Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
02/11/2022, 17:53
Static task
static1
Behavioral task
behavioral1
Sample
FH.lnk
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral2
Sample
FH.lnk
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
chastened/imploded.cmd
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral4
Sample
chastened/imploded.cmd
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
chastened/misguide.dll
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral6
Sample
chastened/misguide.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
chastened/unlaundered.bat
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral8
Sample
chastened/unlaundered.bat
Resource
win10v2004-20220812-en
windows10-2004-x64
General
-
Target
chastened/misguide.dll
-
Size
347KB
-
MD5
34bbb09aaaf3ab8ecfce01ebc66778c6
-
SHA1
019d75e7bd16d009c9831edfdf15aa8ac9606426
-
SHA256
0a987565d6217b3602c32a4edb56889b4837232a90aa3568063e911ebcb86089
-
SHA512
f724c557e397b66c63b22cc0fbba57a0773c05a0c4d3492299f455bd5f4843e2b6df5d5cbdcd17e1e672d674eda17797a3f14efecb34caf2bf3ba97e5b2617a4
-
SSDEEP
6144:90kc/Pk5/zMNl5VcDQg2Vn9FJzV0hNy/KKfZytKjiQwWsjQo/eWP/qhX7fdIU:903/c/zMdANsn9HzHrx3zsNmA/qN2U
Malware Config
Signatures
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 872 regsvr32.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe 1448 wermgr.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 872 regsvr32.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 896 wrote to memory of 872 896 regsvr32.exe 27 PID 896 wrote to memory of 872 896 regsvr32.exe 27 PID 896 wrote to memory of 872 896 regsvr32.exe 27 PID 896 wrote to memory of 872 896 regsvr32.exe 27 PID 896 wrote to memory of 872 896 regsvr32.exe 27 PID 896 wrote to memory of 872 896 regsvr32.exe 27 PID 896 wrote to memory of 872 896 regsvr32.exe 27 PID 872 wrote to memory of 1448 872 regsvr32.exe 28 PID 872 wrote to memory of 1448 872 regsvr32.exe 28 PID 872 wrote to memory of 1448 872 regsvr32.exe 28 PID 872 wrote to memory of 1448 872 regsvr32.exe 28 PID 872 wrote to memory of 1448 872 regsvr32.exe 28 PID 872 wrote to memory of 1448 872 regsvr32.exe 28
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\chastened\misguide.dll1⤵
- Suspicious use of WriteProcessMemory
PID:896 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\chastened\misguide.dll2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\SysWOW64\wermgr.exeC:\Windows\SysWOW64\wermgr.exe3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1448
-
-