Analysis

max time kernel: 63s
max time network: 33s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 26/05/2023, 11:41
Static task
static1: 1 signatures

Behavioral task
behavioral1
Sample: purchase order.exe
Resource: win7-20230220-en
7 signatures, 150 seconds
General

Target: purchase order.exe
Size: 916KB
MD5: 3f626f64cf5f7196bc812ff1814d95f6
SHA1: c7dcf05df40dc04d4f9af38ef7a887ffde68abb5
SHA256: f6a82d751b2c63e135488686a43c60f35c2cda54a5599f450d4c123043e3c6b2
SHA512: ecf5aca2cfc774557f1170d5ba73115a3240831b2b1bf2c7c43b8dd8b2965450efd7c25ed71b0bb0a7e28931ecb5cd614c1cf5c3fc318ca2c891813983856413
SSDEEP: 12288:KOCmzZBEP85QaC9JhmbdqSNhjwl+eZj17y1a3RplcyqKdxKHwhj5p5U61aNf:h9BEP83O6qSNhjwtIa2DyxKkf5UMM
Malware Config

Extracted
Family: darkcloud
Attributes:
- email_from
- email_to
Signatures

Uses the VBS compiler for execution (1 TTP)

Suspicious use of SetThreadContext (1 IoC)
description                              pid   Process             procid_target
PID 1320 set thread context of 972       1320  purchase order.exe  28

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
1320  purchase order.exe
1320  purchase order.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid   Process
Token: SeDebugPrivilege  1320  purchase order.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid   Process
972   vbc.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description                          pid   Process             procid_target
PID 1320 wrote to memory of 972      1320  purchase order.exe  28
(the same row is recorded 9 times, one per WriteProcessMemory call)
Processes

C:\Users\Admin\AppData\Local\Temp\purchase order.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\purchase order.exe"
  PID: 1320
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    PID: 972
    - Suspicious use of SetWindowsHookEx
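The signature and process rows above describe one chain: purchase order.exe (PID 1320) enables SeDebugPrivilege, spawns the .NET compiler vbc.exe (PID 972) with no arguments, writes into it nine times, then calls SetThreadContext on it. A compiler launched with an empty command line and then overwritten by its parent is the process-hollowing pattern, and it is what a detection should key on rather than the file hashes. The script below is an added example, not tria.ge code and not part of the report: it rebuilds that chain from a constructed event list modelled on the rows above (the field names, the parent PID 1000 for the sample, and the list of .NET utilities treated as likely hollowing hosts are the author's assumptions, not report data) and flags only the combination spawn + no arguments + WriteProcessMemory + SetThreadContext, so a real compiler run with arguments is left alone.

```python
"""
Flag the process-hollowing chain seen in the report: parent spawns a .NET
framework utility with no arguments, writes into it, then sets its thread
context. Events below are constructed to mirror the report's signature rows.
"""
import ntpath
from collections import defaultdict

# Assumption: .NET framework binaries commonly used as hollowing hosts. This
# list is the author's, not something the report provides; extend as needed.
HOLLOW_HOSTS = {
    "vbc.exe", "csc.exe", "regsvcs.exe", "regasm.exe",
    "msbuild.exe", "installutil.exe", "applaunch.exe",
}

# Constructed events modelled on the report (PIDs 1320/972 and paths as shown
# above; the sample's own parent PID 1000 is invented).
EVENTS = [
    {"type": "process_create", "pid": 1320, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\purchase order.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\purchase order.exe"'},
    {"type": "adjust_privilege", "pid": 1320, "privilege": "SeDebugPrivilege"},
    {"type": "process_create", "pid": 972, "ppid": 1320,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"'},
    *[{"type": "write_process_memory", "pid": 1320, "target": 972} for _ in range(9)],
    {"type": "set_thread_context", "pid": 1320, "target": 972},
]

# Constructed benign control: a compiler invoked with arguments and left alone.
BENIGN_EVENTS = [
    {"type": "process_create", "pid": 500, "ppid": 400,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Temp\build.rsp"'},
]


def command_line_arguments(cmdline: str) -> str:
    """Return everything after the image path (handles a leading quoted path)."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return "" if end == -1 else s[end + 1:].strip()
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def find_hollowing(events):
    """Return one finding per (parent, child) pair matching the hollowing chain."""
    procs = {}                   # pid -> process_create record
    writes = defaultdict(int)    # (writer pid, target pid) -> WriteProcessMemory count
    ctx = set()                  # (setter pid, target pid) seen in SetThreadContext
    debug_priv = set()           # pids that enabled SeDebugPrivilege
    for ev in events:
        t = ev["type"]
        if t == "process_create":
            procs[ev["pid"]] = ev
        elif t == "write_process_memory":
            writes[(ev["pid"], ev["target"])] += 1
        elif t == "set_thread_context":
            ctx.add((ev["pid"], ev["target"]))
        elif t == "adjust_privilege" and ev["privilege"] == "SeDebugPrivilege":
            debug_priv.add(ev["pid"])

    findings = []
    for parent, child in sorted(ctx):
        info = procs.get(child)
        if info is None or info["ppid"] != parent:
            continue  # context change on a process it did not spawn: not this pattern
        base = ntpath.basename(info["image"]).lower()
        if base not in HOLLOW_HOSTS:
            continue
        if command_line_arguments(info["cmdline"]):
            continue  # a real compiler run carries arguments; a hollowed host has none
        if writes[(parent, child)] == 0:
            continue  # SetThreadContext without prior writes is a different technique
        findings.append({
            "parent_pid": parent,
            "parent_image": ntpath.basename(procs[parent]["image"]) if parent in procs else None,
            "child_pid": child,
            "child_image": base,
            "memory_writes": writes[(parent, child)],
            "parent_took_debug_privilege": parent in debug_priv,
        })
    return findings


if __name__ == "__main__":
    for f in find_hollowing(EVENTS):
        print(f"hollowing: {f['parent_image']} ({f['parent_pid']}) -> "
              f"{f['child_image']} ({f['child_pid']}), {f['memory_writes']} writes, "
              f"SeDebugPrivilege={f['parent_took_debug_privilege']}")
    print("benign control findings:", find_hollowing(BENIGN_EVENTS))
```

The event schema is the author's; real telemetry (Sysmon process-create and access events, ETW, or an EDR feed) exposes different field names, and the report's procid_target value 28 is a tria.ge-internal process id, not a Windows PID, so map fields before reusing the logic. The no-arguments test is the check that keeps build servers quiet: vbc.exe invoked by a genuine compile always carries a command line.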