Analysis
max time kernel: 37s
max time network: 31s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 03/12/2022, 22:22
Static task: static1
Behavioral task: behavioral1
  Sample: 85e1ecc1992015d6f946a183ceaaf9e022fbcc36bdb2a7fa13bf2337f9c60c38.dll
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 85e1ecc1992015d6f946a183ceaaf9e022fbcc36bdb2a7fa13bf2337f9c60c38.dll
  Resource: win10v2004-20220812-en
General
Target: 85e1ecc1992015d6f946a183ceaaf9e022fbcc36bdb2a7fa13bf2337f9c60c38.dll
Size: 998KB
MD5: fd4fa44ae6b548123f7b136fb1811be9
SHA1: 426fe9207035c449b6fbd9e25bfeed5550e2bf94
SHA256: 85e1ecc1992015d6f946a183ceaaf9e022fbcc36bdb2a7fa13bf2337f9c60c38
SHA512: 457ba7a8acb1c0fd28bf143aa548dc8fb918d7edcf44ef83946e63a7ef95d3ba6a85caa49f80028e9f43522b8f62699c2af9794909e63f4391d95607cc70208f
SSDEEP: 24576:UeVlmJUzOLgGGDu/DtJvTyHOeF/l43kdz5oy1p:UriSLgPDQDtJvaOeY3kdz5
Malware Config
Signatures
Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Wine
  process: rundll32.exe

Checks whether UAC is enabled
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: rundll32.exe

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
  description: File opened for modification
  ioc: \??\PhysicalDrive0
  process: rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid: 1892
  process: rundll32.exe

Drops file in Windows directory (1 IoC)
  description: File opened for modification
  ioc: C:\Windows\install07185.log
  process: rundll32.exe

Modifies registry class (8 IoCs)
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA205D65-8B22-3E73-ADE5-A35F99E4}\ProdID = 571817289797e6d7  rundll32.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B45784DD-AD9E-22E1-FC63-7593D685}  rundll32.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B45784DD-AD9E-22E1-FC63-7593D685}\ProdID = 546b3e81546b3e81  rundll32.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5FE08F25-5BEA-FE82-285D-25F4D60A}  rundll32.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5FE08F25-5BEA-FE82-285D-25F4D60A}\ProdID = e719172a8795e6d5  rundll32.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9277DAF2-0800-B9F8-FD79-D1A5AB1E}  rundll32.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9277DAF2-0800-B9F8-FD79-D1A5AB1E}\ProdID = 84060fde84060fde  rundll32.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA205D65-8B22-3E73-ADE5-A35F99E4}  rundll32.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid: 1892
  process: rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                      pid   process       procid_target
  PID 2028 wrote to memory of 1892  2028  rundll32.exe  28
  PID 2028 wrote to memory of 1892  2028  rundll32.exe  28
  PID 2028 wrote to memory of 1892  2028  rundll32.exe  28
  PID 2028 wrote to memory of 1892  2028  rundll32.exe  28
  PID 2028 wrote to memory of 1892  2028  rundll32.exe  28
  PID 2028 wrote to memory of 1892  2028  rundll32.exe  28
  PID 2028 wrote to memory of 1892  2028  rundll32.exe  28
Processes

C:\Windows\system32\rundll32.exe (PID 2028)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\85e1ecc1992015d6f946a183ceaaf9e022fbcc36bdb2a7fa13bf2337f9c60c38.dll,#1
  signatures:
    Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (PID 1892, child of 2028)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\85e1ecc1992015d6f946a183ceaaf9e022fbcc36bdb2a7fa13bf2337f9c60c38.dll,#1
    signatures:
      Identifies Wine through registry keys
      Checks whether UAC is enabled
      Writes to the Master Boot Record (MBR)
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses