Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    01/12/2022, 19:34

General

  • Target

    adddfe33c6f6b1201aeac2907d07f777502398991c858b959d8309df337d2c0f.dll

  • Size

    23KB

  • MD5

    59856d1926c9f4846cc4efeac492acae

  • SHA1

    1cdc90969c610d9bf036a91e7ebfb878915f2664

  • SHA256

    adddfe33c6f6b1201aeac2907d07f777502398991c858b959d8309df337d2c0f

  • SHA512

    e40097ec7dd46d404eb333d2d99d74a42a5cf1dd35bd5e4656d8ab4891bd54e7b47d435b18f21ed9108ee61ae9d597bb3e8fcc48088dab78a264e45a53dc784e

  • SSDEEP

    384:pYIp8RA0nHWX2I/LuE1iOLSgHu0OtjryMu2iFoNTlpRSIUtLDRw9s:p5qAEQuE1XLSgHV2jryMCmBpnYL12

Score
8/10

Malware Config

Signatures

  • Sets DLL path for service in the registry 2 TTPs 2 IoCs
  • Sets service image path in registry 2 TTPs 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    1⤵
      PID:336
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\adddfe33c6f6b1201aeac2907d07f777502398991c858b959d8309df337d2c0f.dll,#1
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1520
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\adddfe33c6f6b1201aeac2907d07f777502398991c858b959d8309df337d2c0f.dll,#1
        2⤵
        • Sets DLL path for service in the registry
        • Sets service image path in registry
        • Drops file in System32 directory
        PID:688
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k netsvcs
      1⤵
      • Sets DLL path for service in the registry
      • Sets service image path in registry
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1108

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \??\c:\windows\SysWOW64\winmide32.dll

      Filesize

      23KB

      MD5

      59856d1926c9f4846cc4efeac492acae

      SHA1

      1cdc90969c610d9bf036a91e7ebfb878915f2664

      SHA256

      adddfe33c6f6b1201aeac2907d07f777502398991c858b959d8309df337d2c0f

      SHA512

      e40097ec7dd46d404eb333d2d99d74a42a5cf1dd35bd5e4656d8ab4891bd54e7b47d435b18f21ed9108ee61ae9d597bb3e8fcc48088dab78a264e45a53dc784e

    • \Windows\SysWOW64\winmide32.dll

      Filesize

      23KB

      MD5

      59856d1926c9f4846cc4efeac492acae

      SHA1

      1cdc90969c610d9bf036a91e7ebfb878915f2664

      SHA256

      adddfe33c6f6b1201aeac2907d07f777502398991c858b959d8309df337d2c0f

      SHA512

      e40097ec7dd46d404eb333d2d99d74a42a5cf1dd35bd5e4656d8ab4891bd54e7b47d435b18f21ed9108ee61ae9d597bb3e8fcc48088dab78a264e45a53dc784e

    • memory/336-61-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

      Filesize

      4KB

    • memory/688-55-0x0000000074D61000-0x0000000074D63000-memory.dmp

      Filesize

      8KB

    • memory/688-59-0x0000000010000000-0x000000001001F000-memory.dmp

      Filesize

      124KB

    • memory/1108-60-0x0000000010000000-0x000000001001F000-memory.dmp

      Filesize

      124KB