Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
05/10/2023, 08:30 UTC
Static task
static1
Behavioral task
behavioral1
Sample
Doc.exe
Resource
win7-20230831-en
General
-
Target
Doc.exe
-
Size
720KB
-
MD5
6fac1d175f51ebf8890cc785e2eefdaf
-
SHA1
aa50651bfc4f3c2be45f42dda737ac8f5a42b6f5
-
SHA256
a94bcff5683c5d1b1a3cead3d8236c98590ba2ea9b9018d4cc5ff9b67f08dc4e
-
SHA512
ffdedb550a54a943c35a75308d0d6282141d540b3aefd564258a69a84bb20e076564afb89f674648f7723110bf781da80b9a6ab7dc08227ab129870d3ad83971
-
SSDEEP
12288:XMYnQ3j67SESV1eXl8OhA90G/zoEVEKM3vmVFw3Bzfm8nH9X4OvJq4BTaeec7KEC:XBGpOP9f5nH9IO8IeN9EPOQ+zYe
Malware Config
Signatures
-
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydesk.exe.exe Powershell.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydesk.exe.exe Powershell.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2996 set thread context of 2512 2996 Doc.exe 30 -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2512 Doc.exe 2512 Doc.exe 2640 Powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2996 Doc.exe Token: SeDebugPrivilege 2512 Doc.exe Token: SeDebugPrivilege 2640 Powershell.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 2996 wrote to memory of 2640 2996 Doc.exe 28 PID 2996 wrote to memory of 2640 2996 Doc.exe 28 PID 2996 wrote to memory of 2640 2996 Doc.exe 28 PID 2996 wrote to memory of 2640 2996 Doc.exe 28 PID 2996 wrote to memory of 2512 2996 Doc.exe 30 PID 2996 wrote to memory of 2512 2996 Doc.exe 30 PID 2996 wrote to memory of 2512 2996 Doc.exe 30 PID 2996 wrote to memory of 2512 2996 Doc.exe 30 PID 2996 wrote to memory of 2512 2996 Doc.exe 30 PID 2996 wrote to memory of 2512 2996 Doc.exe 30 PID 2996 wrote to memory of 2512 2996 Doc.exe 30 PID 2996 wrote to memory of 2512 2996 Doc.exe 30 PID 2996 wrote to memory of 2512 2996 Doc.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\Doc.exe"C:\Users\Admin\AppData\Local\Temp\Doc.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Doc.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydesk.exe.exe'2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2640
-
-
C:\Users\Admin\AppData\Local\Temp\Doc.exe"C:\Users\Admin\AppData\Local\Temp\Doc.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2512
-