Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 145s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 19/04/2024, 01:51
Static task
- static1

Behavioral task
- behavioral1
  - Sample: DOC 331-100920-00.exe
  - Resource: win7-20231129-en

Behavioral task
- behavioral2
  - Sample: DOC 331-100920-00.exe
  - Resource: win10v2004-20240412-en
General
- Target: DOC 331-100920-00.exe
- Size: 1.1MB
- MD5: 81556c04b78490685e602d47202617e3
- SHA1: afcf7ca914c76a8b80136cdbbf2b31d8c6b96c7b
- SHA256: 54c9ab39f879d1c9f3fc61e3cb1ffb06ac237bb20647c1f521d09b2dbb4964d2
- SHA512: d7283501deeccbe53d9cdf0d3c12a179cb810c30fa8ab02066ed079c9fa424ecc710a11010db64e81a7cb011b9a2ca6aa8df56357484f152fd78bbb0453605b9
- SSDEEP: 24576:wAHnh+eWsN3skA4RV1Hom2KXMmHa2OqYIe6JZW9jV0jy59Qa03NSh5:nh+ZkldoPK8Ya2Oce0W9jSyLB
Malware Config
Signatures

Suspicious use of SetThreadContext (4 IoCs)
description | pid | Process | procid_target
PID 1160 set thread context of 852 | 1160 | DOC 331-100920-00.exe | 28
PID 852 set thread context of 1368 | 852 | svchost.exe | 21
PID 852 set thread context of 2840 | 852 | svchost.exe | 29
PID 2840 set thread context of 1368 | 2840 | netbtugc.exe | 21

Suspicious behavior: EnumeratesProcesses (32 IoCs)
pid | Process
852 | svchost.exe (8 entries)
2840 | netbtugc.exe (24 entries)

Suspicious behavior: MapViewOfSection (6 IoCs)
pid | Process
1160 | DOC 331-100920-00.exe
852 | svchost.exe
1368 | Explorer.EXE (2 entries)
2840 | netbtugc.exe (2 entries)

Suspicious use of FindShellTrayWindow (4 IoCs)
pid | Process
1160 | DOC 331-100920-00.exe (2 entries)
1368 | Explorer.EXE (2 entries)

Suspicious use of SendNotifyMessage (2 IoCs)
pid | Process
1160 | DOC 331-100920-00.exe (2 entries)

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 1160 wrote to memory of 852 | 1160 | DOC 331-100920-00.exe | 28 (5 entries)
PID 1368 wrote to memory of 2840 | 1368 | Explorer.EXE | 29 (4 entries)
Processes

- C:\Windows\Explorer.EXE (PID 1368), command line: "C:\Windows\Explorer.EXE"
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\DOC 331-100920-00.exe (PID 1160), command line: "C:\Users\Admin\AppData\Local\Temp\DOC 331-100920-00.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe (PID 852), command line: "C:\Users\Admin\AppData\Local\Temp\DOC 331-100920-00.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
  - C:\Windows\SysWOW64\netbtugc.exe (PID 2840), command line: "C:\Windows\SysWOW64\netbtugc.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 264KB
- MD5: 6096b4946e5c7c4cbe25f2c73a79258e
- SHA1: c8d132b9458f95d3765b983e2743950c9986b76b
- SHA256: f66d39d90b67086468fe0596fcb6608c55f028168aef16bc49382b5dd5279289
- SHA512: 40816ccac64d8371d3d312d582003e193a3fe92cc2f7f2c3281cc69cf37eb8c701338f535ec7cdf14aab33147b439f36c25df9b74ad4ed8bf57e06ac222ff955