Analysis
- max time kernel: 120s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20230712-en
- resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
- submitted: 25/08/2023, 15:02
Static task: static1
Behavioral task: behavioral1
- Sample: PAYMENT BANK INSTRUCTION COPY.exe
- Resource: win7-20230712-en
Behavioral task: behavioral2
- Sample: PAYMENT BANK INSTRUCTION COPY.exe
- Resource: win10v2004-20230703-en
General
- Target: PAYMENT BANK INSTRUCTION COPY.exe
- Size: 495KB
- MD5: ef485efc8a94d9e7fc3bb0379a44f084
- SHA1: 6aa85df83a914bf32bd5165cd1299d26f1905dfb
- SHA256: 378f4daa6190153fc7f9cac724c04ad425e83918d92cfd3a186bceab66bae343
- SHA512: 0939bbfa97c2fb302b32c5f6598bbd510a203fc59dfc4c8a4e6b1105dff998f405903487e9c70439a51225ce3693f40baf85c9bb335a4a60023ef87717bac332
- SSDEEP: 12288:2nXB9dO8KsqQnirS0DSngIE0SCAtRnZagLCWh:2R9M8Kj9SJgT0sVZnLCWh
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 2736: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid 2164: PAYMENT BANK INSTRUCTION COPY.exe (5 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeDebugPrivilege, pid 2164: PAYMENT BANK INSTRUCTION COPY.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  PID 2164 (PAYMENT BANK INSTRUCTION COPY.exe) wrote to memory of PID 2736, procid_target 30 (4 entries)
  PID 2164 (PAYMENT BANK INSTRUCTION COPY.exe) wrote to memory of PID 2828, procid_target 32 (4 entries)
  PID 2164 (PAYMENT BANK INSTRUCTION COPY.exe) wrote to memory of PID 2712, procid_target 33 (4 entries)
  PID 2164 (PAYMENT BANK INSTRUCTION COPY.exe) wrote to memory of PID 2708, procid_target 34 (4 entries)
  PID 2164 (PAYMENT BANK INSTRUCTION COPY.exe) wrote to memory of PID 2728, procid_target 35 (4 entries)
  PID 2164 (PAYMENT BANK INSTRUCTION COPY.exe) wrote to memory of PID 2744, procid_target 36 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\PAYMENT BANK INSTRUCTION COPY.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PAYMENT BANK INSTRUCTION COPY.exe"
  PID: 2164
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LPuYvaJpW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE4F2.tmp"
    PID: 2736
    Signatures: Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\PAYMENT BANK INSTRUCTION COPY.exe (depth 2)
    Command line: "{path}"
    PID: 2828
  - C:\Users\Admin\AppData\Local\Temp\PAYMENT BANK INSTRUCTION COPY.exe (depth 2)
    Command line: "{path}"
    PID: 2712
  - C:\Users\Admin\AppData\Local\Temp\PAYMENT BANK INSTRUCTION COPY.exe (depth 2)
    Command line: "{path}"
    PID: 2708
  - C:\Users\Admin\AppData\Local\Temp\PAYMENT BANK INSTRUCTION COPY.exe (depth 2)
    Command line: "{path}"
    PID: 2728
  - C:\Users\Admin\AppData\Local\Temp\PAYMENT BANK INSTRUCTION COPY.exe (depth 2)
    Command line: "{path}"
    PID: 2744
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 52ded2d3d5db403471e3938b79744076
  SHA1: d8683e240d5bf8f5e8f486ca051d2546f394a16f
  SHA256: 228b82fb96490804934c461f22e23a87f9de942f1b206468fb8a820eeb1ff05d
  SHA512: 23c0cde17e2821a7471c44e50f435bd71b4107a2dc9e627e6d5fcec09e069169a04b361c9f649ba0a9ce7edd0872ffac12c46b3d8b1ca3a295b7648ff1dce156