Analysis
- max time kernel: 42s
- max time network: 53s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 02/10/2022, 20:24
Static task: static1
Behavioral task: behavioral1
- Sample: 39c25b45fb1cd7cfc3000bf0060799052000124ac10607f51d16e71e5dc35592.dll
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: 39c25b45fb1cd7cfc3000bf0060799052000124ac10607f51d16e71e5dc35592.dll
- Resource: win10v2004-20220812-en
General
- Target: 39c25b45fb1cd7cfc3000bf0060799052000124ac10607f51d16e71e5dc35592.dll
- Size: 216KB
- MD5: 3bc080b863aa68efa4a7a291c75e9ba9
- SHA1: 5c0b8b7a65e5437bdf0ce28839ac192108096f03
- SHA256: 39c25b45fb1cd7cfc3000bf0060799052000124ac10607f51d16e71e5dc35592
- SHA512: 28ae6ce0275037d0ea2de404be987089b4cad7ea5535565acf52596ba3740960b32cd92be568b6daf2caf1e6a7e8756c9ac8de49cef2c04fd3f9c2fe247b3c20
- SSDEEP: 6144:sv80ayHyYc7roVdQTuYOiWB1z1GC53DItkjzfip:sv8loDQy7DzZDzy
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 2044, process hrl388F.tmp
- Loads dropped DLL (2 IoCs)
  pid 1776, process rundll32.exe
  pid 1776, process rundll32.exe
- Enumerates connected drives (3 TTPs, 22 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) \??\G: by rundll32.exe
  File opened (read-only) \??\L: by rundll32.exe
  File opened (read-only) \??\R: by rundll32.exe
  File opened (read-only) \??\S: by rundll32.exe
  File opened (read-only) \??\T: by rundll32.exe
  File opened (read-only) \??\Y: by rundll32.exe
  File opened (read-only) \??\H: by rundll32.exe
  File opened (read-only) \??\I: by rundll32.exe
  File opened (read-only) \??\J: by rundll32.exe
  File opened (read-only) \??\K: by rundll32.exe
  File opened (read-only) \??\M: by rundll32.exe
  File opened (read-only) \??\W: by rundll32.exe
  File opened (read-only) \??\F: by rundll32.exe
  File opened (read-only) \??\P: by rundll32.exe
  File opened (read-only) \??\U: by rundll32.exe
  File opened (read-only) \??\V: by rundll32.exe
  File opened (read-only) \??\X: by rundll32.exe
  File opened (read-only) \??\E: by rundll32.exe
  File opened (read-only) \??\N: by rundll32.exe
  File opened (read-only) \??\O: by rundll32.exe
  File opened (read-only) \??\Q: by rundll32.exe
  File opened (read-only) \??\Z: by rundll32.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 1344 wrote to memory of 1776 (process 1344 rundll32.exe, procid_target 27)
  PID 1344 wrote to memory of 1776 (process 1344 rundll32.exe, procid_target 27)
  PID 1344 wrote to memory of 1776 (process 1344 rundll32.exe, procid_target 27)
  PID 1344 wrote to memory of 1776 (process 1344 rundll32.exe, procid_target 27)
  PID 1344 wrote to memory of 1776 (process 1344 rundll32.exe, procid_target 27)
  PID 1344 wrote to memory of 1776 (process 1344 rundll32.exe, procid_target 27)
  PID 1344 wrote to memory of 1776 (process 1344 rundll32.exe, procid_target 27)
  PID 1776 wrote to memory of 2044 (process 1776 rundll32.exe, procid_target 28)
  PID 1776 wrote to memory of 2044 (process 1776 rundll32.exe, procid_target 28)
  PID 1776 wrote to memory of 2044 (process 1776 rundll32.exe, procid_target 28)
  PID 1776 wrote to memory of 2044 (process 1776 rundll32.exe, procid_target 28)
Processes
- C:\Windows\system32\rundll32.exe (PID 1344)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\39c25b45fb1cd7cfc3000bf0060799052000124ac10607f51d16e71e5dc35592.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1776)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\39c25b45fb1cd7cfc3000bf0060799052000124ac10607f51d16e71e5dc35592.dll,#1
    - Loads dropped DLL
    - Enumerates connected drives
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\hrl388F.tmp (PID 2044)
      Command line: C:\Users\Admin\AppData\Local\Temp\hrl388F.tmp
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 209KB
  MD5: d5450d1885577b308d0c081acc8dcd0b
  SHA1: 5950c3ec40d452073e96438f60b9af67163fc87d
  SHA256: 4fd0feb1affaaf2790e36ffc86a72c9ced3077020d9037fbc62950f7b4becd2f
  SHA512: b0014a28244a33d2daf4d03d0bfaa487607158564b8993dfbaff6b193066bc8bbba1feac1ec7054e93ffa4867c7e0d7226caa36233887a9c9e8352aeb8115046