Analysis
max time kernel: 151s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/03/2023, 18:54
The signatures and process tree below are from the Windows 10 run (behavioral2, win10v2004-20230221-en).
Static task: static1
Behavioral task: behavioral1
  Sample: DHL Shipment Document.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: DHL Shipment Document.exe
  Resource: win10v2004-20230221-en
General
Target: DHL Shipment Document.exe
Size: 2.0MB
MD5: 852ecbb34661097c525cc541fcc8f093
SHA1: 1bad774af30e8ebd3acbfd16d02446529a9018f9
SHA256: 70bc64f3d04300d8a41114c1676cca08abdd2d69ecf37e05ae38a8461f8bf5cc
SHA512: 90a043575f91285e89dc5782138664513d53141e373a8dd779c7116cbee5613b609eb6b02aacde4979e553518156fdd5c9408239ee22c527a395b5508b1412f4
SSDEEP: 24576:p1v1MN0slyRnfYSIZozmwF2ny/v/LtGZsYjot02EgwT83Zm+cobMvvyThQcYAwv1:p1v1MN0slyz/s59jmkS
Malware Config
Signatures
Checks computer location settings  (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
  description        ioc                                                                                        Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation  DHL Shipment Document.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation  RegAsm.exe
The same lookup from both the sample and RegAsm.exe is consistent with the same payload code running in both processes (RegAsm.exe is the injection target in the SetThreadContext table below).
Suspicious use of SetThreadContext  (3 IoCs)
  description             pid   Process                    procid_target
  PID 2788 set thread context of 1436  2788  DHL Shipment Document.exe  90
  PID 1436 set thread context of 3128  1436  RegAsm.exe                 52
  PID 4732 set thread context of 3128  4732  netsh.exe                  52
Enumerates physical storage devices  (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this "likely ransomware behaviour", but the heuristic fires on any drive enumeration; nothing else in this report (no file encryption, no mass file writes) supports a ransomware classification, so treat it as weak evidence on its own. No individual IoC is listed for this signature.
Program crash  (1 IoCs)
  pid   pid_target  Process       procid_target
  4124  3096        WerFault.exe  93
  (WerFault.exe handling the crash of PID 3096, Firefox.exe; see the process tree below.)
Modifies Internet Explorer settings  (1 IoCs)
  description  ioc                                                                                                              Process
  Key created  \Registry\User\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  netsh.exe
  (IntelliForms\Storage2 is where Internet Explorer keeps AutoComplete form and credential data. netsh.exe has no legitimate reason to create it; this is consistent with injected code in PID 4732 looking for stored browser credentials.)
Suspicious behavior: EnumeratesProcesses  (56 IoCs)
  pid   Process         rows
  4784  powershell.exe  2
  1436  RegAsm.exe      8
  4732  netsh.exe       46 (the remaining rows)
Suspicious behavior: GetForegroundWindowSpam  (1 IoCs)
  pid   Process
  3128  Explorer.EXE
  (Explorer.EXE is not the sample; it is the process both RegAsm.exe and netsh.exe set a thread context in, so the foreground-window polling is attributed to it.)
Suspicious behavior: MapViewOfSection  (7 IoCs)
  pid   Process     rows
  1436  RegAsm.exe  3
  4732  netsh.exe   4
Suspicious use of AdjustPrivilegeToken  (13 IoCs)
  Token                     pid   Process         rows
  SeDebugPrivilege          4784  powershell.exe  1
  SeDebugPrivilege          1436  RegAsm.exe      1
  SeDebugPrivilege          4732  netsh.exe       1
  SeShutdownPrivilege       3128  Explorer.EXE    5
  SeCreatePagefilePrivilege 3128  Explorer.EXE    5
  (Explorer toggling SeShutdownPrivilege and SeCreatePagefilePrivilege is normal shell behaviour; SeDebugPrivilege in RegAsm.exe and netsh.exe is the notable part, since neither needs it for its legitimate job.)
Suspicious use of WriteProcessMemory  (15 IoCs)
  description                    pid   Process                    procid_target  rows
  PID 2788 wrote to memory of 4784  2788  DHL Shipment Document.exe  85             3
  PID 2788 wrote to memory of 1436  2788  DHL Shipment Document.exe  90             6
  PID 3128 wrote to memory of 4732  3128  Explorer.EXE               92             3
  PID 4732 wrote to memory of 3096  4732  netsh.exe                  93             3
  (Every row is a parent writing into its own child. A parent writes to a new child's memory on process creation, so this table on its own is not evidence of injection; the rows that also appear in the SetThreadContext table, 2788 -> 1436, are the ones that complete the hollowing pattern.)
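The SetThreadContext and WriteProcessMemory tables above only become meaningful when read together with the process tree: a parent that spawns, writes into, and then re-points a thread in the same child is hollowing it, while SetThreadContext on a process the caller did not create is a hijack of an already-running process. The following is an added example (not part of the Triage report or its signature engine) that transcribes this report's process list and the two event tables into constructed Python data and derives the injection chain from them; the function names and the reachability heuristic are this example's own.

```python
from collections import defaultdict, deque
from typing import Dict, List, Set, Tuple

# Process list transcribed from this report's process tree: pid -> (image, parent pid).
# Parent 0 marks a process whose parent is not shown in the report (constructed data).
PROCESSES: Dict[int, Tuple[str, int]] = {
    3128: ("Explorer.EXE", 0),
    2788: ("DHL Shipment Document.exe", 3128),
    4784: ("powershell.exe", 2788),
    1436: ("RegAsm.exe", 2788),
    4732: ("netsh.exe", 3128),
    3096: ("Firefox.exe", 4732),
    4124: ("WerFault.exe", 3096),
    4152: ("WerFault.exe", 0),
}

# (source pid, target pid) pairs transcribed from the two signature tables above.
SET_THREAD_CONTEXT: List[Tuple[int, int]] = [(2788, 1436), (1436, 3128), (4732, 3128)]
WRITE_PROCESS_MEMORY: List[Tuple[int, int]] = (
    [(2788, 4784)] * 3 + [(2788, 1436)] * 6 + [(3128, 4732)] * 3 + [(4732, 3096)] * 3
)

Edge = Tuple[int, int]


def parent_of(procs: Dict[int, Tuple[str, int]], pid: int) -> int:
    return procs[pid][1]


def hollowing_candidates(procs, wpm, stc) -> List[Edge]:
    """Spawned it, wrote into it, then reset one of its threads: the RunPE /
    process-hollowing sequence. WriteProcessMemory alone is not enough, because a
    parent writes the environment block into every child it creates."""
    wrote = set(wpm)
    return sorted(
        (s, t) for (s, t) in set(stc)
        if parent_of(procs, t) == s and (s, t) in wrote
    )


def thread_hijacks(procs, stc) -> List[Edge]:
    """SetThreadContext on a process the caller did not create: execution is being
    redirected inside an already-running process (here the user's Explorer)."""
    return sorted((s, t) for (s, t) in set(stc) if parent_of(procs, t) != s)


def reach_from(procs, seed: int, wpm, stc) -> Set[int]:
    """Every process the seed's code can steer: its children, the processes it
    injected into, and transitively the same for each of those. Counting all
    children of an injected process is an over-approximation without timestamps;
    in this report the only child of Explorer (PID 3128) other than the sample is
    netsh.exe, which Explorer wrote to, so the approximation holds here."""
    edges: Dict[int, Set[int]] = defaultdict(set)
    for pid, (_, ppid) in procs.items():
        if ppid:
            edges[ppid].add(pid)
    for s, t in list(wpm) + list(stc):
        edges[s].add(t)
    seen: Set[int] = set()
    queue = deque([seed])
    while queue:
        cur = queue.popleft()
        for nxt in edges[cur]:
            if nxt != seed and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def label(procs, pid: int) -> str:
    return f"{procs[pid][0]} (PID {pid})"


if __name__ == "__main__":
    for s, t in hollowing_candidates(PROCESSES, WRITE_PROCESS_MEMORY, SET_THREAD_CONTEXT):
        print(f"hollowing:     {label(PROCESSES, s)} -> {label(PROCESSES, t)}")
    for s, t in thread_hijacks(PROCESSES, SET_THREAD_CONTEXT):
        print(f"thread hijack: {label(PROCESSES, s)} -> {label(PROCESSES, t)}")
    reached = reach_from(PROCESSES, 2788, WRITE_PROCESS_MEMORY, SET_THREAD_CONTEXT)
    print("reached from the sample:", ", ".join(label(PROCESSES, p) for p in sorted(reached)))
```

On this report's data the hollowing check returns only 2788 -> 1436 (the sample into RegAsm.exe), the hijack check returns 1436 -> 3128 and 4732 -> 3128 (RegAsm.exe and then netsh.exe into Explorer), and the reachability walk shows that everything under netsh.exe, Firefox.exe included, traces back to the sample even though Explorer, not the sample, is its parent.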
Processes
C:\Windows\Explorer.EXE  (PID 3128, depth 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document.exe  (PID 2788, depth 2, child of 3128)
    command line: "C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 4784, depth 3, child of 2788)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
      The command line names System32 but the image that ran is the SysWOW64 copy: the sample is a 32-bit process and WoW64 file-system redirection maps the path. The -ENC argument is base64 over UTF-16LE text and decodes to "start-sleep -seconds 20", a 20-second sleep of the kind commonly used as a timing delay in a sandbox.
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 1436, depth 3, child of 2788)
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Started with no arguments, written to and then re-pointed by its parent (see the SetThreadContext and WriteProcessMemory tables): the process-hollowing pattern, with RegAsm.exe as the host for the payload.
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\netsh.exe  (PID 4732, depth 2, child of 3128)
    command line: "C:\Windows\SysWOW64\netsh.exe"
    Its parent is Explorer.EXE, the process RegAsm.exe (PID 1436) redirected via SetThreadContext; netsh.exe in turn sets a thread context in Explorer.EXE (4732 -> 3128) and launches Firefox.exe. netsh.exe has no legitimate reason to start a browser.
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Mozilla Firefox\Firefox.exe  (PID 3096, depth 3, child of 4732)
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
      C:\Windows\system32\WerFault.exe  (PID 4124, depth 4, child of 3096)
        command line: C:\Windows\system32\WerFault.exe -u -p 3096 -s 160
        - Program crash
C:\Windows\system32\WerFault.exe  (PID 4152, depth 1)
  command line: C:\Windows\system32\WerFault.exe -pss -s 476 -p 3096 -ip 3096
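Decoding the powershell.exe command line in the tree above is a routine step when reading a report like this, and it has two traps: the payload is base64 over UTF-16LE rather than UTF-8, and powershell.exe accepts any unambiguous prefix of the switch name (-e, -ec, -enc, -EncodedCommand), so a literal match on "-enc" misses variants. The following is an added example (not part of the Triage report) that extracts and decodes the argument; SAMPLE_CMDLINE is the command line copied from this report, the function names are this example's own.

```python
import base64
from typing import Optional

# Constructed from the process tree above: the powershell.exe command line exactly as
# this report shows it (doubled backslashes are Python string escaping).
SAMPLE_CMDLINE = (
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    "-ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA=="
)

SWITCH = "encodedcommand"


def find_encoded_argument(cmdline: str) -> Optional[str]:
    """Return the base64 blob following an -EncodedCommand style switch, or None.

    Any prefix of "encodedcommand" starting with "e" (-e, -ec, -enc, ...) is
    accepted by powershell.exe, so prefix-match the switch name rather than a
    fixed string. Splitting on whitespace is adequate here: neither the switch
    nor its base64 argument can contain spaces, even if other parts of the
    command line (quoted paths) do.
    """
    tokens = cmdline.split()
    for i in range(len(tokens) - 1):
        tok = tokens[i]
        if len(tok) >= 2 and tok[0] in "-/":
            name = tok[1:].lower()
            if SWITCH.startswith(name):
                return tokens[i + 1].strip("\"'")
    return None


def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand is base64 over UTF-16LE text, not UTF-8. Missing '='
    padding, which some droppers strip, is restored before decoding."""
    padded = blob + "=" * (-len(blob) % 4)
    raw = base64.b64decode(padded, validate=True)
    return raw.decode("utf-16-le")


def decode_powershell_cmdline(cmdline: str) -> Optional[str]:
    """Convenience wrapper: decoded script text, or None if no encoded switch."""
    blob = find_encoded_argument(cmdline)
    return decode_encoded_command(blob) if blob is not None else None


if __name__ == "__main__":
    print(decode_powershell_cmdline(SAMPLE_CMDLINE))  # start-sleep -seconds 20
```

For this report the result is the 20-second sleep noted in the tree. The prefix matching also picks up `-e` and `-ec`, which -ExecutionPolicy (`-ex`, `-ep`) does not collide with, so the function does not misfire on ordinary hardened command lines.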
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82