Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 142s
max time network: 143s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 29/05/2024, 03:51
Static task: static1
Behavioral task: behavioral1
Sample: proform invoice.exe
Resource: win7-20240221-en
General
Target: proform invoice.exe
Size: 562KB
MD5: b0d8e1c1627e947fc3d0566b856a02c6
SHA1: fc25210ae92295d0b22accffaf767b0c4354f5de
SHA256: 83761885d25f6efebd14c2b5e26965961fc59896c45a3fff0c1abf555e7b3482
SHA512: 6ae235f56e138fa072dda60a41d37c7e995d45eb69338aa0c4088d49793e1f121813940b69015b779d4b0bb49d9abb24440881b282cb28f65019c164fbd729bf
SSDEEP: 12288:I2iKVTc8dJS4VH3bBvFEdh5OlZ77mi3Wa/UAF9VUkXMY:73cqScXtN0qBHWa/UAFTUkXM
Malware Config
Extracted
lokibot
http://sempersim.su/d9/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
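The five URLs above are what the sandbox pulled out of the sample's configuration, but they are not of equal value for hunting. The following is an added example (not tria.ge code, not part of this report) that turns them into host/path indicators, scores proxy-log hits by fidelity, and also flags any POST to a `*/fre.php` path, the panel gate filename seen across LokiBot C2s. The log lines are constructed for the example (the Network section of this page carries no data), and the "default host" list reflects analyst knowledge that kbfvzoboss.bid and the alphastand.* `alien/fre.php` entries appear in config dumps of most LokiBot builds regardless of operator; that claim is not something the report itself states.

```python
"""Turn the extracted LokiBot C2 URLs into indicators and score proxy-log hits by
fidelity. Added example for this report, not tria.ge code. The log lines are
constructed (this page's Network section carries no data); the default-host list
is analyst knowledge about LokiBot builds, not something the report states."""
from urllib.parse import urlsplit

C2_URLS = [  # copied from the Malware Config section of the report
    "http://sempersim.su/d9/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]
# Hosts embedded as hard-coded defaults in many LokiBot builds: they show up in
# config dumps whoever the operator is, so a hit says "LokiBot" but not "this
# campaign" (analyst knowledge, not from the report).
LOKIBOT_DEFAULT_HOSTS = {"kbfvzoboss.bid", "alphastand.trade", "alphastand.win", "alphastand.top"}

# Constructed proxy log: timestamp src_ip method host path status (not from the report).
PROXY_LOG = """\
2024-05-29T03:52:10Z 10.0.0.15 POST sempersim.su /d9/fre.php 404
2024-05-29T03:52:11Z 10.0.0.15 POST kbfvzoboss.bid /alien/fre.php 000
2024-05-29T03:52:12Z 10.0.0.15 GET www.example.com /index.html 200
2024-05-29T03:52:13Z 10.0.0.22 POST 203.0.113.9 /panel/fre.php 200
2024-05-29T03:52:14Z 10.0.0.22 GET sempersim.su /d9/fre.php 200
"""


def indicators(urls):
    """(host, path) -> fidelity for each extracted C2 URL."""
    out = {}
    for u in urls:
        p = urlsplit(u)
        out[(p.hostname, p.path)] = "low" if p.hostname in LOKIBOT_DEFAULT_HOSTS else "high"
    return out


def match_proxy_log(log_text, urls):
    """Return (line_no, src_ip, host, verdict) for each log line worth a look.
    Verdicts: c2_live (campaign C2), c2_default (LokiBot placeholder host),
    gate_pattern (any POST to a */fre.php path, LokiBot's panel gate name)."""
    ind = indicators(urls)
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        _, src, method, host, path, _ = line.split()
        fidelity = ind.get((host.lower(), path))
        if fidelity == "high":
            hits.append((n, src, host, "c2_live"))
        elif fidelity == "low":
            hits.append((n, src, host, "c2_default"))
        elif method == "POST" and path.lower().endswith("/fre.php"):
            hits.append((n, src, host, "gate_pattern"))
    return hits


def infected_hosts(hits):
    """Source IPs with at least one high-fidelity or gate-pattern hit."""
    return sorted({src for _, src, _, v in hits if v in ("c2_live", "gate_pattern")})
```

Run `match_proxy_log(PROXY_LOG, C2_URLS)` to see the scoring: the sempersim.su entry is the one worth a firewall block and a host reimage, the four default hosts confirm the family without telling you anything about this operator, and the gate-pattern rule catches a LokiBot panel the config dump did not name (a 404 or a closed connection to the live C2 is still a compromised host; the client tried to check in).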
Signatures

Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes (here: -ExclusionPath for the dropper and for %APPDATA%\WnPOlC.exe).
  PID   Process
  2820  powershell.exe
  2468  powershell.exe

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Description  Process      IoC
  Key opened   RegSvcs.exe  \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  Key opened   RegSvcs.exe  \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
  Key opened   RegSvcs.exe  \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

Suspicious use of SetThreadContext (1 IoC)
  Description                           PID   Process              procid_target
  PID 2876 set thread context of 2492   2876  proform invoice.exe  34

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID   Process
  2620  schtasks.exe

Suspicious behavior: EnumeratesProcesses (9 IoCs)
  PID   Process              Count
  2876  proform invoice.exe  7
  2468  powershell.exe       1
  2820  powershell.exe       1

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Description              PID   Process
  Token: SeDebugPrivilege  2876  proform invoice.exe
  Token: SeDebugPrivilege  2468  powershell.exe
  Token: SeDebugPrivilege  2820  powershell.exe
  Token: SeDebugPrivilege  2492  RegSvcs.exe

Suspicious use of WriteProcessMemory (25 IoCs; Count is the number of identical rows in the original list)
  Description                        PID   Process              procid_target  Count
  PID 2876 wrote to memory of 2820   2876  proform invoice.exe  28             4
  PID 2876 wrote to memory of 2468   2876  proform invoice.exe  30             4
  PID 2876 wrote to memory of 2620   2876  proform invoice.exe  32             4
  PID 2876 wrote to memory of 2492   2876  proform invoice.exe  34             13

outlook_office_path (1 IoC)
  Description  Process      IoC
  Key opened   RegSvcs.exe  \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

outlook_win_path (1 IoC)
  Description  Process      IoC
  Key opened   RegSvcs.exe  \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes

C:\Users\Admin\AppData\Local\Temp\proform invoice.exe  (PID 2876)
  Command line: "C:\Users\Admin\AppData\Local\Temp\proform invoice.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2820)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\proform invoice.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2468)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WnPOlC.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe  (PID 2620)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WnPOlC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp642F.tmp"
    - Creates scheduled task(s)

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  (PID 2492)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path

The children's command lines name System32 binaries while their image paths are under SysWOW64: the parent is a 32-bit process, so its references to System32 are redirected by WOW64 file system redirection and the 32-bit powershell.exe and schtasks.exe run. RegSvcs.exe is likewise the 32-bit build (Framework, not Framework64), which is what a 32-bit .NET loader can hollow.
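The process tree and the Signatures section together describe one chain: the dropper adds Defender exclusions for itself and its %APPDATA% copy, registers a scheduled task from an XML file in %TEMP%, hollows a 32-bit .NET utility (WriteProcessMemory followed by SetThreadContext on the RegSvcs.exe child), and the hollowed process then opens the Outlook profile keys. The following is an added example (not tria.ge code, not part of this report) that encodes each of those behaviours as a correlation over sandbox-style events. The event list is constructed to mirror the PIDs, images, command lines and registry keys printed above; the event order and the `kind`/`details` shape are assumptions of the example, not a tria.ge format.

```python
"""Correlate sandbox process, API and registry events into the behaviours this
report flags. Added example for this report, not tria.ge code: the events are
constructed to mirror the Signatures and Processes sections (PIDs, images,
command lines and registry keys as printed there); their order is assumed."""
import re
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
PS = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
HKU = "\\REGISTRY\\USER\\S-1-5-21-3452737119-3959686427-228443150-1000"

# Constructed events: (kind, pid, image_or_api, details); one WriteProcessMemory row per target.
EVENTS = [
    ("process", 2876, TEMP + r"\proform invoice.exe",
     {"parent": None, "cmdline": '"' + TEMP + r'\proform invoice.exe"'}),
    ("process", 2820, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     {"parent": 2876, "cmdline": PS + ' Add-MpPreference -ExclusionPath "' + TEMP + r'\proform invoice.exe"'}),
    ("process", 2468, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     {"parent": 2876, "cmdline": PS + r' Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WnPOlC.exe"'}),
    ("process", 2620, r"C:\Windows\SysWOW64\schtasks.exe",
     {"parent": 2876, "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WnPOlC" /XML "' + TEMP + r'\tmp642F.tmp"'}),
    ("process", 2492, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     {"parent": 2876, "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'}),
    ("api", 2876, "WriteProcessMemory", {"target": 2820}),
    ("api", 2876, "WriteProcessMemory", {"target": 2468}),
    ("api", 2876, "WriteProcessMemory", {"target": 2620}),
    ("api", 2876, "WriteProcessMemory", {"target": 2492}),
    ("api", 2876, "SetThreadContext", {"target": 2492}),
    ("registry", 2492, "RegOpenKey", {"key": HKU + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook"}),
    ("registry", 2492, "RegOpenKey", {"key": HKU + r"\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook"}),
    ("registry", 2492, "RegOpenKey", {"key": HKU + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"}),
]

MPPREF_RE = re.compile(r"\b(Add|Set)-MpPreference\b", re.I)
EXCL_RE = re.compile(r'-Exclusion(Path|Process|Extension)\s+"?([^"]+)"?', re.I)
XML_RE = re.compile(r'/XML\s+"?([^"]+)"?', re.I)
TN_RE = re.compile(r'/TN\s+"?([^"\s]+)"?', re.I)
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public")
OUTLOOK_KEYS = (r"\outlook\profiles", r"\windows messaging subsystem\profiles")

def processes(events):
    """pid -> (image, parent pid, command line) from process-creation events."""
    return {pid: (img, d["parent"], d["cmdline"]) for k, pid, img, d in events if k == "process"}

def user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)

def defender_exclusions(events):
    """Add-/Set-MpPreference exclusions; 'high' when the excluded path is user-writable,
    which is what a dropper excludes (itself and its payload), not an admin's app directory."""
    hits = []
    for kind, pid, _, d in events:
        if kind != "process" or not MPPREF_RE.search(d["cmdline"]):
            continue
        m = EXCL_RE.search(d["cmdline"])  # an unquoted value captures to end of line
        if m:
            hits.append((pid, m.group(2), "high" if user_writable(m.group(2)) else "medium"))
    return hits

def staged_scheduled_tasks(events):
    """schtasks /Create whose task XML is read from a user-writable directory."""
    hits = []
    for kind, pid, img, d in events:
        if kind != "process" or not img.lower().endswith("schtasks.exe"):
            continue
        xml, tn = XML_RE.search(d["cmdline"]), TN_RE.search(d["cmdline"])
        if "/create" in d["cmdline"].lower() and xml and user_writable(xml.group(1)):
            hits.append((pid, tn.group(1) if tn else None, xml.group(1)))
    return hits

def process_hollowing(events):
    """Writer that both WriteProcessMemory's and SetThreadContext's one target. WPM alone is
    normal for every spawned child (logged for powershell/schtasks too); SetThreadContext is the tell."""
    procs, seen = processes(events), defaultdict(set)
    for kind, pid, api, d in events:
        if kind == "api":
            seen[(pid, d["target"])].add(api)
    hits = []
    for (src, dst), apis in seen.items():
        if {"WriteProcessMemory", "SetThreadContext"} <= apis:
            img, parent, _ = procs.get(dst, ("?", None, ""))
            hits.append((src, dst, img, parent == src))  # True: target spawned by the writer
    return hits

def outlook_profile_access(events):
    """Outlook profile keys opened by anything other than outlook.exe (mail credential theft)."""
    procs, hits = processes(events), []
    for kind, pid, _, d in events:
        if kind == "registry" and any(s in d["key"].lower() for s in OUTLOOK_KEYS):
            img = procs.get(pid, ("?",))[0]
            if not img.lower().endswith("outlook.exe"):
                hits.append((pid, img, d["key"]))
    return hits

def triage(events):
    return {f.__name__: f(events) for f in (defender_exclusions, staged_scheduled_tasks,
                                             process_hollowing, outlook_profile_access)}
```

`triage(EVENTS)` returns one list per behaviour; on the constructed events it yields two high-severity exclusions, the `Updates\WnPOlC` task staged from %TEMP%, a single hollowing pair (2876 into its own child 2492, RegSvcs.exe) and three Outlook profile key opens by RegSvcs.exe. The WriteProcessMemory rows for the PowerShell and schtasks children deliberately produce nothing on their own: those writes are what CreateProcess does for any child, and without SetThreadContext on the same target they are noise.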
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: ac92543ae93b8d1b1918b64c20f08a53
SHA1: b58d78feeb1fdd5ac19f622447ed0c86410eb218
SHA256: 4670003fc4c4eb080cb56e7040bb94f69fd213d085e10e678290fe3990a8c390
SHA512: ca9d48fbede083f405bdc1e0d9f31086abb213b623908750ce7d623b9d11e718e38a141e1793e7b04662e1f5c10b5e8189931b1df15107b1bd6f265a65d682b7

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3452737119-3959686427-228443150-1000\0f5007522459c86e95ffcc62f32308f1_ad04ce47-83ca-4cca-a79e-77cdc80ce41e
Filesize: 46B
MD5: d898504a722bff1524134c6ab6a5eaa5
SHA1: e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256: 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA512: 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3452737119-3959686427-228443150-1000\0f5007522459c86e95ffcc62f32308f1_ad04ce47-83ca-4cca-a79e-77cdc80ce41e
Filesize: 46B
MD5: c07225d4e7d01d31042965f048728a0a
SHA1: 69d70b340fd9f44c89adb9a2278df84faa9906b7
SHA256: 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA512: 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1IH3EF3A90HD4OXW9Q04.temp
Filesize: 7KB
MD5: e674876257e5fe513120ba1b1a049112
SHA1: 806aeac4cf784cc8ffaa0134d4940db648bb4257
SHA256: f516a3a3ed540b8426ed6d86eacd238a1f4f8e587e73bb03312457922363c61a
SHA512: c7268725be6642778ca9e4d05363648e0fa4065acfe32a02cb142698dffa84754ce1b037729cffc6dd2fd4344c871cfce7cf035b5bb715c6bc6bd6eec162c138