Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

b589b79d19...25.dll

windows7-x64

8

b589b79d19...25.dll

windows10-2004-x64

8

Analysis

  • max time kernel
    133s
  • max time network
    85s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    20/10/2022, 05:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b589b79d19de9389c621142fc05f9bd180a1c84f7d2ee701d6f8ace9e0ccab25.dll

  • Size

    1.6MB

  • MD5

    80a52efd0c41ba37770c711fb85ca4f0

  • SHA1

    508a62cdf6835cc78fb90d2a0723bf55e3556b90

  • SHA256

    b589b79d19de9389c621142fc05f9bd180a1c84f7d2ee701d6f8ace9e0ccab25

  • SHA512

    2e59884bf8dfffcefc3ac67d56b399b2a00bd5cefd7cec4be1ad164115b6d41b5547419ff85aa1e4dc82a593a3b2ee7561ad358abc3e30b39c3a1580a21fc025

  • SSDEEP

    3072:G3huG90E7NOkdvaURX0iyUhfImen+ELTD2qnFkscO8Nw0r8usH3:euG9nN91R0iHFI1LTDpeK8Os

Score
8/10
persistence

Malware Config

Signatures

  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b589b79d19de9389c621142fc05f9bd180a1c84f7d2ee701d6f8ace9e0ccab25.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:992
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\b589b79d19de9389c621142fc05f9bd180a1c84f7d2ee701d6f8ace9e0ccab25.dll,#1
      2⤵
      • Sets DLL path for service in the registry
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:928
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c net start COMSysApp
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1392
        • C:\Windows\SysWOW64\net.exe
          net start COMSysApp
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:804
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 start COMSysApp
            5⤵
              PID:536
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c net start SENS
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1844
          • C:\Windows\SysWOW64\net.exe
            net start SENS
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1696
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 start SENS
              5⤵
                PID:1668
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k DcomLaunch
        1⤵
          PID:596
        • C:\Windows\system32\dllhost.exe
          C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
          1⤵
          • Drops file in Windows directory
          PID:1028

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/928-55-0x0000000076561000-0x0000000076563000-memory.dmp

          Filesize

          8KB

          Download

        • memory/928-58-0x00000000001F0000-0x000000000021D000-memory.dmp

          Filesize

          180KB

          Download

        • memory/928-61-0x0000000000320000-0x0000000000346000-memory.dmp

          Filesize

          152KB

          Download