Analysis
max time kernel: 132s
max time network: 173s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 03/12/2022, 20:03
Static task
static1
Behavioral task
behavioral1: sample 81a3eac5452fb3c51b86bd2375d0e806e4e9a2b9ed11fd33c3f15dc12cf32c9b.dll, resource win7-20221111-en (the run this report describes)
Behavioral task
behavioral2: sample 81a3eac5452fb3c51b86bd2375d0e806e4e9a2b9ed11fd33c3f15dc12cf32c9b.dll, resource win10v2004-20221111-en
General
Target: 81a3eac5452fb3c51b86bd2375d0e806e4e9a2b9ed11fd33c3f15dc12cf32c9b.dll
Size: 66KB
MD5: 9665fc0bee2f17c2ac783a63231e9e71
SHA1: 069e651a0dab5c96dc8d3cdefc0b186fe24cbe73
SHA256: 81a3eac5452fb3c51b86bd2375d0e806e4e9a2b9ed11fd33c3f15dc12cf32c9b
SHA512: 85f31bb1ed2a7465bc643d487e95931faebbc73374dbaf3c5c136acddbc4efe61b9df230cdfe7b50f9a1f93de62fb9044383167fcc18c67ce916d6a881d24a35
SSDEEP: 768:hojY9PAJdMmJyj0Ml+oi/XSpSZbVfD0KoWyHaojY9PoufrNu/1IZoYgoah:0mIJdMmJyDl+tVZpoWyHjmgufyIZoYg
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  PID 1128  hrl7946.tmp
  PID 300   vcflye.exe
Loads dropped DLL (3 IoCs)
  PID 604   rundll32.exe  (2 events)
  PID 300   vcflye.exe
Enumerates connected drives (3 TTPs, 44 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only)  \??\E: through \??\Z:  rundll32.exe  (all 22 letters E to Z, one open each)
  File opened (read-only)  \??\E: through \??\Z:  vcflye.exe    (all 22 letters E to Z, one open each)
Drops file in System32 directory (3 IoCs)
  File created                  C:\Windows\SysWOW64\vcflye.exe  hrl7946.tmp
  File opened for modification  C:\Windows\SysWOW64\vcflye.exe  hrl7946.tmp
  File created                  C:\Windows\SysWOW64\hra33.dll   vcflye.exe
Drops file in Program Files directory (2 IoCs)
  File created                  C:\Program Files\7-Zip\lpk.dll  vcflye.exe
  File opened for modification  C:\Program Files\7-Zip\lpk.dll  vcflye.exe
  lpk.dll is the name of a Windows system DLL (Language Pack) that most GUI programs load at start-up; a copy placed in an application directory is found ahead of the system copy by the executables in that directory (DLL search-order hijacking). The report shows only 7-Zip because that is what was installed on the sandbox image, so a hunt should check every application directory for an out-of-place lpk.dll, not just that one.
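Added example, not part of the tria.ge report: a Python hunt over an offline copy of a system drive for the file indicators above. It checks for the exact dropped paths, for the report's SHA256 values, and, generalizing from the 7-Zip drop, for any lpk.dll outside System32/SysWOW64, which is the search-order hijack placement. The directory tree it scans is constructed sample data with placeholder bytes; the DROPPED_PATHS, IOC_SHA256 and LPK_LEGIT_DIRS names are mine.

```python
"""Offline hunt for the file indicators in this report (added example, not report content)."""
import hashlib
import tempfile
from pathlib import Path

# Exact drive-relative paths the report records as created on the sandbox.
DROPPED_PATHS = {
    r"Windows\SysWOW64\vcflye.exe",
    r"Windows\SysWOW64\hra33.dll",
    r"Program Files\7-Zip\lpk.dll",
}

# SHA256 values from the report: the submitted DLL and the 58KB file in Downloads.
IOC_SHA256 = {
    "81a3eac5452fb3c51b86bd2375d0e806e4e9a2b9ed11fd33c3f15dc12cf32c9b",
    "172164eec732a70210edc7c07849fcc193e0849c70e4a9a46a9e66b6579094aa",
}

# The only directories where lpk.dll legitimately lives; a copy anywhere else next to
# an executable is the search-order hijack placement seen with C:\Program Files\7-Zip\lpk.dll.
LPK_LEGIT_DIRS = {r"windows\system32", r"windows\syswow64"}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _win_rel(path: Path, root: Path) -> str:
    """Drive-relative path in Windows form, lower-cased for case-insensitive matching."""
    return str(path.relative_to(root)).replace("/", "\\").lower()


def hunt(root: Path) -> list[tuple[str, str]]:
    """Walk `root` (a mounted image or offline copy of a system drive) and return
    (drive-relative path, reason) findings. One file can yield more than one reason."""
    wanted = {p.lower() for p in DROPPED_PATHS}
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = _win_rel(path, root)
        if rel in wanted:
            findings.append((rel, "path matches a file dropped in the report"))
        if path.name.lower() == "lpk.dll" and _win_rel(path.parent, root) not in LPK_LEGIT_DIRS:
            findings.append((rel, "lpk.dll outside System32/SysWOW64 (search-order hijack placement)"))
        if sha256_file(path) in IOC_SHA256:
            findings.append((rel, "SHA256 matches a report IoC"))
    return findings


def build_sample_tree() -> Path:
    """Constructed sample layout (placeholder bytes, no real malware) mirroring the report's drops,
    plus the legitimate System32 copy of lpk.dll and a second, made-up application directory."""
    root = Path(tempfile.mkdtemp())
    files = {
        r"Windows\System32\lpk.dll": b"placeholder for the legitimate lpk.dll",
        r"Windows\SysWOW64\vcflye.exe": b"MZ placeholder for the dropped vcflye.exe",
        r"Program Files\7-Zip\7z.exe": b"MZ placeholder for a benign application",
        r"Program Files\7-Zip\lpk.dll": b"MZ placeholder for the hijack DLL",
        r"Program Files\ExampleApp\lpk.dll": b"MZ placeholder for a hijack DLL in another app dir",
    }
    for rel, data in files.items():
        target = root.joinpath(*rel.split("\\"))
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


if __name__ == "__main__":
    for rel, reason in hunt(build_sample_tree()):
        print(f"{rel}: {reason}")
```

Against the constructed tree the placeholder bytes never match the report hashes, so the SHA256 check returns nothing; the path and lpk.dll placement checks are what fire. On a real image the hash check is the one that survives a renamed or relocated drop.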
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 1128  hrl7946.tmp
  PID 300   vcflye.exe
Suspicious behavior: MapViewOfSection (49 IoCs)
  PID 1128  hrl7946.tmp  (24 events)
  PID 300   vcflye.exe   (25 events)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 1128  hrl7946.tmp
  Token: SeDebugPrivilege  PID 300   vcflye.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 1128  hrl7946.tmp  (2 events)
  PID 300   vcflye.exe   (2 events)
Suspicious use of WriteProcessMemory (64 IoCs)
The list stops at 64 entries (the report's cap), so the last group is cut short. Grouped by source and target, with target images resolved from the Processes section; procid_target is the report's own process index, not a PID:
  source                target                            procid_target  writes
  2020 rundll32.exe     604   rundll32.exe (SysWOW64)     28             7
  604  rundll32.exe     1128  hrl7946.tmp                 29             4
  1128 hrl7946.tmp      368   wininit.exe                 5              7
  1128 hrl7946.tmp      384   csrss.exe                   4              7
  1128 hrl7946.tmp      420   winlogon.exe                3              7
  1128 hrl7946.tmp      472   services.exe                2              7
  1128 hrl7946.tmp      480   lsass.exe                   1              7
  1128 hrl7946.tmp      488   lsm.exe                     8              7
  1128 hrl7946.tmp      576   svchost.exe -k DcomLaunch   26             7
  1128 hrl7946.tmp      656   svchost.exe -k RPCSS        25             4 (truncated)
The first two rows are a parent writing into the child it has just created, which is normal process start-up. The remaining rows are hrl7946.tmp, which has enabled SeDebugPrivilege (see AdjustPrivilegeToken above), writing into every core system process it can open; that is the pattern of cross-process code injection. What it writes is not shown in the report.
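Added example, not part of the report: Python that parses the flattened "wrote to memory of" list above, resolves target PIDs to image names with the table from the Processes section, counts writes per source/target pair, and flags any non-OS image writing into core system processes. The embedded input is an excerpt copied from the report (one entry per pair, plus one repeat so the counting shows); the PROTECTED set and the flagging rule are my choices, not something tria.ge defines.

```python
"""Parse the report's flattened WriteProcessMemory IoC list and flag cross-process writes
into core OS processes (added example, not report content)."""
import re
from collections import defaultdict

# Excerpt copied from the report's "Suspicious use of WriteProcessMemory" list: one entry per
# source/target pair (the report repeats each pair several times), plus one repeat for counting.
WPM_IOCS = (
    "PID 2020 wrote to memory of 604 2020 rundll32.exe 28 "
    "PID 2020 wrote to memory of 604 2020 rundll32.exe 28 "
    "PID 604 wrote to memory of 1128 604 rundll32.exe 29 "
    "PID 1128 wrote to memory of 368 1128 hrl7946.tmp 5 "
    "PID 1128 wrote to memory of 384 1128 hrl7946.tmp 4 "
    "PID 1128 wrote to memory of 420 1128 hrl7946.tmp 3 "
    "PID 1128 wrote to memory of 472 1128 hrl7946.tmp 2 "
    "PID 1128 wrote to memory of 480 1128 hrl7946.tmp 1 "
    "PID 1128 wrote to memory of 488 1128 hrl7946.tmp 8 "
    "PID 1128 wrote to memory of 576 1128 hrl7946.tmp 26 "
    "PID 1128 wrote to memory of 656 1128 hrl7946.tmp 25"
)

# PID -> image, taken from the report's Processes section.
PROCESSES = {
    368: "wininit.exe", 384: "csrss.exe", 420: "winlogon.exe", 472: "services.exe",
    480: "lsass.exe", 488: "lsm.exe", 576: "svchost.exe -k DcomLaunch",
    656: "svchost.exe -k RPCSS", 604: "rundll32.exe", 1128: "hrl7946.tmp",
    2020: "rundll32.exe", 300: "vcflye.exe",
}

# Core OS images nothing outside the OS should write into. My choice of set, not the report's.
PROTECTED = {"wininit.exe", "csrss.exe", "winlogon.exe", "services.exe",
             "lsass.exe", "lsm.exe", "svchost.exe"}

# Entry layout: "PID <src> wrote to memory of <dst> <src> <src image> <procid_target>".
# The source PID is repeated before the image name; the backreference checks that.
ENTRY = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_wpm(text: str) -> list[tuple[int, str, int, int]]:
    """Return (src_pid, src_image, dst_pid, procid_target) tuples from the flattened list.
    procid_target is the report's own process index, not a PID; dst_pid is the real target."""
    return [(int(src), image, int(dst), int(target))
            for src, dst, image, target in ENTRY.findall(text)]


def summarize(events, processes=PROCESSES):
    """Count writes per (src_pid, src_image, dst_pid, dst_image)."""
    counts = defaultdict(int)
    for src, image, dst, _ in events:
        counts[(src, image, dst, processes.get(dst, "<unknown>"))] += 1
    return dict(counts)


def flag_injections(events, processes=PROCESSES, protected=PROTECTED):
    """Map each non-OS source to the protected images it wrote into.
    A parent writing into a child it just spawned (rundll32 -> rundll32, rundll32 -> hrl7946.tmp)
    is normal process start-up; a temp-dir executable writing into lsass/csrss/winlogon is not."""
    hits = defaultdict(set)
    for src, image, dst, _ in events:
        dst_image = processes.get(dst, "")
        dst_base = dst_image.split()[0] if dst_image else ""
        if dst_base in protected and image not in protected:
            hits[(src, image)].add(dst_image)
    return {key: sorted(targets) for key, targets in hits.items()}


if __name__ == "__main__":
    parsed = parse_wpm(WPM_IOCS)
    for (src, image, dst, dst_image), n in summarize(parsed).items():
        print(f"{src} {image} -> {dst} {dst_image}: {n} write(s)")
    for (src, image), targets in flag_injections(parsed).items():
        print(f"ALERT: {src} {image} wrote into {len(targets)} protected processes: {targets}")
```

The same three functions work on the full 64-entry list if it is pasted in verbatim; the regex keys on the repeated source PID, so a stray line break inside the list (as on this page) does not break parsing.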
Processes
Indentation shows parent/child depth as in the report; the signatures listed under a process are the ones it triggered.

PID 480   C:\Windows\system32\lsass.exe
PID 472   C:\Windows\system32\services.exe
  PID 800   C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    PID 1200  "C:\Windows\system32\Dwm.exe"
  PID 1032  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  PID 304   C:\Windows\system32\sppsvc.exe
  PID 1016  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  PID 1112  C:\Windows\system32\taskhost.exe  (command line "taskhost.exe")
  PID 328   C:\Windows\System32\spoolsv.exe
  PID 276   C:\Windows\system32\svchost.exe -k NetworkService
  PID 864   C:\Windows\system32\svchost.exe -k netsvcs
  PID 836   C:\Windows\system32\svchost.exe -k LocalService
  PID 736   C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  PID 656   C:\Windows\system32\svchost.exe -k RPCSS
  PID 576   C:\Windows\system32\svchost.exe -k DcomLaunch
  PID 300   C:\Windows\SysWOW64\vcflye.exe
            Executes dropped EXE; Loads dropped DLL; Enumerates connected drives; Drops file in System32 directory; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
PID 420   C:\Windows\system32\winlogon.exe
PID 384   C:\Windows\system32\csrss.exe  (command line %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16)
PID 368   C:\Windows\system32\wininit.exe
  PID 488   C:\Windows\system32\lsm.exe
PID 1976  C:\Windows\system32\wbem\wmiprvse.exe
PID 1716  \\?\C:\Windows\system32\wbem\WMIADAP.EXE  (command line wmiadap.exe /F /T /R)
PID 1248  C:\Windows\Explorer.EXE
  PID 2020  C:\Windows\system32\rundll32.exe  (command line rundll32.exe C:\Users\Admin\AppData\Local\Temp\81a3eac5452fb3c51b86bd2375d0e806e4e9a2b9ed11fd33c3f15dc12cf32c9b.dll,#1)
            Suspicious use of WriteProcessMemory
    PID 604   C:\Windows\SysWOW64\rundll32.exe  (command line rundll32.exe C:\Users\Admin\AppData\Local\Temp\81a3eac5452fb3c51b86bd2375d0e806e4e9a2b9ed11fd33c3f15dc12cf32c9b.dll,#1)
              Loads dropped DLL; Enumerates connected drives; Suspicious use of WriteProcessMemory
      PID 1128  C:\Users\Admin\AppData\Local\Temp\hrl7946.tmp
                Executes dropped EXE; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

Two things in this tree matter for triage. The 64-bit C:\Windows\system32\rundll32.exe (PID 2020) cannot load a 32-bit DLL, so it relaunches the SysWOW64 copy (PID 604); that second rundll32 is the one that runs export #1 of the sample and launches the dropped hrl7946.tmp from the user's Temp directory, so detection keyed on the first rundll32 alone misses the dropper. And vcflye.exe (PID 300), the copy hrl7946.tmp placed in C:\Windows\SysWOW64, appears as a direct child of services.exe, which is how a process started by the Service Control Manager shows up. The report carries no explicit service-installation signature, so confirm that persistence from the Services registry key on the host rather than from the tree alone.
Network
MITRE ATT&CK Enterprise v6
Downloads
File (58KB); the report lists this entry six times with identical hashes, i.e. the same content
MD5: f38f95243e1761511897c89d8c6dd3ad
SHA1: b2ecf1a101c65c070b79a5ee307da34d937a2bfc
SHA256: 172164eec732a70210edc7c07849fcc193e0849c70e4a9a46a9e66b6579094aa
SHA512: 9a30bce99c7e00b14abf7e2d9aadb1797e65e0c9a9f42dc58d3aae2481b81c70c50aea67c1a46e0494f660327c4c95172c9e18af79d68b8211b9e23d14ca77bf
File (66KB); the submitted sample, same hashes as in General
MD5: 9665fc0bee2f17c2ac783a63231e9e71
SHA1: 069e651a0dab5c96dc8d3cdefc0b186fe24cbe73
SHA256: 81a3eac5452fb3c51b86bd2375d0e806e4e9a2b9ed11fd33c3f15dc12cf32c9b
SHA512: 85f31bb1ed2a7465bc643d487e95931faebbc73374dbaf3c5c136acddbc4efe61b9df230cdfe7b50f9a1f93de62fb9044383167fcc18c67ce916d6a881d24a35