Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 147s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 21/02/2024, 13:23
Static task: static1
Behavioral task: behavioral1
- Sample: Dhl pdf.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: Dhl pdf.exe
- Resource: win10v2004-20240221-en
General
- Target: Dhl pdf.exe
- Size: 1.3MB
- MD5: 0943213bec70ca803563e99519d2a1b6
- SHA1: 6ad538ab1d4552308138f20e8e9b4e81a708d560
- SHA256: 9f708fc26f51a62c4255027c9e07cdc9c885c0453da450735795153ae33f0366
- SHA512: ceb16e920d7f6975412cd1b5115dd2e35ba2e1ec2c2539a296d44284ae6ee189090018e15de3ceb553c91e7e35314de9a9c334968e5e0e914462c60119b6d8f9
- SSDEEP: 24576:JqDEvCTbMWu7rQYlBQcBiT6rprG8aoge3HeYNODu/VC0/pt:JTvC/MTQYxsWR7a7oHeFDuF
Malware Config
Signatures
- Suspicious use of SetThreadContext (4 IoCs)
  description | pid | Process | procid_target
  PID 2652 set thread context of 2676 | 2652 | Dhl pdf.exe | 28
  PID 2676 set thread context of 1192 | 2676 | svchost.exe | 21
  PID 2676 set thread context of 2612 | 2676 | svchost.exe | 29
  PID 2612 set thread context of 1192 | 2612 | HOSTNAME.EXE | 21
- Suspicious behavior: EnumeratesProcesses (32 IoCs; identical rows collapsed with a count)
  pid | Process | occurrences
  2676 | svchost.exe | 8
  2612 | HOSTNAME.EXE | 24
- Suspicious behavior: MapViewOfSection (6 IoCs; identical rows collapsed with a count)
  pid | Process | occurrences
  2652 | Dhl pdf.exe | 1
  2676 | svchost.exe | 1
  1192 | Explorer.EXE | 2
  2612 | HOSTNAME.EXE | 2
- Suspicious use of WriteProcessMemory (9 IoCs; identical rows collapsed with a count)
  description | pid | Process | procid_target | occurrences
  PID 2652 wrote to memory of 2676 | 2652 | Dhl pdf.exe | 28 | 5
  PID 1192 wrote to memory of 2612 | 1192 | Explorer.EXE | 29 | 4
Processes
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE), PID:1192
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Dhl pdf.exe (command line: "C:\Users\Admin\AppData\Local\Temp\Dhl pdf.exe"), PID:2652
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe (command line: "C:\Users\Admin\AppData\Local\Temp\Dhl pdf.exe"), PID:2676
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
  - C:\Windows\SysWOW64\HOSTNAME.EXE (command line: "C:\Windows\SysWOW64\HOSTNAME.EXE"), PID:2612
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 250KB
- MD5: dd1306ebfdddcef5feda4b82b8ea5761
- SHA1: 7b1782dd02a730c75a381ee63a9c0565548d4159
- SHA256: 64d9c1f65ecde38d50faa749b7022e73cf5f49d7831eca90fa54afb10d628c74
- SHA512: 3caf9a3b2b3e6415a894c60173181e88f6862feafe4ce570da99f7e1111fa8918b26857791fe9cb91d0a2238930fa5170caacc1de24019bf08a2d8538b299991