Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    132s
  • max time network
    173s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    03/12/2022, 20:03

General

  • Target

    81a3eac5452fb3c51b86bd2375d0e806e4e9a2b9ed11fd33c3f15dc12cf32c9b.dll

  • Size

    66KB

  • MD5

    9665fc0bee2f17c2ac783a63231e9e71

  • SHA1

    069e651a0dab5c96dc8d3cdefc0b186fe24cbe73

  • SHA256

    81a3eac5452fb3c51b86bd2375d0e806e4e9a2b9ed11fd33c3f15dc12cf32c9b

  • SHA512

    85f31bb1ed2a7465bc643d487e95931faebbc73374dbaf3c5c136acddbc4efe61b9df230cdfe7b50f9a1f93de62fb9044383167fcc18c67ce916d6a881d24a35

  • SSDEEP

    768:hojY9PAJdMmJyj0Ml+oi/XSpSZbVfD0KoWyHaojY9PoufrNu/1IZoYgoah:0mIJdMmJyDl+tVZpoWyHjmgufyIZoYg

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates connected drives 3 TTPs 44 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 49 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:480
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      1⤵
        PID:472
        • C:\Windows\System32\svchost.exe
          C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
          2⤵
            PID:800
            • C:\Windows\system32\Dwm.exe
              "C:\Windows\system32\Dwm.exe"
              3⤵
                PID:1200
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
              2⤵
                PID:1032
              • C:\Windows\system32\sppsvc.exe
                C:\Windows\system32\sppsvc.exe
                2⤵
                  PID:304
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                  2⤵
                    PID:1016
                  • C:\Windows\system32\taskhost.exe
                    "taskhost.exe"
                    2⤵
                      PID:1112
                    • C:\Windows\System32\spoolsv.exe
                      C:\Windows\System32\spoolsv.exe
                      2⤵
                        PID:328
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k NetworkService
                        2⤵
                          PID:276
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k netsvcs
                          2⤵
                            PID:864
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k LocalService
                            2⤵
                              PID:836
                            • C:\Windows\System32\svchost.exe
                              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                              2⤵
                                PID:736
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k RPCSS
                                2⤵
                                  PID:656
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k DcomLaunch
                                  2⤵
                                    PID:576
                                  • C:\Windows\SysWOW64\vcflye.exe
                                    C:\Windows\SysWOW64\vcflye.exe
                                    2⤵
                                    • Executes dropped EXE
                                    • Loads dropped DLL
                                    • Enumerates connected drives
                                    • Drops file in System32 directory
                                    • Drops file in Program Files directory
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious behavior: MapViewOfSection
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of SetWindowsHookEx
                                    PID:300
                                • C:\Windows\system32\winlogon.exe
                                  winlogon.exe
                                  1⤵
                                    PID:420
                                  • C:\Windows\system32\csrss.exe
                                    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                    1⤵
                                      PID:384
                                    • C:\Windows\system32\wininit.exe
                                      wininit.exe
                                      1⤵
                                        PID:368
                                        • C:\Windows\system32\lsm.exe
                                          C:\Windows\system32\lsm.exe
                                          2⤵
                                            PID:488
                                        • C:\Windows\system32\wbem\wmiprvse.exe
                                          C:\Windows\system32\wbem\wmiprvse.exe
                                          1⤵
                                            PID:1976
                                          • \\?\C:\Windows\system32\wbem\WMIADAP.EXE
                                            wmiadap.exe /F /T /R
                                            1⤵
                                              PID:1716
                                            • C:\Windows\Explorer.EXE
                                              C:\Windows\Explorer.EXE
                                              1⤵
                                                PID:1248
                                                • C:\Windows\system32\rundll32.exe
                                                  rundll32.exe C:\Users\Admin\AppData\Local\Temp\81a3eac5452fb3c51b86bd2375d0e806e4e9a2b9ed11fd33c3f15dc12cf32c9b.dll,#1
                                                  2⤵
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:2020
                                                  • C:\Windows\SysWOW64\rundll32.exe
                                                    rundll32.exe C:\Users\Admin\AppData\Local\Temp\81a3eac5452fb3c51b86bd2375d0e806e4e9a2b9ed11fd33c3f15dc12cf32c9b.dll,#1
                                                    3⤵
                                                    • Loads dropped DLL
                                                    • Enumerates connected drives
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:604
                                                    • C:\Users\Admin\AppData\Local\Temp\hrl7946.tmp
                                                      C:\Users\Admin\AppData\Local\Temp\hrl7946.tmp
                                                      4⤵
                                                      • Executes dropped EXE
                                                      • Drops file in System32 directory
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious behavior: MapViewOfSection
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • Suspicious use of SetWindowsHookEx
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:1128

                                              Network

                                              MITRE ATT&CK Enterprise v6

                                              Replay Monitor

                                              Loading Replay Monitor...

                                              Downloads

                                              • C:\Users\Admin\AppData\Local\Temp\hrl7946.tmp

                                                Filesize

                                                58KB

                                                MD5

                                                f38f95243e1761511897c89d8c6dd3ad

                                                SHA1

                                                b2ecf1a101c65c070b79a5ee307da34d937a2bfc

                                                SHA256

                                                172164eec732a70210edc7c07849fcc193e0849c70e4a9a46a9e66b6579094aa

                                                SHA512

                                                9a30bce99c7e00b14abf7e2d9aadb1797e65e0c9a9f42dc58d3aae2481b81c70c50aea67c1a46e0494f660327c4c95172c9e18af79d68b8211b9e23d14ca77bf

                                              • C:\Users\Admin\AppData\Local\Temp\hrl7946.tmp

                                                Filesize

                                                58KB

                                                MD5

                                                f38f95243e1761511897c89d8c6dd3ad

                                                SHA1

                                                b2ecf1a101c65c070b79a5ee307da34d937a2bfc

                                                SHA256

                                                172164eec732a70210edc7c07849fcc193e0849c70e4a9a46a9e66b6579094aa

                                                SHA512

                                                9a30bce99c7e00b14abf7e2d9aadb1797e65e0c9a9f42dc58d3aae2481b81c70c50aea67c1a46e0494f660327c4c95172c9e18af79d68b8211b9e23d14ca77bf

                                              • C:\WINDOWS\SysWOW64\VCFLYE.EXE

                                                Filesize

                                                58KB

                                                MD5

                                                f38f95243e1761511897c89d8c6dd3ad

                                                SHA1

                                                b2ecf1a101c65c070b79a5ee307da34d937a2bfc

                                                SHA256

                                                172164eec732a70210edc7c07849fcc193e0849c70e4a9a46a9e66b6579094aa

                                                SHA512

                                                9a30bce99c7e00b14abf7e2d9aadb1797e65e0c9a9f42dc58d3aae2481b81c70c50aea67c1a46e0494f660327c4c95172c9e18af79d68b8211b9e23d14ca77bf

                                              • C:\Windows\SysWOW64\vcflye.exe

                                                Filesize

                                                58KB

                                                MD5

                                                f38f95243e1761511897c89d8c6dd3ad

                                                SHA1

                                                b2ecf1a101c65c070b79a5ee307da34d937a2bfc

                                                SHA256

                                                172164eec732a70210edc7c07849fcc193e0849c70e4a9a46a9e66b6579094aa

                                                SHA512

                                                9a30bce99c7e00b14abf7e2d9aadb1797e65e0c9a9f42dc58d3aae2481b81c70c50aea67c1a46e0494f660327c4c95172c9e18af79d68b8211b9e23d14ca77bf

                                              • \Users\Admin\AppData\Local\Temp\hrl7946.tmp

                                                Filesize

                                                58KB

                                                MD5

                                                f38f95243e1761511897c89d8c6dd3ad

                                                SHA1

                                                b2ecf1a101c65c070b79a5ee307da34d937a2bfc

                                                SHA256

                                                172164eec732a70210edc7c07849fcc193e0849c70e4a9a46a9e66b6579094aa

                                                SHA512

                                                9a30bce99c7e00b14abf7e2d9aadb1797e65e0c9a9f42dc58d3aae2481b81c70c50aea67c1a46e0494f660327c4c95172c9e18af79d68b8211b9e23d14ca77bf

                                              • \Users\Admin\AppData\Local\Temp\hrl7946.tmp

                                                Filesize

                                                58KB

                                                MD5

                                                f38f95243e1761511897c89d8c6dd3ad

                                                SHA1

                                                b2ecf1a101c65c070b79a5ee307da34d937a2bfc

                                                SHA256

                                                172164eec732a70210edc7c07849fcc193e0849c70e4a9a46a9e66b6579094aa

                                                SHA512

                                                9a30bce99c7e00b14abf7e2d9aadb1797e65e0c9a9f42dc58d3aae2481b81c70c50aea67c1a46e0494f660327c4c95172c9e18af79d68b8211b9e23d14ca77bf

                                              • \Windows\SysWOW64\hra33.dll

                                                Filesize

                                                66KB

                                                MD5

                                                9665fc0bee2f17c2ac783a63231e9e71

                                                SHA1

                                                069e651a0dab5c96dc8d3cdefc0b186fe24cbe73

                                                SHA256

                                                81a3eac5452fb3c51b86bd2375d0e806e4e9a2b9ed11fd33c3f15dc12cf32c9b

                                                SHA512

                                                85f31bb1ed2a7465bc643d487e95931faebbc73374dbaf3c5c136acddbc4efe61b9df230cdfe7b50f9a1f93de62fb9044383167fcc18c67ce916d6a881d24a35

                                              • memory/300-72-0x0000000000400000-0x0000000000412000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/300-68-0x0000000000400000-0x0000000000412000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/604-62-0x0000000000160000-0x0000000000172000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/604-64-0x0000000000160000-0x0000000000172000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/604-61-0x0000000000160000-0x0000000000172000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/604-55-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

                                                Filesize

                                                8KB

                                              • memory/1128-63-0x0000000000400000-0x0000000000412000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/1128-66-0x0000000000400000-0x0000000000412000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/1128-67-0x000000007EF90000-0x000000007EF9A000-memory.dmp

                                                Filesize

                                                40KB