Analysis
- max time kernel: 139s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/05/2023, 11:41
Static task
- static1: 1 signature

Behavioral task
- behavioral1
- Sample: purchase order.exe
- Resource: win7-20230220-en
- 7 signatures
- 150 seconds
General
- Target: purchase order.exe
- Size: 916KB
- MD5: 3f626f64cf5f7196bc812ff1814d95f6
- SHA1: c7dcf05df40dc04d4f9af38ef7a887ffde68abb5
- SHA256: f6a82d751b2c63e135488686a43c60f35c2cda54a5599f450d4c123043e3c6b2
- SHA512: ecf5aca2cfc774557f1170d5ba73115a3240831b2b1bf2c7c43b8dd8b2965450efd7c25ed71b0bb0a7e28931ecb5cd614c1cf5c3fc318ca2c891813983856413
- SSDEEP: 12288:KOCmzZBEP85QaC9JhmbdqSNhjwl+eZj17y1a3RplcyqKdxKHwhj5p5U61aNf:h9BEP83O6qSNhjwtIa2DyxKkf5UMM
Malware Config
Extracted
- Family: darkcloud
- Attributes: email_from, email_to
Signatures

- Uses the VBS compiler for execution (1 TTP)
  vbc.exe is the Microsoft-signed Visual Basic .NET command-line compiler shipped with the .NET Framework; here it is not compiling anything but serves as the host process the sample injects into (see the SetThreadContext and WriteProcessMemory events below).

- Suspicious use of SetThreadContext (1 IoC)
  description                           | pid  | Process            | procid_target
  PID 3812 set thread context of 4804   | 3812 | purchase order.exe | 92

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid  | Process
  3812 | purchase order.exe
  3812 | purchase order.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description             | pid  | Process
  Token: SeDebugPrivilege | 3812 | purchase order.exe

- Suspicious use of SetWindowsHookEx (1 IoC)
  pid  | Process
  4804 | vbc.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  description                      | pid  | Process            | procid_target
  PID 3812 wrote to memory of 4804 | 3812 | purchase order.exe | 92
  (the same row is recorded 8 times: eight separate writes from PID 3812 into PID 4804)

  The combination of SeDebugPrivilege in the parent, repeated cross-process writes into a freshly started signed binary, and a SetThreadContext call on that binary is the classic process-hollowing sequence; the hooked child (SetWindowsHookEx in vbc.exe) is then the process that actually runs the payload.
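The hollowing pattern recorded in the signatures above can be turned into a small detection. The following Python is an added example, not part of the tria.ge report or its tooling: it parses a few event lines constructed from the PIDs and images on this page (the line format is hypothetical, not a sandbox export format) and flags any parent that both sets the thread context of a child and writes into its memory when the child is a .NET Framework host binary. It generalises from the vbc.exe seen here to its siblings (csc.exe, RegAsm.exe, RegSvcs.exe, MSBuild.exe, InstallUtil.exe), which .NET loaders hollow in the same way.

```python
import re
from collections import defaultdict

# Constructed event lines shaped after the IoC rows of the report above.
# Hypothetical format: <api> <pid> <image> -> <target_pid> <target_image>
SAMPLE_EVENTS = [
    "AdjustPrivilegeToken 3812 purchase order.exe -> 3812 purchase order.exe",
    "SetThreadContext 3812 purchase order.exe -> 4804 vbc.exe",
] + ["WriteProcessMemory 3812 purchase order.exe -> 4804 vbc.exe"] * 8 + [
    "SetWindowsHookEx 4804 vbc.exe -> 4804 vbc.exe",
    # Control case (constructed): a cross-process write with no thread-context
    # change must not be reported.
    "WriteProcessMemory 1234 explorer.exe -> 5678 notepad.exe",
]

EVENT_RE = re.compile(
    r"^(?P<api>\w+)\s+(?P<pid>\d+)\s+(?P<image>.+?)\s+->\s+(?P<tpid>\d+)\s+(?P<timage>.+)$"
)

# Signed .NET Framework binaries commonly used as hollowing hosts. vbc.exe is
# the one this report shows; the others are the generalisation.
DOTNET_HOSTS = {
    "vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe",
}


def parse_events(lines):
    """Yield (api, pid, image, target_pid, target_image); skip malformed lines."""
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            yield m["api"], int(m["pid"]), m["image"], int(m["tpid"]), m["timage"]


def find_hollowing(lines):
    """Return one finding per (parent, child) pair that matches the hollowing rule.

    Rule: a process calls SetThreadContext on a *different* process and also
    calls WriteProcessMemory on it, and that target is a .NET Framework host.
    SeDebugPrivilege in the parent and SetWindowsHookEx in the child are
    recorded as supporting context, not as conditions.
    """
    pairs = defaultdict(lambda: {"set_ctx": 0, "writes": 0, "src": "", "dst": ""})
    privileged = set()   # pids that adjusted their own token
    hooks = set()        # pids that installed a Windows hook
    for api, pid, image, tpid, timage in parse_events(lines):
        if api == "AdjustPrivilegeToken":
            privileged.add(pid)
        elif api == "SetWindowsHookEx":
            hooks.add(pid)
        elif pid != tpid:  # only cross-process activity matters for the rule
            rec = pairs[(pid, tpid)]
            rec["src"], rec["dst"] = image, timage
            if api == "SetThreadContext":
                rec["set_ctx"] += 1
            elif api == "WriteProcessMemory":
                rec["writes"] += 1

    findings = []
    for (pid, tpid), rec in pairs.items():
        if rec["set_ctx"] and rec["writes"] and rec["dst"].lower() in DOTNET_HOSTS:
            findings.append({
                "source_pid": pid,
                "source_image": rec["src"],
                "target_pid": tpid,
                "target_image": rec["dst"],
                "write_count": rec["writes"],
                "source_has_token_adjust": pid in privileged,
                "target_sets_hook": tpid in hooks,
            })
    return findings


if __name__ == "__main__":
    for finding in find_hollowing(SAMPLE_EVENTS):
        print(finding)
```

The rule deliberately requires both the thread-context change and at least one memory write on the same parent/child pair; either call alone is common in legitimate software (debuggers, some installers), which is why the explorer.exe control line is not reported. On a real endpoint the same logic applies to Sysmon-style process access events or to an EDR's API telemetry once the source lines are mapped to the five fields the parser expects.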
Processes

1. C:\Users\Admin\AppData\Local\Temp\purchase order.exe (PID 3812)
   command line: "C:\Users\Admin\AppData\Local\Temp\purchase order.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 4804, child of PID 3812)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      - Suspicious use of SetWindowsHookEx