Analysis
max time kernel: 118s
max time network: 122s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64 arch:x86 image:win7-20230712-en locale:en-us os:windows7-x64 system
submitted: 02/08/2023, 07:28
Static task: static1
Behavioral task: behavioral1
Sample: Shipment document.exe
Resource: win7-20230712-en
Behavioral task: behavioral2
Sample: Shipment document.exe
Resource: win10v2004-20230703-en
General
Target: Shipment document.exe
Size: 664KB
MD5: a8cd4eaa803c78d7d60de36ddea14cca
SHA1: c5a605e276de95ece9098f8effd28d54aaf41edc
SHA256: 3a04516d71e6a24f0f20da46230239ca177e6c1d76cb887948344694e2a376a4
SHA512: 91a063a80bb01cfdc44edd48c8959eed1439709bac69fbab05b3157e5186062cfd8e15752c29812dc0fb8cf21cb1cd2f216b938ac09e7d4ec4c06a5e33969f47
SSDEEP: 12288:3g7JduIEEnU6ANYZZQkyVy55elgBrjwt1GyR07zjzMxsFleptgRCtQoHb9HBENmC:3g7yIEtpYLQq5omwtQoKz7F+iRCmoxwh
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows\CurrentVersion\Run\wSStSI = "C:\\Users\\Admin\\AppData\\Roaming\\wSStSI\\wSStSI.exe" | MSBuild.exe

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
4 | api.ipify.org
5 | api.ipify.org

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2640 set thread context of 2912 | 2640 | Shipment document.exe | 35

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2520 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (7 IoCs)
pid | Process
2640 | Shipment document.exe
2640 | Shipment document.exe
2640 | Shipment document.exe
2640 | Shipment document.exe
2912 | MSBuild.exe
2912 | MSBuild.exe
2084 | powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2640 | Shipment document.exe
Token: SeDebugPrivilege | 2912 | MSBuild.exe
Token: SeDebugPrivilege | 2084 | powershell.exe

Suspicious use of WriteProcessMemory (21 IoCs)
description | pid | Process | procid_target
PID 2640 wrote to memory of 2084 | 2640 | Shipment document.exe | 30
PID 2640 wrote to memory of 2084 | 2640 | Shipment document.exe | 30
PID 2640 wrote to memory of 2084 | 2640 | Shipment document.exe | 30
PID 2640 wrote to memory of 2084 | 2640 | Shipment document.exe | 30
PID 2640 wrote to memory of 2520 | 2640 | Shipment document.exe | 32
PID 2640 wrote to memory of 2520 | 2640 | Shipment document.exe | 32
PID 2640 wrote to memory of 2520 | 2640 | Shipment document.exe | 32
PID 2640 wrote to memory of 2520 | 2640 | Shipment document.exe | 32
PID 2640 wrote to memory of 2188 | 2640 | Shipment document.exe | 34
PID 2640 wrote to memory of 2188 | 2640 | Shipment document.exe | 34
PID 2640 wrote to memory of 2188 | 2640 | Shipment document.exe | 34
PID 2640 wrote to memory of 2188 | 2640 | Shipment document.exe | 34
PID 2640 wrote to memory of 2912 | 2640 | Shipment document.exe | 35
PID 2640 wrote to memory of 2912 | 2640 | Shipment document.exe | 35
PID 2640 wrote to memory of 2912 | 2640 | Shipment document.exe | 35
PID 2640 wrote to memory of 2912 | 2640 | Shipment document.exe | 35
PID 2640 wrote to memory of 2912 | 2640 | Shipment document.exe | 35
PID 2640 wrote to memory of 2912 | 2640 | Shipment document.exe | 35
PID 2640 wrote to memory of 2912 | 2640 | Shipment document.exe | 35
PID 2640 wrote to memory of 2912 | 2640 | Shipment document.exe | 35
PID 2640 wrote to memory of 2912 | 2640 | Shipment document.exe | 35
Processes
- C:\Users\Admin\AppData\Local\Temp\Shipment document.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Shipment document.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2640
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JgThWkWBNlCuk.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2084
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JgThWkWBNlCuk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7F7C.tmp"
    - Creates scheduled task(s)
    PID: 2520
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    PID: 2188
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2912
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 687471f8b29587ba6610dd99c4c601b8
SHA1: 88ee7d3bd66fc2c3005dffb3a04063301186fab2
SHA256: d210f7f23f1aa3693d0dd3e329c9dc9ba292c92543c2c68602d3409bf12f9f83
SHA512: 664fec3af55fb3ff418ce0ce5944724c08234920ca796915365ebdc89f24abe4acc083bb2fff24f1c96f473118f0ef77bb730e0d20fb16119992db2146137390