Resubmissions

  Date               ID                 Score
  09/02/2023, 12:02  230209-n7e4pabe53  7
  09/02/2023, 12:01  230209-n7bq9sbb7y  7
  21/01/2022, 22:50  220121-2sqtjabgf5  9

Analysis
- max time kernel: 137s
- max time network: 136s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 21/01/2022, 22:50
Static task
- static1

Behavioral task
- behavioral1
  - Sample: f8e972a26117bd14f5ec4dca9de0244d0bfd29bbbfd9104b2ccdc49fa93416d8.dll
  - Resource: win7-en-20211208

Behavioral task
- behavioral2
  - Sample: f8e972a26117bd14f5ec4dca9de0244d0bfd29bbbfd9104b2ccdc49fa93416d8.dll
  - Resource: win10-en-20211208
General
- Target: f8e972a26117bd14f5ec4dca9de0244d0bfd29bbbfd9104b2ccdc49fa93416d8.dll
- Size: 143KB
- MD5: 80a2bb7884b8bad4a8e83c2cb03ee343
- SHA1: 6620029006c7174987ddcbe48dc0d4ceb6fe584c
- SHA256: f8e972a26117bd14f5ec4dca9de0244d0bfd29bbbfd9104b2ccdc49fa93416d8
- SHA512: 6af7016a956f226fe38cfe9fb6cb64044cb47706a509dc117c061f92ea30e59013936dd942ab1a1744d080a30e6d0605866b694edf761e32818e9208af21a85c
Malware Config
Signatures
- ACProtect 1.3x - 1.4x DLL software (2 IoCs)
  Detects file using ACProtect software.

  resource                                     yara_rule
  behavioral1/files/0x0009000000013947-59.dat  acprotect
  behavioral1/files/0x0009000000013947-60.dat  acprotect

  resource                                     yara_rule
  behavioral1/files/0x0009000000013947-59.dat  upx
  behavioral1/files/0x0009000000013947-60.dat  upx

- Deletes itself (1 IoCs)

  pid   Process
  1428  cmd.exe

- Loads dropped DLL (1 IoCs)

  pid   Process
  1028  regsvr32.exe

- Adds Run key to start application (2 TTPs, 4 IoCs)

  description      ioc                                                                                                                                                                                                      Process
  Key created      \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                                              regsvr32.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderAutoUpdate = "regsvr32.exe /s \"C:\\ProgramData\\Software\\Microsoft\\Windows\\Defender\\AutoUpdate.dll\""  regsvr32.exe
  Key created      \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                                              regsvr32.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderAutoUpdate = "regsvr32.exe /s \"C:\\ProgramData\\Software\\Microsoft\\Windows\\Defender\\AutoUpdate.dll\""  regsvr32.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)

  description               pid   Process
  Token: SeDebugPrivilege   1028  regsvr32.exe

- Suspicious use of WriteProcessMemory (22 IoCs; identical rows collapsed with a count)

  description                       pid   Process       procid_target  count
  PID 980 wrote to memory of 1068   980   regsvr32.exe  27             7
  PID 1068 wrote to memory of 592   1068  regsvr32.exe  28             4
  PID 1068 wrote to memory of 1428  1068  regsvr32.exe  30             4
  PID 1068 wrote to memory of 1028  1068  regsvr32.exe  31             7
Processes
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f8e972a26117bd14f5ec4dca9de0244d0bfd29bbbfd9104b2ccdc49fa93416d8.dll
  PID: 980
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: /s C:\Users\Admin\AppData\Local\Temp\f8e972a26117bd14f5ec4dca9de0244d0bfd29bbbfd9104b2ccdc49fa93416d8.dll
    PID: 1068
    Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\ProgramData\temp\DE30.tmp.bat
      PID: 592
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\ProgramData\temp\EE47.tmp.bat
      PID: 1428
      Signatures: Deletes itself
    - C:\Windows\SysWOW64\regsvr32.exe
      Command line: regsvr32.exe /s "C:\ProgramData\Software\Microsoft\Windows\Defender\AutoUpdate.dll"
      PID: 1028
      Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken