Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

proform invoice.exe

windows7-x64

10

proform invoice.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    29/05/2024, 03:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    proform invoice.exe

  • Size

    562KB

  • MD5

    b0d8e1c1627e947fc3d0566b856a02c6

  • SHA1

    fc25210ae92295d0b22accffaf767b0c4354f5de

  • SHA256

    83761885d25f6efebd14c2b5e26965961fc59896c45a3fff0c1abf555e7b3482

  • SHA512

    6ae235f56e138fa072dda60a41d37c7e995d45eb69338aa0c4088d49793e1f121813940b69015b779d4b0bb49d9abb24440881b282cb28f65019c164fbd729bf

  • SSDEEP

    12288:I2iKVTc8dJS4VH3bBvFEdh5OlZ77mi3Wa/UAF9VUkXMY:73cqScXtN0qBHWa/UAFTUkXM

Score
10/10
lokibotcollectionexecutionspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://sempersim.su/d9/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\proform invoice.exe
    "C:\Users\Admin\AppData\Local\Temp\proform invoice.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\proform invoice.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2820
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WnPOlC.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2468
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WnPOlC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp642F.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2620
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:2492

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp642F.tmp
    Filesize

    1KB

    MD5

    ac92543ae93b8d1b1918b64c20f08a53

    SHA1

    b58d78feeb1fdd5ac19f622447ed0c86410eb218

    SHA256

    4670003fc4c4eb080cb56e7040bb94f69fd213d085e10e678290fe3990a8c390

    SHA512

    ca9d48fbede083f405bdc1e0d9f31086abb213b623908750ce7d623b9d11e718e38a141e1793e7b04662e1f5c10b5e8189931b1df15107b1bd6f265a65d682b7

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3452737119-3959686427-228443150-1000\0f5007522459c86e95ffcc62f32308f1_ad04ce47-83ca-4cca-a79e-77cdc80ce41e
    Filesize

    46B

    MD5

    d898504a722bff1524134c6ab6a5eaa5

    SHA1

    e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

    SHA256

    878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

    SHA512

    26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3452737119-3959686427-228443150-1000\0f5007522459c86e95ffcc62f32308f1_ad04ce47-83ca-4cca-a79e-77cdc80ce41e
    Filesize

    46B

    MD5

    c07225d4e7d01d31042965f048728a0a

    SHA1

    69d70b340fd9f44c89adb9a2278df84faa9906b7

    SHA256

    8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

    SHA512

    23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1IH3EF3A90HD4OXW9Q04.temp
    Filesize

    7KB

    MD5

    e674876257e5fe513120ba1b1a049112

    SHA1

    806aeac4cf784cc8ffaa0134d4940db648bb4257

    SHA256

    f516a3a3ed540b8426ed6d86eacd238a1f4f8e587e73bb03312457922363c61a

    SHA512

    c7268725be6642778ca9e4d05363648e0fa4065acfe32a02cb142698dffa84754ce1b037729cffc6dd2fd4344c871cfce7cf035b5bb715c6bc6bd6eec162c138

    Download Submit

  • memory/2492-26-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/2492-18-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/2492-59-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/2492-50-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/2492-24-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/2492-30-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/2492-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2492-22-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/2492-20-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/2492-29-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/2876-5-0x0000000004500000-0x0000000004562000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2876-0-0x0000000074C3E000-0x0000000074C3F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2876-31-0x0000000074C30000-0x000000007531E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2876-2-0x0000000074C30000-0x000000007531E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2876-1-0x0000000001000000-0x0000000001092000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2876-3-0x0000000000550000-0x0000000000568000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2876-4-0x0000000000570000-0x0000000000580000-memory.dmp

    Filesize

    64KB

    Download