Analysis
- max time kernel: 122s
- max time network: 130s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 11/10/2023, 17:11
Static task: static1
Behavioral task: behavioral1
Sample: Confirmation.exe
Resource: win7-20230831-en
General
- Target: Confirmation.exe
- Size: 884KB
- MD5: 29af861baff3d90185ed2ea3d47482d6
- SHA1: ce58279e89cd1ccbb88b37e32be7d0115c9f1572
- SHA256: e95d1407329d9bf135e8e44cf041709c4ce426d62144c772374d9b782f3bb399
- SHA512: 1277277c73e4d87e29add0112aac81a4b8edeada4fe49216cc6707c0cfc1c2cca9f522558c90243271da43a33715dada7a4e58933d5f4cc71839b31a3e570bf9
- SSDEEP: 12288:PnX9K7iSxwfEHtrXTutnP/XGvGVfb9Pke7Qs5RcFbpEK:PntU7NHtvenP/5fbZJMs5RMpE
Malware Config
Signatures
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 1272 set thread context of 2936 | 1272 | Confirmation.exe | 36
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2664 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | Process
  1272 | Confirmation.exe
  1272 | Confirmation.exe
  2936 | Confirmation.exe
  2936 | Confirmation.exe
  2708 | powershell.exe
  2852 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1272 | Confirmation.exe
  Token: SeDebugPrivilege | 2936 | Confirmation.exe
  Token: SeDebugPrivilege | 2708 | powershell.exe
  Token: SeDebugPrivilege | 2852 | powershell.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  description | pid | Process | procid_target
  PID 1272 wrote to memory of 2708 | 1272 | Confirmation.exe | 30
  PID 1272 wrote to memory of 2708 | 1272 | Confirmation.exe | 30
  PID 1272 wrote to memory of 2708 | 1272 | Confirmation.exe | 30
  PID 1272 wrote to memory of 2708 | 1272 | Confirmation.exe | 30
  PID 1272 wrote to memory of 2852 | 1272 | Confirmation.exe | 32
  PID 1272 wrote to memory of 2852 | 1272 | Confirmation.exe | 32
  PID 1272 wrote to memory of 2852 | 1272 | Confirmation.exe | 32
  PID 1272 wrote to memory of 2852 | 1272 | Confirmation.exe | 32
  PID 1272 wrote to memory of 2664 | 1272 | Confirmation.exe | 34
  PID 1272 wrote to memory of 2664 | 1272 | Confirmation.exe | 34
  PID 1272 wrote to memory of 2664 | 1272 | Confirmation.exe | 34
  PID 1272 wrote to memory of 2664 | 1272 | Confirmation.exe | 34
  PID 1272 wrote to memory of 2936 | 1272 | Confirmation.exe | 36
  PID 1272 wrote to memory of 2936 | 1272 | Confirmation.exe | 36
  PID 1272 wrote to memory of 2936 | 1272 | Confirmation.exe | 36
  PID 1272 wrote to memory of 2936 | 1272 | Confirmation.exe | 36
  PID 1272 wrote to memory of 2936 | 1272 | Confirmation.exe | 36
  PID 1272 wrote to memory of 2936 | 1272 | Confirmation.exe | 36
  PID 1272 wrote to memory of 2936 | 1272 | Confirmation.exe | 36
  PID 1272 wrote to memory of 2936 | 1272 | Confirmation.exe | 36
  PID 1272 wrote to memory of 2936 | 1272 | Confirmation.exe | 36
Processes
- C:\Users\Admin\AppData\Local\Temp\Confirmation.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Confirmation.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1272
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Confirmation.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2708
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\chpJlUq.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2852
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\chpJlUq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDF48.tmp"
    - Creates scheduled task(s)
    PID: 2664
  - C:\Users\Admin\AppData\Local\Temp\Confirmation.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Confirmation.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2936
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: d16b81e166a60949670fb8f58ae8ee30
  SHA1: 70e836a7844bfd6c4e4bf211a6d6829ffb0414e7
  SHA256: 4e5982f77b17070e402772400ca468ec7cfe30e89f11c4d3f5c6d7882f15d3bf
  SHA512: 54eab8608ddeca611a298c00783a7f5734b0046df49f2d1797a3431be22d1e8c1755c1d1c0890f66e9975a47b7e534a7c611738d517ceb34d1fc68feb1ed7390
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\34QUD8H2UEE5WA43R3SN.temp
  Filesize: 7KB
  MD5: f08903e70fd442d73e8b45f75af57288
  SHA1: 9d1de49eb43500069ff19ff056f94b7cf67bd32c
  SHA256: 9d500b3f4280f987f094bde3df3de1a28f67482a40e122bfbe95e0318117f85e
  SHA512: 2df3b69f30490f2eab526a4b20c92605485ed96fdf1c17353293ab1e5d08ece9ccbe2fd8c33766b884c25c6167612729b307b1717a3d9897bea133ed56847a61
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: f08903e70fd442d73e8b45f75af57288
  SHA1: 9d1de49eb43500069ff19ff056f94b7cf67bd32c
  SHA256: 9d500b3f4280f987f094bde3df3de1a28f67482a40e122bfbe95e0318117f85e
  SHA512: 2df3b69f30490f2eab526a4b20c92605485ed96fdf1c17353293ab1e5d08ece9ccbe2fd8c33766b884c25c6167612729b307b1717a3d9897bea133ed56847a61