onlinerechnung_002120003909_november_390321980009_11_00000000445.exe (2 entries)
- Suspicious use of UnmapMainImage (1 IoC)
  pid 1396, process Explorer.EXE
- Suspicious use of WriteProcessMemory (20 IoCs)
  PID 1504 wrote to memory of 1536; pid 1504, process 2014_11vodafone_onlinerechnung_002120003909_november_390321980009_11_00000000445.exe, procid_target 26 (10 entries)
  PID 1536 wrote to memory of 1796; pid 1536, process 2014_11vodafone_onlinerechnung_002120003909_november_390321980009_11_00000000445.exe, procid_target 27 (4 entries)
  PID 1536 wrote to memory of 1396; pid 1536, process 2014_11vodafone_onlinerechnung_002120003909_november_390321980009_11_00000000445.exe, procid_target 12
  PID 1396 wrote to memory of 1260; pid 1396, process Explorer.EXE, procid_target 13
  PID 1396 wrote to memory of 1344; pid 1396, process Explorer.EXE, procid_target 7
  PID 1396 wrote to memory of 1796; pid 1396, process Explorer.EXE, procid_target 27 (2 entries)
  PID 1396 wrote to memory of 792; pid 1396, process Explorer.EXE, procid_target 28
Processes
- C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
  PID: 1344
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1396
  Signatures: Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\2014_11vodafone_onlinerechnung_002120003909_november_390321980009_11_00000000445.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2014_11vodafone_onlinerechnung_002120003909_november_390321980009_11_00000000445.exe"
    PID: 1504
    Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\2014_11vodafone_onlinerechnung_002120003909_november_390321980009_11_00000000445.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\2014_11vodafone_onlinerechnung_002120003909_november_390321980009_11_00000000445.exe
      PID: 1536
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS1567~1.BAT"
        PID: 1796
        Signatures: Deletes itself
- C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
  PID: 1260
- C:\Windows\system32\conhost.exe
  Command line: \??\C:\Windows\system32\conhost.exe "-1035388673-49390344986238328-780695326-15180360221853456369-1052598401862982445"
  PID: 792
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 201B
  MD5: a2f857a67ec5000c3fe3d81bbcac3799
  SHA1: 060af9dea8b4f7f9e73cf8232bd307426011941d
  SHA256: be2081a4c09b0474846a5549ff7936fd42937ac25cd0978ebdf7a4df441022c5
  SHA512: 4ecf014f2aafb332d7e22eb180f4bf4cc775b9ac0b5e89b145155982588ffbcf256cebcee48589aeeed8a917fc26f6e2b35e75c9e7103d5ad0c859f55dc1f611