Analysis
max time kernel: 151s
max time network: 151s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 29/03/2023, 18:54
Static task: static1
Behavioral task: behavioral1
  Sample: DHL Shipment Document.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: DHL Shipment Document.exe
  Resource: win10v2004-20230221-en
General
Target: DHL Shipment Document.exe
Size: 2.0MB
MD5: 852ecbb34661097c525cc541fcc8f093
SHA1: 1bad774af30e8ebd3acbfd16d02446529a9018f9
SHA256: 70bc64f3d04300d8a41114c1676cca08abdd2d69ecf37e05ae38a8461f8bf5cc
SHA512: 90a043575f91285e89dc5782138664513d53141e373a8dd779c7116cbee5613b609eb6b02aacde4979e553518156fdd5c9408239ee22c527a395b5508b1412f4
SSDEEP: 24576:p1v1MN0slyRnfYSIZozmwF2ny/v/LtGZsYjot02EgwT83Zm+cobMvvyThQcYAwv1:p1v1MN0slyz/s59jmkS
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Control Panel\International\Geo\Nation (process: RegAsm.exe)
Loads dropped DLL (1 IoC)
  PID 1420 wuapp.exe
Suspicious use of SetThreadContext (3 IoCs)
  PID 1704 (DHL Shipment Document.exe) set thread context of PID 800 (procid_target 29)
  PID 800 (RegAsm.exe) set thread context of PID 1344 (procid_target 14)
  PID 1420 (wuapp.exe) set thread context of PID 1344 (procid_target 14)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Internet Explorer settings
  Key created: \Registry\User\S-1-5-21-1914912747-3343861975-731272777-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (process: wuapp.exe)
Suspicious behavior: EnumeratesProcesses (22 IoCs)
  PID 696 powershell.exe (1 event)
  PID 800 RegAsm.exe (4 events)
  PID 1420 wuapp.exe (17 events)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1344 Explorer.EXE
Suspicious behavior: MapViewOfSection (7 IoCs)
  PID 800 RegAsm.exe (3 events)
  PID 1420 wuapp.exe (4 events)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, PID 696 powershell.exe
  Token: SeDebugPrivilege, PID 800 RegAsm.exe
  Token: SeDebugPrivilege, PID 1420 wuapp.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 1344 Explorer.EXE (2 events)
Suspicious use of SendNotifyMessage (2 IoCs)
  PID 1344 Explorer.EXE (2 events)
Suspicious use of WriteProcessMemory (26 IoCs)
  PID 1704 (DHL Shipment Document.exe) wrote to memory of PID 696 (procid_target 27), 4 events
  PID 1704 (DHL Shipment Document.exe) wrote to memory of PID 800 (procid_target 29), 10 events
  PID 1344 (Explorer.EXE) wrote to memory of PID 1420 (procid_target 30), 7 events
  PID 1420 (wuapp.exe) wrote to memory of PID 1884 (procid_target 33), 5 events
Processes
C:\Windows\Explorer.EXE (PID 1344)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document.exe (PID 1704)
    Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 696)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
      (the -ENC argument is base64 of UTF-16LE text; decoded it reads: start-sleep -seconds 20)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 800)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\wuapp.exe (PID 1420)
    Command line: "C:\Windows\SysWOW64\wuapp.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\Firefox.exe (PID 1884)
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
File 1
  Filesize: 478KB
  MD5: 72b88067a5a1a4f8d52c45e6621d13fe
  SHA1: f84542474b8583f4371749282e5cc4d52661c222
  SHA256: 70a11669bb8ad1099fd7fba9da92e1a75124bef0d16a01fd10dcdc45e9582092
  SHA512: a8bf75fd4f38e4c8dee5e6f2527062c5be21f5a8bae4ea561f4aa28139d65a6f215afb212f1e4857ee482e16e813fc0d63ef8ec43ec94d5f8a722489e89e154d
File 2
  Filesize: 910KB
  MD5: d79258c5189103d69502eac786addb04
  SHA1: f34b33681cfe8ce649218173a7f58b237821c1ef
  SHA256: 57d89a52061d70d87e40281f1196d53273f87860c4d707d667a8c7d9573da675
  SHA512: da797f4dd1ad628aa4e8004b2e00b7c278facbc57a313f56b70dc8fcfbdb0050ea8b025b3475098223cce96ea53537d678273656d46c2d33d81b496d90da34b2