Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

Revised invoice.exe

windows7-x64

7

Revised invoice.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    02/11/2023, 10:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Revised invoice.exe

  • Size

    656KB

  • MD5

    20ad07241b54c7690a5914b6069151b2

  • SHA1

    b631e2d6910155d57982f27a0cebea4d5695c08b

  • SHA256

    9ab77e961ee2eaaee3da8d49b8f9f09444b279c6f258cf8e9769e4a16c22fbd4

  • SHA512

    8e851c4230926b9f7751b0ee779802318878fb127a7cbce16240bbf5b38fd4fd0d518b5594ee0d19e1b01420a339525d50abcff23420987ffbd2e590d052eeeb

  • SSDEEP

    12288:DODN9e6QLaK0//g91Xp3vjb3SMJeHH6GpP6TitTPuvdXp/Oat:yD3e6QLEWoRHvpPS

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1324
    • C:\Users\Admin\AppData\Local\Temp\Revised invoice.exe
      "C:\Users\Admin\AppData\Local\Temp\Revised invoice.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1576
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:2688
    • C:\Windows\SysWOW64\unregmp2.exe
      "C:\Windows\SysWOW64\unregmp2.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2828
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:2216

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\bxh06jy.zip
      Filesize

      433KB

      MD5

      ecc8ac417181d4885ef8c208d1f073dc

      SHA1

      33154e45485bc0ae3bb0203ffcb9baaaed4038d3

      SHA256

      d01c69d09282f9050f6b113c45884fe9b9abf3bdf5bd93b45927d9b6bfb233fe

      SHA512

      f7601763447bed9b7b45fef2bd584da669636d2657c6066516c949e713ce1caf0641a1889345e92e584b84f438fa19029d13c6f6f1583d35fcc1eb3f998631da

      Download Submit

    • \Users\Admin\AppData\Local\Temp\sqlite3.dll
      Filesize

      828KB

      MD5

      d5ea9b5814553bd2f9bbb8bf0ea94ed6

      SHA1

      29629836c088dcd968efb321832edcbcfaac5b51

      SHA256

      5ea67d6b7f67301ca214af511740f26b9e6cc9e16b2c0ec7bba071d05b9bde78

      SHA512

      6867452995c8354622fe22ce4fb4868d2b9cb28bb31aa60b42f06e494b952f66c427aa66c7af09240954bf55ebcde62d4c7feb9d99e742ea3bc5beb3756a7a1e

      Download Submit

    • memory/1324-18-0x0000000007080000-0x0000000008043000-memory.dmp

      Filesize

      15.8MB

      Download

    • memory/1324-25-0x0000000007080000-0x0000000008043000-memory.dmp

      Filesize

      15.8MB

      Download

    • memory/1324-29-0x0000000004C70000-0x0000000004D80000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/1324-31-0x0000000004C70000-0x0000000004D80000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/1576-3-0x00000000005C0000-0x00000000005CE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1576-7-0x0000000007270000-0x00000000072EC000-memory.dmp

      Filesize

      496KB

      Download

    • memory/1576-6-0x0000000000890000-0x000000000089A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1576-5-0x0000000007340000-0x0000000007380000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1576-4-0x00000000745E0000-0x0000000074CCE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1576-1-0x00000000745E0000-0x0000000074CCE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1576-2-0x0000000007340000-0x0000000007380000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1576-13-0x00000000745E0000-0x0000000074CCE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1576-0-0x0000000000FA0000-0x000000000104A000-memory.dmp

      Filesize

      680KB

      Download

    • memory/2688-16-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/2688-11-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/2688-17-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/2688-14-0x0000000000B90000-0x0000000000E93000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/2688-19-0x0000000000190000-0x00000000001AF000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2688-15-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/2688-8-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/2688-22-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/2688-9-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/2688-10-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2688-12-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/2828-20-0x0000000000130000-0x000000000016A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/2828-27-0x0000000000130000-0x000000000016A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/2828-26-0x0000000000860000-0x00000000008FE000-memory.dmp

      Filesize

      632KB

      Download

    • memory/2828-30-0x0000000000860000-0x00000000008FE000-memory.dmp

      Filesize

      632KB

      Download

    • memory/2828-24-0x0000000000130000-0x000000000016A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/2828-23-0x0000000002080000-0x0000000002383000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/2828-21-0x0000000000130000-0x000000000016A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/2828-72-0x0000000061E00000-0x0000000061EBC000-memory.dmp

      Filesize

      752KB

      Download