Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
44s -
max time network
48s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
02/02/2023, 14:24
Static task
static1
Behavioral task
behavioral1
Sample
Product presentation.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
Product presentation.exe
Resource
win10v2004-20220812-en
General
-
Target
Product presentation.exe
-
Size
1.2MB
-
MD5
d81ed82ea53f8e56bb98eaaef98f4d80
-
SHA1
01d76f1b404b125a7b8bf3f3829101124965ad9a
-
SHA256
f90d2b7322438acc8decf28392f29916b9b87ce99072f867d3e278ce6fc295fb
-
SHA512
49b6b1306d27cf347673c2e8641ea377a941b0f2689e648130fe28fbc7e519a8744b61a9d2635c800c2074af148ff41d6bc2093aa1b73e98670a7aab135f6a3f
-
SSDEEP
24576:QpbnahUHVL9XoveLj48xCbGmx31VprkdhVKfhoyNDjgGKySlXYrZSD:QpuKHXLU8kb11/JeyNDjgxySeZSD
Malware Config
Signatures
-
Detect PureCrypter injector 1 IoCs
resource yara_rule behavioral1/memory/2024-55-0x0000000004E50000-0x00000000050C0000-memory.dmp family_purecrypter -
PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Product presentation.exe Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Product presentation.exe Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Product presentation.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sxvtzhi = "\"C:\\Users\\Admin\\AppData\\Roaming\\Wklnwuncgsj\\Sxvtzhi.exe\"" Product presentation.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2024 set thread context of 820 2024 Product presentation.exe 29 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1732 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2024 Product presentation.exe Token: SeDebugPrivilege 1732 powershell.exe Token: SeDebugPrivilege 820 Product presentation.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 2024 wrote to memory of 1732 2024 Product presentation.exe 27 PID 2024 wrote to memory of 1732 2024 Product presentation.exe 27 PID 2024 wrote to memory of 1732 2024 Product presentation.exe 27 PID 2024 wrote to memory of 1732 2024 Product presentation.exe 27 PID 2024 wrote to memory of 820 2024 Product presentation.exe 29 PID 2024 wrote to memory of 820 2024 Product presentation.exe 29 PID 2024 wrote to memory of 820 2024 Product presentation.exe 29 PID 2024 wrote to memory of 820 2024 Product presentation.exe 29 PID 2024 wrote to memory of 820 2024 Product presentation.exe 29 PID 2024 wrote to memory of 820 2024 Product presentation.exe 29 PID 2024 wrote to memory of 820 2024 Product presentation.exe 29 PID 2024 wrote to memory of 820 2024 Product presentation.exe 29 PID 2024 wrote to memory of 820 2024 Product presentation.exe 29 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Product presentation.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Product presentation.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Product presentation.exe"C:\Users\Admin\AppData\Local\Temp\Product presentation.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1732
-
-
C:\Users\Admin\AppData\Local\Temp\Product presentation.exe"C:\Users\Admin\AppData\Local\Temp\Product presentation.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:820
-