Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
173s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
27/11/2022, 18:44
Static task
static1
Behavioral task
behavioral1
Sample
2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
Resource
win10v2004-20220812-en
General
-
Target
2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe
-
Size
176KB
-
MD5
8e9f821390b3affa596053cbadc4e824
-
SHA1
cd2fc0abfa71caf23bd71debad20a4715c6f9edf
-
SHA256
d0eba3801e3a1aa54315098cdc246086b51c6a5818377c9521a968c8fcf31dac
-
SHA512
13e5aa6db26fb086f9ee191cf7306b4e1db884a6746d74901ecb81c9c0ebc905d4022c38e7f608c2f8c3dc15e439e64c873e638b908406537e94ffb0fe672030
-
SSDEEP
3072:T9fHcmI+0MEJRSDOWHQKjEukcqRiGl7ITMsvDWhjWxB50G2eaNLw1hKeW8SaP3/1:TpH8DNJwOxvukJHl0TTvDWcB50tNLwX9
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 1088 cmd.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ianvmjrr.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\ianvmjrr.exe\"" Explorer.EXE -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2032 set thread context of 1232 2032 2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe 28 -
Suspicious behavior: EnumeratesProcesses 15 IoCs
pid Process 2032 2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe 2032 2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe 2032 2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe 1232 2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe 1232 2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe 1220 Explorer.EXE 1220 Explorer.EXE 1220 Explorer.EXE 1220 Explorer.EXE 1220 Explorer.EXE 1220 Explorer.EXE 1220 Explorer.EXE 1220 Explorer.EXE 1220 Explorer.EXE 1220 Explorer.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1220 Explorer.EXE -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1232 2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe Token: SeDebugPrivilege 1220 Explorer.EXE Token: SeShutdownPrivilege 1220 Explorer.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2032 2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe 2032 2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 1220 Explorer.EXE -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 2032 wrote to memory of 1232 2032 2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe 28 PID 2032 wrote to memory of 1232 2032 2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe 28 PID 2032 wrote to memory of 1232 2032 2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe 28 PID 2032 wrote to memory of 1232 2032 2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe 28 PID 2032 wrote to memory of 1232 2032 2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe 28 PID 2032 wrote to memory of 1232 2032 2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe 28 PID 2032 wrote to memory of 1232 2032 2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe 28 PID 2032 wrote to memory of 1232 2032 2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe 28 PID 2032 wrote to memory of 1232 2032 2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe 28 PID 2032 wrote to memory of 1232 2032 2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe 28 PID 1232 wrote to memory of 1088 1232 2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe 29 PID 1232 wrote to memory of 1088 1232 2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe 29 PID 1232 wrote to memory of 1088 1232 2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe 29 PID 1232 wrote to memory of 1088 1232 2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe 29 PID 1232 wrote to memory of 1220 1232 2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe 16 PID 1220 wrote to memory of 1116 1220 Explorer.EXE 17 PID 1220 wrote to memory of 1172 1220 Explorer.EXE 9 PID 1220 wrote to memory of 1088 1220 Explorer.EXE 29 PID 1220 wrote to memory of 1088 1220 Explorer.EXE 29
Processes
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:1172
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1220 -
C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe"C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Users\Admin\AppData\Local\Temp\2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exeC:\Users\Admin\AppData\Local\Temp\2014_11rechnung_pdf_telekom_00002383882_november_002818273_11_0000000392_000005.exe3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1232 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS2660~1.BAT"4⤵
- Deletes itself
PID:1088
-
-
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵PID:1116
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
201B
MD5a0e48e90c0d6d8b32df9b8eb9dc9146e
SHA1754c081534f0a12da8f2cc5139ede91e72d090de
SHA2562de9fa5982cfe1b5f519fa11861549bbaad917fd07e88e377905a08c997b9f24
SHA5127f41aa0ed4f6f5c0cad7e9b95fa00ac433b41753c35a0757d71ae06852dccde068cca86cebdd88dde5f2671a0f4ab0334b0e02348d47ac12caafd7befbac5478