Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
-
submitted
12/10/2023, 15:43
General
-
Target
Invoice.exe
-
Size
619KB
-
MD5
9b72692e206d68443a96079389898ee5
-
SHA1
8512515d696683c9c994f9fd8878b1b3b80299d9
-
SHA256
9886fa5dd072d4bb23ea5353ac0014d36b5425f49fdb0b315a2ed54cc5fcc33d
-
SHA512
a265e32d9dc6837cc8a1497c31f5630ab634a7a192c8c361b5ce7350fbe93cfa4c8fe3f77897f34bf0f45dbd45021527a7ff2f6f2b08f5640ce371f062f067f3
-
SSDEEP
12288:KMYnQ3j67SESV1eXl8OhA90pEPsL6U6g7t6+BmTsbqK3l2FzeqCrpoYoujW/:KBwfzSTM+qK12FqreaW/
Malware Config
Signatures
-
Drops startup file 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Invoice.exe"C:\Users\Admin\AppData\Local\Temp\Invoice.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Invoice.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydesk.exe.exe'2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\Invoice.exe"C:\Users\Admin\AppData\Local\Temp\Invoice.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
552KB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
140KB
-
Filesize
168KB
-
Filesize
140KB
-
Filesize
640KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
6.9MB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
256KB