Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

5

Static

static

3

54fdc70453...9b.dll

windows7-x64

5

54fdc70453...9b.dll

windows10-2004-x64

5

Analysis

  • max time kernel
    28s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    05/06/2023, 09:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    54fdc704535a71d1dc5340153ca96f56d2bddd7a2e781bdb368d2abbfe35959b.dll

  • Size

    952KB

  • MD5

    4d8d1c87b2f891c0c3d3b31fc5affc7a

  • SHA1

    25f2740febbd6356125a83b2368cd32e1117c050

  • SHA256

    54fdc704535a71d1dc5340153ca96f56d2bddd7a2e781bdb368d2abbfe35959b

  • SHA512

    288c0fed22caa009481b79cdc7750bc2bda951174b9e2727cf2c1c3b5f1af6db9cb0ed53165e4ded106cea822b42ed7fb4edc949c262bc0ba1d72824da965a64

  • SSDEEP

    12288:dBGcUENeWpQGdDi3MQwPZs5u5KMsplPIEubW/1rCUX7VNCoQ:dBGcdM6QGd23DwPZs5qKrpBC27VNCX

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory 4 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\54fdc704535a71d1dc5340153ca96f56d2bddd7a2e781bdb368d2abbfe35959b.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1292
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\54fdc704535a71d1dc5340153ca96f56d2bddd7a2e781bdb368d2abbfe35959b.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1516
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Windows\SysWOW64\Restart.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1940
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 2
          4⤵
          • Runs ping.exe
          PID:596
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\SysWOW64\rundll32.exe"
          4⤵
            PID:592

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\Restart.bat
      Filesize

      99B

      MD5

      8203f62537cc26e47dc61fce77057cea

      SHA1

      8a8bed2b94ae5c3020e636376a109d4e61b9d264

      SHA256

      790b487c98b16a7b1596ec5077862d7d1fcfc4a156fb867373dbd795e84b651c

      SHA512

      6a59f5680dc0c60e8951e48e2c0ede115e5f333e67a1cd5d7d21f897cde1f6ed108f268f1352b96b15220cb7959e1f44786ec74e26bbebdf8dcee21f8eb8a35c

      Download Submit

    • C:\Windows\SysWOW64\Restart.bat
      Filesize

      99B

      MD5

      8203f62537cc26e47dc61fce77057cea

      SHA1

      8a8bed2b94ae5c3020e636376a109d4e61b9d264

      SHA256

      790b487c98b16a7b1596ec5077862d7d1fcfc4a156fb867373dbd795e84b651c

      SHA512

      6a59f5680dc0c60e8951e48e2c0ede115e5f333e67a1cd5d7d21f897cde1f6ed108f268f1352b96b15220cb7959e1f44786ec74e26bbebdf8dcee21f8eb8a35c

      Download Submit