Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 183s
- max time network: 189s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 07/11/2022, 06:21
Static task
- static1
Behavioral task
- behavioral1: sample c6a6e8fb770c9d9ba417208c828873fb74170417d18d5e15c4b37792a344e812.dll, resource win7-20220812-en
- behavioral2: sample c6a6e8fb770c9d9ba417208c828873fb74170417d18d5e15c4b37792a344e812.dll, resource win10v2004-20220812-en
General
- Target: c6a6e8fb770c9d9ba417208c828873fb74170417d18d5e15c4b37792a344e812.dll
- Size: 435KB
- MD5: 09400ce5661a66203f972b62f555d38b
- SHA1: baeff48d5b45fa207079a23a6425f4d956731b2e
- SHA256: c6a6e8fb770c9d9ba417208c828873fb74170417d18d5e15c4b37792a344e812
- SHA512: 8469c11f811bb97b9c85ba1e4edfc464db8842205b00cff7249cbb39a8c73c7af0825f7fe75a4c58f43bed1f653d9331b71a6101f102989e9f5bc5a6b33c65e7
- SSDEEP: 12288:rXVQ5IHfzePx36jh7d60KzHBJ8If3qNctO3CwZXhhzVwvl:rC5enZQ4IfjtiC2hhid
Malware Config
Signatures
- Blocklisted process makes network request (8 IoCs)
  flow  pid  Process
  7     932  rundll32.exe
  9     932  rundll32.exe
  10    932  rundll32.exe
  11    932  rundll32.exe
  12    932  rundll32.exe
  13    932  rundll32.exe
  14    932  rundll32.exe
  15    932  rundll32.exe
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description                   ioc                 Process
  File opened for modification  \??\PhysicalDrive0  rundll32.exe
- Drops file in System32 directory (2 IoCs)
  description   ioc                              Process
  File created  C:\Windows\SysWOW64\-5990-11979  rundll32.exe
  File created  C:\Windows\SysWOW64\278          rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description                     pid  Process       procid_target
  PID 976 wrote to memory of 932  976  rundll32.exe  28
  (the same entry is recorded 7 times)
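The MBR signature above records a handle to \??\PhysicalDrive0 opened for modification, which is all a sandbox can see; it does not tell you what changed in the sector. The following is an added example, not part of the tria.ge report or the sample, showing how an analyst can parse the first sector of a disk and compare it against a known-good baseline to separate boot-code replacement (the bootkit case) from a partition-table or disk-signature change. The two 512-byte sectors are constructed in the block; `read_first_sector` is an assumed helper that reads `\\.\PhysicalDrive0` (the Win32 name for the kernel object \??\PhysicalDrive0) when run with administrator rights on Windows, or any raw disk image file.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511 of a valid MBR
BOOT_CODE_LEN = 440            # bytes 0-439 hold the boot loader code
PTABLE_OFFSET = 446            # four 16-byte partition entries follow


def read_first_sector(path):
    """Read the first sector of a raw disk or image file.

    On Windows, with administrator rights, path can be r"\\.\PhysicalDrive0";
    that is the Win32 name of the kernel object \??\PhysicalDrive0 in the IoC.
    """
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def parse_mbr(sector):
    """Split a 512-byte MBR into boot code, disk signature, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    partitions = []
    for i in range(4):
        off = PTABLE_OFFSET + i * 16
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype == 0:          # empty entry
            continue
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code": sector[:BOOT_CODE_LEN],
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", sector[440:444])[0],
        "partitions": partitions,
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(baseline, current):
    """Compare the current first sector with a known-good baseline; return a list of findings."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not cur["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if cur["boot_code"] != base["boot_code"]:
        findings.append("boot code differs from baseline (possible bootkit)")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table differs from baseline")
    if cur["disk_signature"] != base["disk_signature"]:
        findings.append("disk signature changed")
    return findings


def build_mbr(boot_code, disk_signature, partitions):
    """Assemble a constructed MBR for testing (the boot code bytes are not a real loader)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    sector[440:444] = struct.pack("<I", disk_signature)
    for i, (bootable, ptype, lba_start, sectors) in enumerate(partitions):
        off = PTABLE_OFFSET + i * 16
        sector[off:off + 16] = struct.pack("<B3sB3sII", 0x80 if bootable else 0x00,
                                           b"\xfe\xff\xff", ptype, b"\xfe\xff\xff",
                                           lba_start, sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed sample sectors: a "known good" MBR and the same disk after its
# boot code has been overwritten while the partition table is left untouched.
PARTITIONS = [(True, 0x07, 2048, 204800)]
BASELINE_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 32, 0x1234ABCD, PARTITIONS)
TAMPERED_MBR = build_mbr(b"\xeb\xfe" + b"\x00" * 8, 0x1234ABCD, PARTITIONS)

if __name__ == "__main__":
    for name, sector in (("baseline", BASELINE_MBR), ("tampered", TAMPERED_MBR)):
        print(name, parse_mbr(sector)["boot_code_sha256"][:16], check_mbr(BASELINE_MBR, sector))
```

In practice the baseline is the sector captured from a clean image of the same build; a bootkit keeps the partition table and disk signature intact so the OS still boots, so the boot-code comparison is the finding that matters, and a missing 0x55AA signature usually means a failed or interrupted write rather than a working implant.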
Processes
- C:\Windows\system32\rundll32.exe (PID 976)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c6a6e8fb770c9d9ba417208c828873fb74170417d18d5e15c4b37792a344e812.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 932, child of 976)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c6a6e8fb770c9d9ba417208c828873fb74170417d18d5e15c4b37792a344e812.dll,#1
    - Blocklisted process makes network request
    - Writes to the Master Boot Record (MBR)
    - Drops file in System32 directory
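The process tree shows the pattern a detection engineer should key on: the 64-bit rundll32.exe (PID 976) re-launching the SysWOW64 copy (PID 932) with the same DLL and export ordinal is how rundll32 handles a 32-bit DLL on a 64-bit host, so the WriteProcessMemory entry by itself is weak evidence; the network flows, the PhysicalDrive0 write and the SysWOW64 file drops by the child are what make this tree worth an alert. The following is an added example, not part of the tria.ge report or the sample, that runs that reasoning over constructed Sysmon-style events mirroring the tree (pids 976 and 932) plus a benign rundll32 invocation (pid 1500) for contrast; the event shape, the field names and the sample DLL path are assumptions made for the example.

```python
import re
from collections import defaultdict

RUNDLL32 = re.compile(r"\\rundll32\.exe$", re.IGNORECASE)
# \??\PhysicalDriveN (kernel name, as in the sandbox IoC) or \\.\PhysicalDriveN (Win32 name)
RAW_DISK = re.compile(r"^(\\\?\?\\|\\\\\.\\)PhysicalDrive\d+$", re.IGNORECASE)
SYSTEM_DIRS = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\", re.IGNORECASE)

# Constructed events in a simplified Sysmon-like shape (not the report's raw data).
# pids 976/932 mirror the report's tree; pid 1500 is a benign rundll32 for contrast.
SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\sample.dll"
EVENTS = [
    {"type": "process", "pid": 976, "ppid": 400,
     "image": r"C:\Windows\system32\rundll32.exe", "cmdline": "rundll32.exe %s,#1" % SAMPLE_DLL},
    {"type": "process", "pid": 932, "ppid": 976,
     "image": r"C:\Windows\SysWOW64\rundll32.exe", "cmdline": "rundll32.exe %s,#1" % SAMPLE_DLL},
    {"type": "network", "pid": 932, "dst": "203.0.113.10:443"},
    {"type": "network", "pid": 932, "dst": "203.0.113.11:443"},
    {"type": "network", "pid": 932, "dst": "203.0.113.12:80"},
    {"type": "file", "pid": 932, "path": r"\??\PhysicalDrive0", "access": "write"},
    {"type": "file", "pid": 932, "path": r"C:\Windows\SysWOW64\278", "access": "create"},
    {"type": "process", "pid": 1500, "ppid": 400,
     "image": r"C:\Windows\system32\rundll32.exe", "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "file", "pid": 1500, "path": r"C:\Users\Admin\AppData\Local\Temp\cpl.tmp", "access": "create"},
]


def rundll32_processes(events):
    """Map pid -> process event for every rundll32.exe seen."""
    return {e["pid"]: e for e in events
            if e["type"] == "process" and RUNDLL32.search(e["image"])}


def tag_events(events):
    """Attach behaviour tags to each rundll32 pid that did something notable."""
    procs = rundll32_processes(events)
    tags = defaultdict(list)
    for e in events:
        pid = e["pid"]
        if pid not in procs:
            continue
        if e["type"] == "process" and e["ppid"] in procs:
            # 64-bit rundll32 re-launching the SysWOW64 copy for a 32-bit DLL is
            # normal WOW64 behaviour; keep it as context, not as an alert on its own.
            tags[pid].append("rundll32_child_of_rundll32")
        elif e["type"] == "network":
            tags[pid].append("network")
        elif e["type"] == "file":
            if e["access"] == "write" and RAW_DISK.match(e["path"]):
                tags[pid].append("raw_disk_write")
            elif e["access"] == "create" and SYSTEM_DIRS.match(e["path"]):
                tags[pid].append("system_dir_drop")
    return dict(tags)


def alerts(events):
    """Return pid -> severity for rundll32 instances worth escalating."""
    out = {}
    for pid, t in tag_events(events).items():
        s = set(t)
        if "raw_disk_write" in s:
            out[pid] = "high"     # rundll32 writing a physical drive: possible MBR bootkit
        elif "network" in s and "system_dir_drop" in s:
            out[pid] = "medium"   # network activity plus drops into a system directory
    return out


if __name__ == "__main__":
    for pid, sev in alerts(EVENTS).items():
        print(pid, sev, sorted(set(tag_events(EVENTS)[pid])))
```

Run against the constructed events only pid 932 is escalated, and it is escalated for what the child process did, not for being spawned by another rundll32; the parent (976) and the benign Control Panel launch (1500) produce no tags at all.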