Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/08/2024, 06:58

General

  • Target

    Request For Quote (Kobelco) INV#180222OM24 & #160222OM71.exe

  • Size

    564KB

  • MD5

    0b5d25a78e3930329645177f916c635e

  • SHA1

    657354750be2feb546a9142253d7ee9045343791

  • SHA256

    ef3551aae96f3756275e977c313b915120660a4c3c23390fb9a3a4b836989c2e

  • SHA512

    044a878e12cd3c3107de27ab8ca90a0db859c7d24f4c6d2c895f1910fe407837092c5dee3599799d77a52d58470f1e54b9aeaa59e9510810b78036d5c94047dd

  • SSDEEP

    12288:hWkYoL3rlW475lzzSb+ZRAvtIYzkUm/anGT6rLS/F68Yf9o70A67kR:fLvJoqnAvtJoUmCnG/hYfS70Av

Score
8/10

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Request For Quote (Kobelco) INV#180222OM24 & #160222OM71.exe
    "C:\Users\Admin\AppData\Local\Temp\Request For Quote (Kobelco) INV#180222OM24 & #160222OM71.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2660
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Request For Quote (Kobelco) INV#180222OM24 & #160222OM71.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2760
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SgprtlKLT.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2724
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SgprtlKLT" /XML "C:\Users\Admin\AppData\Local\Temp\tmp39B6.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2828
    • C:\Users\Admin\AppData\Local\Temp\Request For Quote (Kobelco) INV#180222OM24 & #160222OM71.exe
      "C:\Users\Admin\AppData\Local\Temp\Request For Quote (Kobelco) INV#180222OM24 & #160222OM71.exe"
      2⤵
      PID:920
    • C:\Users\Admin\AppData\Local\Temp\Request For Quote (Kobelco) INV#180222OM24 & #160222OM71.exe
      "C:\Users\Admin\AppData\Local\Temp\Request For Quote (Kobelco) INV#180222OM24 & #160222OM71.exe"
      2⤵
      PID:268
    • C:\Users\Admin\AppData\Local\Temp\Request For Quote (Kobelco) INV#180222OM24 & #160222OM71.exe
      "C:\Users\Admin\AppData\Local\Temp\Request For Quote (Kobelco) INV#180222OM24 & #160222OM71.exe"
      2⤵
      PID:1120
    • C:\Users\Admin\AppData\Local\Temp\Request For Quote (Kobelco) INV#180222OM24 & #160222OM71.exe
      "C:\Users\Admin\AppData\Local\Temp\Request For Quote (Kobelco) INV#180222OM24 & #160222OM71.exe"
      2⤵
      PID:1408
    • C:\Users\Admin\AppData\Local\Temp\Request For Quote (Kobelco) INV#180222OM24 & #160222OM71.exe
      "C:\Users\Admin\AppData\Local\Temp\Request For Quote (Kobelco) INV#180222OM24 & #160222OM71.exe"
      2⤵
      PID:1216

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp39B6.tmp
    Filesize
    1KB
    MD5
    a8761cbfcf28d95e6459168321382a2a
    SHA1
    02cfa28f57cdf7135908564be9e9c3cb8d750c38
    SHA256
    1e9cbc45513e1ad2bf2b763fb3f078789fc80f6642bc62291f53a68942a55e56
    SHA512
    84381af36054f4a38d311635745a4d4964bc1613ef315a4a0cce715cd8b37f3c819a80a71dfe9681b5d90bb2afa22973afc5b1b96cb1a3f31ea69b7d43d5ca6b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize
    7KB
    MD5
    f75b833d4fcc0ae9d3daac26f26342e5
    SHA1
    c740a37aa26a2c6a921b9522418a6c9311dcbcf7
    SHA256
    487a2660001e1d6560b079ff15da3f9437da31532bdf4914aa53646bba746d6d
    SHA512
    16484487d27ac82af0a38efd30ce43f99cad63ed3f78cc24a7c63cb0fe338acd65fbbe159d3afc822d5e92d3a9a8b1a3f06ffda4750a92c7f23680aa43ceece1

  • memory/2660-0-0x0000000073FCE000-0x0000000073FCF000-memory.dmp
    Filesize
    4KB

  • memory/2660-1-0x00000000003D0000-0x0000000000460000-memory.dmp
    Filesize
    576KB

  • memory/2660-2-0x0000000073FC0000-0x00000000746AE000-memory.dmp
    Filesize
    6.9MB

  • memory/2660-3-0x0000000000380000-0x000000000039A000-memory.dmp
    Filesize
    104KB

  • memory/2660-4-0x0000000073FCE000-0x0000000073FCF000-memory.dmp
    Filesize
    4KB

  • memory/2660-5-0x0000000073FC0000-0x00000000746AE000-memory.dmp
    Filesize
    6.9MB

  • memory/2660-6-0x00000000003A0000-0x00000000003AC000-memory.dmp
    Filesize
    48KB

  • memory/2660-7-0x00000000003B0000-0x00000000003C0000-memory.dmp
    Filesize
    64KB

  • memory/2660-8-0x0000000004EC0000-0x0000000004F22000-memory.dmp
    Filesize
    392KB

  • memory/2660-21-0x0000000073FC0000-0x00000000746AE000-memory.dmp
    Filesize
    6.9MB