Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 147s
max time network: 143s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02/04/2024, 13:54
Static task: static1
Behavioral task: behavioral1
Sample: Invoice.exe
Resource: win7-20240221-en
General
Target: Invoice.exe
Size: 5.8MB
MD5: e0ad1b070ad9c0430f491d07c2708484
SHA1: f36de48706a23f38d7b3fa070d8948dbc9ac3491
SHA256: 647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712
SHA512: d7bea99b6595f75c0a448d93f8a1394d93a23d88933d3d26ba4c141faa69f9d87a18cf0535cb9e0e3016ad9067ade5320fc0171e7bbe84a42989bfd2f6c25ef9
SSDEEP: 98304:AuBV+GvjiaLzY5lk+Ar+fbleEfho0b6s0LSvIragO0fMvU/5Lf62LDY:AbGvPE5Ca183
Malware Config
Signatures
NirSoft MailPassView 10 IoCs
Password recovery tool for various email clients
resource                                                                      yara_rule
behavioral1/memory/1320-9-0x0000000000080000-0x0000000000108000-memory.dmp    MailPassView
behavioral1/memory/1320-14-0x0000000000080000-0x0000000000108000-memory.dmp   MailPassView
behavioral1/memory/1320-15-0x0000000000080000-0x0000000000108000-memory.dmp   MailPassView
behavioral1/memory/1320-7-0x0000000000080000-0x0000000000108000-memory.dmp    MailPassView
behavioral1/memory/1320-20-0x0000000000080000-0x0000000000108000-memory.dmp   MailPassView
behavioral1/memory/1320-23-0x0000000000080000-0x0000000000108000-memory.dmp   MailPassView
behavioral1/memory/2648-40-0x0000000000400000-0x000000000041B000-memory.dmp   MailPassView
behavioral1/memory/2648-43-0x0000000000400000-0x000000000041B000-memory.dmp   MailPassView
behavioral1/memory/2648-44-0x0000000000400000-0x000000000041B000-memory.dmp   MailPassView
behavioral1/memory/2648-45-0x0000000000400000-0x000000000041B000-memory.dmp   MailPassView

NirSoft WebBrowserPassView 9 IoCs
Password recovery tool for various web browsers
resource                                                                      yara_rule
behavioral1/memory/1320-9-0x0000000000080000-0x0000000000108000-memory.dmp    WebBrowserPassView
behavioral1/memory/1320-14-0x0000000000080000-0x0000000000108000-memory.dmp   WebBrowserPassView
behavioral1/memory/1320-15-0x0000000000080000-0x0000000000108000-memory.dmp   WebBrowserPassView
behavioral1/memory/1320-7-0x0000000000080000-0x0000000000108000-memory.dmp    WebBrowserPassView
behavioral1/memory/1320-20-0x0000000000080000-0x0000000000108000-memory.dmp   WebBrowserPassView
behavioral1/memory/1320-23-0x0000000000080000-0x0000000000108000-memory.dmp   WebBrowserPassView
behavioral1/memory/2904-48-0x0000000000400000-0x0000000000458000-memory.dmp   WebBrowserPassView
behavioral1/memory/2904-50-0x0000000000400000-0x0000000000458000-memory.dmp   WebBrowserPassView
behavioral1/memory/2904-52-0x0000000000400000-0x0000000000458000-memory.dmp   WebBrowserPassView

Nirsoft 13 IoCs
resource                                                                      yara_rule
behavioral1/memory/1320-9-0x0000000000080000-0x0000000000108000-memory.dmp    Nirsoft
behavioral1/memory/1320-14-0x0000000000080000-0x0000000000108000-memory.dmp   Nirsoft
behavioral1/memory/1320-15-0x0000000000080000-0x0000000000108000-memory.dmp   Nirsoft
behavioral1/memory/1320-7-0x0000000000080000-0x0000000000108000-memory.dmp    Nirsoft
behavioral1/memory/1320-20-0x0000000000080000-0x0000000000108000-memory.dmp   Nirsoft
behavioral1/memory/1320-23-0x0000000000080000-0x0000000000108000-memory.dmp   Nirsoft
behavioral1/memory/2648-40-0x0000000000400000-0x000000000041B000-memory.dmp   Nirsoft
behavioral1/memory/2648-43-0x0000000000400000-0x000000000041B000-memory.dmp   Nirsoft
behavioral1/memory/2648-44-0x0000000000400000-0x000000000041B000-memory.dmp   Nirsoft
behavioral1/memory/2648-45-0x0000000000400000-0x000000000041B000-memory.dmp   Nirsoft
behavioral1/memory/2904-48-0x0000000000400000-0x0000000000458000-memory.dmp   Nirsoft
behavioral1/memory/2904-50-0x0000000000400000-0x0000000000458000-memory.dmp   Nirsoft
behavioral1/memory/2904-52-0x0000000000400000-0x0000000000458000-memory.dmp   Nirsoft
Executes dropped EXE 4 IoCs
pid   Process
872   svchost.exe
2988  svchost.exe
2304  svchost.exe
2824  svchost.exe

Loads dropped DLL 2 IoCs
pid   Process
2220  Invoice.exe
872   svchost.exe

Uses the VBS compiler for execution 1 TTPs

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description   ioc                                                                                                               Process
Key opened    \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts   vbc.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
4     whatismyipaddress.com
6     whatismyipaddress.com
Suspicious use of SetThreadContext 5 IoCs
description                            pid   Process      procid_target
PID 2220 set thread context of 1320    2220  Invoice.exe  30
PID 1320 set thread context of 2648    1320  Invoice.exe  40
PID 1320 set thread context of 2904    1320  Invoice.exe  41
PID 872 set thread context of 2988     872   svchost.exe  42
PID 2304 set thread context of 2824    2304  svchost.exe  52

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
1628  schtasks.exe
980   schtasks.exe
1676  schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs
pid   Process
1320  Invoice.exe

Suspicious behavior: SetClipboardViewer 2 IoCs
pid   Process
2988  svchost.exe
2824  svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
description               pid   Process
Token: SeDebugPrivilege   1320  Invoice.exe

Suspicious use of SetWindowsHookEx 1 IoCs
pid   Process
1320  Invoice.exe
Suspicious use of WriteProcessMemory 64 IoCs
(identical rows are collapsed; the occurrences column gives how many times each row appears in the original 64-entry list)
description                         pid   Process      procid_target  occurrences
PID 2220 wrote to memory of 1320    2220  Invoice.exe  30             9
PID 2220 wrote to memory of 872     2220  Invoice.exe  31             4
PID 2220 wrote to memory of 784     2220  Invoice.exe  32             4
PID 2220 wrote to memory of 1388    2220  Invoice.exe  34             4
PID 1388 wrote to memory of 1628    1388  cmd.exe      36             4
PID 2220 wrote to memory of 1744    2220  Invoice.exe  37             4
PID 1320 wrote to memory of 2648    1320  Invoice.exe  40             10
PID 1320 wrote to memory of 2904    1320  Invoice.exe  41             10
PID 872 wrote to memory of 2988     872   svchost.exe  42             9
PID 872 wrote to memory of 1648     872   svchost.exe  43             4
PID 872 wrote to memory of 1524     872   svchost.exe  45             2
Processes
(process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\Invoice.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Invoice.exe"
  PID: 2220
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Invoice.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Invoice.exe"
    PID: 1320
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
      PID: 2648
      - Accesses Microsoft Outlook accounts

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
      PID: 2904

  C:\Users\Admin\AppData\Local\Temp\svchost.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    PID: 872
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\svchost.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      PID: 2988
      - Executes dropped EXE
      - Suspicious behavior: SetClipboardViewer

    C:\Windows\SysWOW64\cmd.exe
      command line: "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
      PID: 1648

    C:\Windows\SysWOW64\cmd.exe
      command line: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
      PID: 1524

      C:\Windows\SysWOW64\schtasks.exe
        command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        PID: 980
        - Creates scheduled task(s)

    C:\Windows\SysWOW64\cmd.exe
      command line: "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
      PID: 2896

  C:\Windows\SysWOW64\cmd.exe
    command line: "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
    PID: 784

  C:\Windows\SysWOW64\cmd.exe
    command line: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
    PID: 1388
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
      PID: 1628
      - Creates scheduled task(s)

  C:\Windows\SysWOW64\cmd.exe
    command line: "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\Invoice.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
    PID: 1744

C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {D3B182CE-FA53-4DD8-8EFC-34C7FCF01B65} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
  PID: 1452

  C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
    command line: C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
    PID: 2304
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

    C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
      command line: "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
      PID: 2824
      - Executes dropped EXE
      - Suspicious behavior: SetClipboardViewer

    C:\Windows\SysWOW64\cmd.exe
      command line: "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
      PID: 2124

    C:\Windows\SysWOW64\cmd.exe
      command line: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
      PID: 2276

      C:\Windows\SysWOW64\schtasks.exe
        command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        PID: 1676
        - Creates scheduled task(s)

    C:\Windows\SysWOW64\cmd.exe
      command line: "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
      PID: 1680
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2B
MD5: f3b25701fe362ec84616a93a45ce9998
SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Filesize: 3.0MB
MD5: 536441b93db2dcf06f8d19eb6c11899b
SHA1: c26f15db010956a21bc15c1155b9c82a3e2274fd
SHA256: 9b04247046aa7d0854bcc1ab79fbc88963e7bf50f033ef1434561476b7f91912
SHA512: 05513f0e424f1d80e136d3e6cfb5d992d57d960f18ca0c2d60cd8050b390b25ee15be2202a9c8d16789f807e46457a353450815d63a3d2493f93ff1f0964c926

Filesize: 3.0MB
MD5: 646f6ea76cd0f29d4c2d6b0c8935e39e
SHA1: 59962777a41b8ca3dfd0c40147e013a3a6d9bda4
SHA256: 0f71486baf108292e78215a8ca9643408664ecf173a6d556185c784297fc2ac5
SHA512: 480044c8f611ead3ba8351f4e580fe191f3b7a8dfa2ab513a3caf6a3927d9997d9a3c77ae2e26c7ffa26d1569d8d2ecec235deca23b389b491237a1cca5d9442