Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 04/10/2024, 01:07
Static task
- static1
Behavioral tasks
- behavioral1: sample "payment slip.exe", resource win7-20240704-en
- behavioral2: sample "payment slip.exe", resource win10v2004-20240802-en
General
- Target: payment slip.exe
- Size: 1.3MB
- MD5: 89caacf3b4c7850f58e13b22c1abf425
- SHA1: 612fa3a9c39e7740026ae6685708bec6a170a442
- SHA256: 060f6e4baa9b2ac462805c173f9bec5927321333ae978c91d4de3bd0da6b415d
- SHA512: 3b6d5b46ba51764e29fc063742e8871262dd5ba01e726a1864db2ee3768f726a8f12955b24408a8203250eeecff7a45e98d482e811674120b71a2259cbbf4cd0
- SSDEEP: 24576:ffmMv6Ckr7Mny5QLXI0mlORaXRY6n4u0uUTTzPVbSG/oe:f3v+7/5QLSf6610uUfpbD/L
Malware Config
Signatures
- Suspicious use of SetThreadContext (1 IoC)
    description: PID 3032 set thread context of 3040
    pid: 3032
    Process: payment slip.exe
    procid_target: 31
- Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    description: Key opened
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: payment slip.exe
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
    pid: 3040, Process: svchost.exe (7 identical entries)
- Suspicious behavior: MapViewOfSection (1 IoC)
    pid: 3032, Process: payment slip.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
    description: PID 3032 wrote to memory of 3040
    pid: 3032
    Process: payment slip.exe
    procid_target: 31
    (5 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\payment slip.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\payment slip.exe"
   PID: 3032
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\svchost.exe (child of PID 3032; image path differs from its command line)
      command line: "C:\Users\Admin\AppData\Local\Temp\payment slip.exe"
      PID: 3040
      - Suspicious behavior: EnumeratesProcesses