Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

purchase order.exe

windows7-x64

10

purchase order.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    63s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    26/05/2023, 11:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    purchase order.exe

  • Size

    916KB

  • MD5

    3f626f64cf5f7196bc812ff1814d95f6

  • SHA1

    c7dcf05df40dc04d4f9af38ef7a887ffde68abb5

  • SHA256

    f6a82d751b2c63e135488686a43c60f35c2cda54a5599f450d4c123043e3c6b2

  • SHA512

    ecf5aca2cfc774557f1170d5ba73115a3240831b2b1bf2c7c43b8dd8b2965450efd7c25ed71b0bb0a7e28931ecb5cd614c1cf5c3fc318ca2c891813983856413

  • SSDEEP

    12288:KOCmzZBEP85QaC9JhmbdqSNhjwl+eZj17y1a3RplcyqKdxKHwhj5p5U61aNf:h9BEP83O6qSNhjwtIa2DyxKkf5UMM

Score
10/10
darkcloudstealer

Malware Config

Extracted

Family

darkcloud

Attributes

Signatures

  • DarkCloud

    An information stealer written in Visual Basic.

    stealerdarkcloud
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\purchase order.exe
    "C:\Users\Admin\AppData\Local\Temp\purchase order.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1320
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:972

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/972-62-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/972-72-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/972-71-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/972-68-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/972-66-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/972-65-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/972-63-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/972-61-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/1320-57-0x0000000004540000-0x0000000004580000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1320-60-0x00000000052C0000-0x0000000005332000-memory.dmp

    Filesize

    456KB

    Download

  • memory/1320-59-0x00000000058F0000-0x0000000005996000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1320-58-0x00000000004A0000-0x00000000004AA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1320-54-0x0000000000CE0000-0x0000000000DCC000-memory.dmp

    Filesize

    944KB

    Download

  • memory/1320-56-0x0000000000340000-0x0000000000350000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1320-55-0x0000000004540000-0x0000000004580000-memory.dmp

    Filesize

    256KB

    Download