Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

09/02/2023, 12:02

230209-n7e4pabe53 7

09/02/2023, 12:01

230209-n7bq9sbb7y 7

21/01/2022, 22:50

220121-2sqtjabgf5 9

Analysis

  • max time kernel
    137s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    21/01/2022, 22:50

General

  • Target

    f8e972a26117bd14f5ec4dca9de0244d0bfd29bbbfd9104b2ccdc49fa93416d8.dll

  • Size

    143KB

  • MD5

    80a2bb7884b8bad4a8e83c2cb03ee343

  • SHA1

    6620029006c7174987ddcbe48dc0d4ceb6fe584c

  • SHA256

    f8e972a26117bd14f5ec4dca9de0244d0bfd29bbbfd9104b2ccdc49fa93416d8

  • SHA512

    6af7016a956f226fe38cfe9fb6cb64044cb47706a509dc117c061f92ea30e59013936dd942ab1a1744d080a30e6d0605866b694edf761e32818e9208af21a85c

Score
9/10

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f8e972a26117bd14f5ec4dca9de0244d0bfd29bbbfd9104b2ccdc49fa93416d8.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:980
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\f8e972a26117bd14f5ec4dca9de0244d0bfd29bbbfd9104b2ccdc49fa93416d8.dll
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1068
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\ProgramData\temp\DE30.tmp.bat
        3⤵
          PID:592
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\ProgramData\temp\EE47.tmp.bat
          3⤵
          • Deletes itself
          PID:1428
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32.exe /s "C:\ProgramData\Software\Microsoft\Windows\Defender\AutoUpdate.dll"
          3⤵
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          PID:1028

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/980-54-0x000007FEFB591000-0x000007FEFB593000-memory.dmp

      Filesize

      8KB

    • memory/1068-55-0x00000000751B1000-0x00000000751B3000-memory.dmp

      Filesize

      8KB