Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

2023 Custo...oc.exe

windows7-x64

6

2023 Custo...oc.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    118s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    06/10/2023, 13:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2023 Customer Information Export(1).doc.exe

  • Size

    690KB

  • MD5

    decf06be9f0c0eed2d93bf190ba4b99b

  • SHA1

    e4aa992415440850a9e0a17b2038c066d952bf4f

  • SHA256

    4d845e9e862b6cc61cf4909f4c16c2330483ba62d32c977c0080020a841bf3e1

  • SHA512

    a00a7ffba5a666d19fdeccf7c8520e1bee55f72bbe6e4802565b131040adfeb5e1590af23d8d066ef2d38b63aeb51ac1bbc203b07c7ccc252b8d78315ece8ec3

  • SSDEEP

    12288:s44lO9ZVrJDoPAYzy8DjzzUl1XW9OSJLIF:s44lkl0N2kzzu1XW9OOMF

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2023 Customer Information Export(1).doc.exe
    "C:\Users\Admin\AppData\Local\Temp\2023 Customer Information Export(1).doc.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1864
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hETSNfSV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC4C5.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2716
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "{path}"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2696

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpC4C5.tmp
    Filesize

    1KB

    MD5

    7a4b5ddbc2fde0420c865b316e276959

    SHA1

    29a0f9f4ad1dc3291c63c1a022e9a0e290fe9cb3

    SHA256

    358f2b79797d56b37f28df9532b31a6d822365ccdd9c619d98865d72b631af6c

    SHA512

    86f4cf6e53b6e854ee2f4d6a668bb475a37f6fc22295fa30c2356cf0cd635f67b0d4921d4f1efbf216991b6dd7f8f8cd27eaf7c495024c9c692d420dc2f2a1fc

    Download Submit

  • memory/1864-1-0x00000000744C0000-0x0000000074BAE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1864-0-0x0000000000230000-0x00000000002E2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/1864-2-0x0000000004D80000-0x0000000004DC0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1864-3-0x000000007EF40000-0x000000007EF50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1864-4-0x00000000003D0000-0x00000000003DC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1864-5-0x00000000744C0000-0x0000000074BAE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1864-6-0x0000000004D80000-0x0000000004DC0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1864-7-0x000000007EF40000-0x000000007EF50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1864-8-0x0000000005260000-0x00000000052DE000-memory.dmp

    Filesize

    504KB

    Download

  • memory/1864-9-0x0000000002060000-0x00000000020A2000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1864-24-0x00000000744C0000-0x0000000074BAE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2696-14-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2696-15-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2696-16-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2696-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2696-19-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2696-21-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2696-23-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2696-13-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2696-25-0x00000000744C0000-0x0000000074BAE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2696-26-0x0000000004980000-0x00000000049C0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2696-29-0x00000000744C0000-0x0000000074BAE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2696-30-0x0000000004980000-0x00000000049C0000-memory.dmp

    Filesize

    256KB

    Download