Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
25s -
max time network
33s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
27/11/2022, 02:33
General
-
Target
e43ccac45e02c58d44c1a33d5f00e3bb7f5c09ed795bd5b1c49fad31dd87d39d.dll
-
Size
778KB
-
MD5
3974164c07298d7dd19484092c261aa9
-
SHA1
a759c23af5c9fe9b6e9cf1ba79ddf0ae58078622
-
SHA256
e43ccac45e02c58d44c1a33d5f00e3bb7f5c09ed795bd5b1c49fad31dd87d39d
-
SHA512
7ce7e147b38fe9f20c0b5c3da28a1de3fcbb79b64b4ba92fefb8e73c25e437decbaa8ed5b88120500ef0f6e1d3d2507c05cadb54fcb1d1baba40d5a5ddc53a1e
-
SSDEEP
24576:4zb1MlCKUQyUmjtczu6Prs9pgWoopooK9kwPMLt8F:4zbKsUmjtcdPGgIwPMLyF
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious behavior: MapViewOfSection 24 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs2⤵
-
\\?\C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R3⤵
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork2⤵
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"2⤵
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation2⤵
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService2⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted2⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch2⤵
-
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\system32\wininit.exewininit.exe1⤵
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e43ccac45e02c58d44c1a33d5f00e3bb7f5c09ed795bd5b1c49fad31dd87d39d.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e43ccac45e02c58d44c1a33d5f00e3bb7f5c09ed795bd5b1c49fad31dd87d39d.dll,#13⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32mgr.exeC:\Windows\SysWOW64\rundll32mgr.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
-
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
119KB
MD5a979c6f227dcaa8187b48c02ce255991
SHA15a85d6cd0df89994e4e9ba5408f58edaeec0b659
SHA25691743a063518b5311e010124fc67e70907878458a393c48bfa9f56fdbe2edc6c
SHA512c4756abc9c40ee64898bed5e979a7cc91d01d0d574d57051153eab29b03143c63feeeb373794d01ad17810b52f937162dc266f0b4c31cd6dbfed541e1fd4299f
-
Filesize
119KB
MD5a979c6f227dcaa8187b48c02ce255991
SHA15a85d6cd0df89994e4e9ba5408f58edaeec0b659
SHA25691743a063518b5311e010124fc67e70907878458a393c48bfa9f56fdbe2edc6c
SHA512c4756abc9c40ee64898bed5e979a7cc91d01d0d574d57051153eab29b03143c63feeeb373794d01ad17810b52f937162dc266f0b4c31cd6dbfed541e1fd4299f
-
Filesize
119KB
MD5a979c6f227dcaa8187b48c02ce255991
SHA15a85d6cd0df89994e4e9ba5408f58edaeec0b659
SHA25691743a063518b5311e010124fc67e70907878458a393c48bfa9f56fdbe2edc6c
SHA512c4756abc9c40ee64898bed5e979a7cc91d01d0d574d57051153eab29b03143c63feeeb373794d01ad17810b52f937162dc266f0b4c31cd6dbfed541e1fd4299f
-
Filesize
164KB
-
Filesize
8KB
-
Filesize
800KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
48KB
-
Filesize
24KB