Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

FedEx Ship...oc.exe

windows7-x64

1

FedEx Ship...oc.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/12/2022, 07:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FedEx Shipment doc.exe

  • Size

    1023KB

  • MD5

    18de2e338f8ebe55f152a8ba52742175

  • SHA1

    cd5538e2c8bc84605d5b5997596bf3d37872757d

  • SHA256

    f9ffa58b5dd142b4f6e87a1c7fb8915a1d2054c5ffeda62eab078c8f5b1ef644

  • SHA512

    f554a6e43e63e53248bff7227aa348551fa04bf1067ae8806978caca598e271835672e2f555c2fe1c77fbdfd21f6cd5b5d574729cfbc18fb586925ed5736c18a

  • SSDEEP

    12288:lBp2iN1/Sr+p1kZdu8oNVHiy84VHKmZ5cLfEg5yBqVxRH8c+9eFf+mDXttarruVI:lL1e+1k/W5ilaHkjEUKq5H80

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2740
    • C:\Users\Admin\AppData\Local\Temp\FedEx Shipment doc.exe
      "C:\Users\Admin\AppData\Local\Temp\FedEx Shipment doc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3224
      • C:\Users\Admin\AppData\Local\Temp\FedEx Shipment doc.exe
        "C:\Users\Admin\AppData\Local\Temp\FedEx Shipment doc.exe"
        3⤵
          PID:4388
        • C:\Users\Admin\AppData\Local\Temp\FedEx Shipment doc.exe
          "C:\Users\Admin\AppData\Local\Temp\FedEx Shipment doc.exe"
          3⤵
          • Checks computer location settings
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1552
      • C:\Windows\SysWOW64\help.exe
        "C:\Windows\SysWOW64\help.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:620
        • C:\Program Files\Mozilla Firefox\Firefox.exe
          "C:\Program Files\Mozilla Firefox\Firefox.exe"
          3⤵
            PID:1904

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/620-155-0x0000000000940000-0x000000000096C000-memory.dmp

        Filesize

        176KB

        Download

      • memory/620-153-0x00000000011F0000-0x000000000127F000-memory.dmp

        Filesize

        572KB

        Download

      • memory/620-152-0x0000000000940000-0x000000000096C000-memory.dmp

        Filesize

        176KB

        Download

      • memory/620-151-0x0000000001290000-0x00000000015DA000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/620-150-0x00000000007A0000-0x00000000007A7000-memory.dmp

        Filesize

        28KB

        Download

      • memory/1552-148-0x0000000000400000-0x000000000042E000-memory.dmp

        Filesize

        184KB

        Download

      • memory/1552-141-0x0000000000400000-0x000000000042E000-memory.dmp

        Filesize

        184KB

        Download

      • memory/1552-142-0x0000000000401000-0x000000000042E000-memory.dmp

        Filesize

        180KB

        Download

      • memory/1552-144-0x00000000013B0000-0x00000000016FA000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/1552-143-0x0000000000400000-0x000000000042E000-memory.dmp

        Filesize

        184KB

        Download

      • memory/1552-145-0x0000000000DB0000-0x0000000000DC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1552-149-0x0000000000401000-0x000000000042E000-memory.dmp

        Filesize

        180KB

        Download

      • memory/1552-139-0x0000000000400000-0x000000000042E000-memory.dmp

        Filesize

        184KB

        Download

      • memory/2740-146-0x0000000008670000-0x00000000087FD000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/2740-154-0x0000000003660000-0x00000000037B9000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2740-156-0x0000000003660000-0x00000000037B9000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/3224-132-0x0000000000870000-0x0000000000976000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/3224-136-0x0000000007DC0000-0x0000000007E5C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/3224-135-0x0000000005300000-0x000000000530A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3224-134-0x0000000005320000-0x00000000053B2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/3224-133-0x0000000005990000-0x0000000005F34000-memory.dmp

        Filesize

        5.6MB

        Download