Analysis
max time kernel: 93s
max time network: 118s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/09/2024, 01:55

Behavioral task: behavioral1
Sample: invoice# 4816959.exe
Resource: win7-20240903-en
General
Target: invoice# 4816959.exe
Size: 785KB
MD5: 96f1b2e33db06bce963989fa8a1d6a05
SHA1: dc157dd6283a01887f07774ac6971b4d173dcbd1
SHA256: f216ee2de45ead0b027d4ee0c033a14ca22c1ad6aed2917958b8a9121522d5ef
SHA512: 432abd26a6c8464e03086123efd7dd407f428774f90aafe463ff8a6a90c9988b44bab6ff7220c89f1d352b2cc78a5b342327e582c580201bf6c611f066ada365
SSDEEP: 24576:M4GHnhIzOaWuTWrpVr2f9P78+q1SBGWZbJb2tk:LshdabTkEfxRqsBnVSt
Malware Config
Signatures
resource: behavioral2/memory/2064-0-0x0000000000640000-0x00000000007F6000-memory.dmp  yara_rule: upx
resource: behavioral2/memory/2064-12-0x0000000000640000-0x00000000007F6000-memory.dmp  yara_rule: upx

AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
resource: behavioral2/memory/2064-12-0x0000000000640000-0x00000000007F6000-memory.dmp  yara_rule: autoit_exe

Suspicious use of SetThreadContext (1 IoC)
description: PID 2064 set thread context of 1592  pid: 2064  Process: invoice# 4816959.exe  procid_target: 87

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: invoice# 4816959.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid: 1592  Process: svchost.exe  (14 identical entries)

Suspicious behavior: MapViewOfSection (1 IoC)
pid: 2064  Process: invoice# 4816959.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid: 2064  Process: invoice# 4816959.exe  (2 identical entries)

Suspicious use of SendNotifyMessage (2 IoCs)
pid: 2064  Process: invoice# 4816959.exe  (2 identical entries)

Suspicious use of WriteProcessMemory (4 IoCs)
description: PID 2064 wrote to memory of 1592  pid: 2064  Process: invoice# 4816959.exe  procid_target: 87  (4 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\invoice# 4816959.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\invoice# 4816959.exe"
   PID: 2064
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\svchost.exe  (depth 2, under PID 2064)
      command line: "C:\Users\Admin\AppData\Local\Temp\invoice# 4816959.exe"
      PID: 1592
      - Suspicious behavior: EnumeratesProcesses
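The process tree and signature rows above together describe the classic process-hollowing sequence: the sample starts a 32-bit svchost.exe with its own command line, writes into that child, and replaces the child's thread context before it runs. The following is an added example (not tria.ge code) that turns that pattern into a check: it takes a small list of process records and cross-process API events modelled on this report (constructed inline, not pulled from the sandbox API; the notepad.exe sibling with PID 3000 is invented to show a benign child is not flagged) and reports children where all three conditions hold: command line names a different executable than the on-disk image, the parent wrote to the child's memory, and the parent set the child's thread context.

```python
import ntpath
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str          # on-disk image path
    cmdline: str        # command line the process was created with
    ppid: Optional[int]


# Constructed from the process tree in the report above. PID 3000 is a
# made-up benign child used to show the check does not fire on an ordinary
# process whose command line matches its image.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\invoice# 4816959.exe"
PROCESSES = [
    Proc(2064, SAMPLE, f'"{SAMPLE}"', None),
    Proc(1592, r"C:\Windows\SysWOW64\svchost.exe", f'"{SAMPLE}"', 2064),
    Proc(3000, r"C:\Windows\System32\notepad.exe",
         r'"C:\Windows\System32\notepad.exe" readme.txt', 2064),
]

# (api, source pid, target pid). The report lists four WriteProcessMemory
# rows and one SetThreadContext row from 2064 to 1592; the single write to
# PID 3000 is constructed to show that a write alone is not enough.
API_EVENTS = [
    ("WriteProcessMemory", 2064, 1592),
    ("WriteProcessMemory", 2064, 1592),
    ("WriteProcessMemory", 2064, 1592),
    ("WriteProcessMemory", 2064, 1592),
    ("SetThreadContext", 2064, 1592),
    ("WriteProcessMemory", 2064, 3000),
]


def image_from_cmdline(cmdline: str) -> str:
    """Return the executable token of a Windows command line, quoted or not."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def detect_hollowing(procs, events):
    """Flag children whose parent wrote to them, replaced their thread
    context, and launched them with a command line naming another image."""
    by_pid = {p.pid: p for p in procs}
    calls = defaultdict(set)            # (src pid, dst pid) -> {api names}
    for api, src, dst in events:
        calls[(src, dst)].add(api)

    findings = []
    for child in procs:
        if child.ppid is None:
            continue
        apis = calls.get((child.ppid, child.pid), set())
        claimed = ntpath.basename(image_from_cmdline(child.cmdline)).lower()
        actual = ntpath.basename(child.image).lower()
        reasons = []
        if claimed != actual:
            reasons.append("cmdline_image_mismatch")
        if "WriteProcessMemory" in apis:
            reasons.append("parent_wrote_memory")
        if "SetThreadContext" in apis:
            reasons.append("parent_set_thread_context")
        # Only the combination is the hollowing signature: debuggers write
        # memory, and some launchers set thread context, without either
        # being malicious on its own.
        if len(reasons) == 3:
            findings.append({
                "child_pid": child.pid,
                "child_image": child.image,
                "claimed_image": claimed,
                "parent_pid": child.ppid,
                "parent_image": by_pid[child.ppid].image,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in detect_hollowing(PROCESSES, API_EVENTS):
        print(f"PID {f['child_pid']} ({f['child_image']}) hollowed by "
              f"PID {f['parent_pid']}: {', '.join(f['reasons'])}")
```

Run against the constructed events this reports only PID 1592. The same three-way join is what an EDR rule would express over process-create and cross-process-access telemetry; the command-line/image mismatch is the cheapest of the three signals to evaluate and is visible in the process tree above without any API tracing.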
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 280KB
MD5: d2664d1e9341729126a42574b82e7da4
SHA1: 1746fade8afc1a15aa5bebd27a9dacf5effe712d
SHA256: 1fdf0b129fe77e6a5059a958c0a629c57a4d7e65bee531688d1e55f0000cb4bb
SHA512: 0e05ef3b828d9c46a49df4068e3966ca4d89cf602ef35bb74e47de3f3880bd6c981791cf269422097ee626d796a9b6573f6b7347c4151198f7fcaf765fdf8815