Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
- submitted: 30/10/2022, 11:44
Static task: static1
Behavioral task: behavioral1
- Sample: f191664e09320044aea809e4972e61cbdd25de7c7d96c22b1ac843933309b928.dll
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: f191664e09320044aea809e4972e61cbdd25de7c7d96c22b1ac843933309b928.dll
- Resource: win10v2004-20220901-en
General
- Target: f191664e09320044aea809e4972e61cbdd25de7c7d96c22b1ac843933309b928.dll
- Size: 71KB
- MD5: 9340fa9e8a2c8eb8566a700001a39087
- SHA1: 4b457daf14d5029a53b7f2696afbb1651df12554
- SHA256: f191664e09320044aea809e4972e61cbdd25de7c7d96c22b1ac843933309b928
- SHA512: 57d6b7adb40274b1b98f1d2204d8415cd22fda01026688ce6b09e4a242b7ecb06a347bfb866eba41f45456549c195b882a32422431dfb431a6a8d51fbcef2537
- SSDEEP: 768:0kSpisvuzgdwMG9hl7c1M5uEcnZ99AO3z9p38MpMXTnkx+UZJnbkpHx4Bn4LZ7:9SplSbm1rtAO3zfMMpwD4nJnbhBn49
Malware Config
Signatures
- Blocklisted process makes network request (7 IoCs)
  flow / pid / Process: flows 4, 8, 10, 11, 12, 15, 16 from pid 1508 rundll32.exe
- Loads dropped DLL (4 IoCs)
  pid / Process: 1508 rundll32.exe (4 entries)
- Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files\Common Files\Microsoft Shared\bjhgf.dll (rundll32.exe)
  File opened for modification: C:\Program Files\Common Files\Microsoft Shared\bjhgf.dll (rundll32.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs .reg file with regedit (1 IoCs)
  pid / Process: 1756 regedit.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process: 1508 rundll32.exe (64 entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeDebugPrivilege, pid 1508 rundll32.exe (64 entries)
- Suspicious use of WriteProcessMemory (18 IoCs)
  PID 1808 (rundll32.exe) wrote to memory of 1988, procid_target 27 (7 entries)
  PID 1988 (rundll32.exe) wrote to memory of 1756, procid_target 28 (4 entries)
  PID 1988 (rundll32.exe) wrote to memory of 1508, procid_target 29 (7 entries)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f191664e09320044aea809e4972e61cbdd25de7c7d96c22b1ac843933309b928.dll,#1
  PID: 1808
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f191664e09320044aea809e4972e61cbdd25de7c7d96c22b1ac843933309b928.dll,#1
    PID: 1988
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\regedit.exe
      Command line: regedit.exe -s "C:\Users\Admin\AppData\Local\Temp\bjhgfreg.reg"
      PID: 1756
      - Runs .reg file with regedit
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" "C:\Program Files\Common Files\Microsoft Shared\bjhgf.dll",polmxhat
      PID: 1508
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 71KB
  MD5: 9340fa9e8a2c8eb8566a700001a39087
  SHA1: 4b457daf14d5029a53b7f2696afbb1651df12554
  SHA256: f191664e09320044aea809e4972e61cbdd25de7c7d96c22b1ac843933309b928
  SHA512: 57d6b7adb40274b1b98f1d2204d8415cd22fda01026688ce6b09e4a242b7ecb06a347bfb866eba41f45456549c195b882a32422431dfb431a6a8d51fbcef2537