Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 119s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 02/09/2023, 08:32
Static task: static1
Behavioral task: behavioral1
- Sample: fd8f87b0b7d9a02fc7afe9a0a3dff67a8f0306e241046bdda8ecca1294e400eb.dll
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: fd8f87b0b7d9a02fc7afe9a0a3dff67a8f0306e241046bdda8ecca1294e400eb.dll
- Resource: win10v2004-20230831-en
General
- Target: fd8f87b0b7d9a02fc7afe9a0a3dff67a8f0306e241046bdda8ecca1294e400eb.dll
- Size: 4.5MB
- MD5: 5d537254370fb7f3256524e6e74743d0
- SHA1: e931de448f728bc9910dbb85e91e74e05e7ead0e
- SHA256: fd8f87b0b7d9a02fc7afe9a0a3dff67a8f0306e241046bdda8ecca1294e400eb
- SHA512: c0389f2af34f8f2b95d0c6bfd91e1a53c7e90186c19b15d67571a7cabe76b5a3ddc8cad02ca2354a0d29742fc643b9c90243605ae359ad013dfd486da5beaf15
- SSDEEP: 98304:JAZdwZomsjDGwYYtQddncl5oVb/lbGWRB2A:OQmMYedFcl5oVb/R7B2A
Malware Config
Signatures
- Loads dropped DLL (2 IoCs)
  pid   Process
  1860  rundll32.exe
  1860  rundll32.exe
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description                    ioc                  Process
  File opened for modification   \??\PhysicalDrive0   rundll32.exe
- Drops file in Windows directory (1 IoCs)
  description                    ioc          Process
  File opened for modification   C:\Windows\  rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description                        pid   Process        procid_target
  PID 2996 wrote to memory of 1860   2996  rundll32.exe   28
  PID 2996 wrote to memory of 1860   2996  rundll32.exe   28
  PID 2996 wrote to memory of 1860   2996  rundll32.exe   28
  PID 2996 wrote to memory of 1860   2996  rundll32.exe   28
  PID 2996 wrote to memory of 1860   2996  rundll32.exe   28
  PID 2996 wrote to memory of 1860   2996  rundll32.exe   28
  PID 2996 wrote to memory of 1860   2996  rundll32.exe   28
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fd8f87b0b7d9a02fc7afe9a0a3dff67a8f0306e241046bdda8ecca1294e400eb.dll,#1
  PID: 2996
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child process)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fd8f87b0b7d9a02fc7afe9a0a3dff67a8f0306e241046bdda8ecca1294e400eb.dll,#1
    PID: 1860
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.9MB
  MD5: 7dadf54b11a68b3efd5d19338b960036
  SHA1: 986bd5df5f365c34728095fa655261b055396622
  SHA256: a30676bcfebde05da262ac222e1a4250ca7e8d9ee5958f3d23af0e854f63dd45
  SHA512: 76ae75f6329973c6772e43d16fcc0d4c2739f7f40f62429a98ec0dd91a2bc472e28cb98dc3af74995a81b7f2c493253d7529f67a2ad003a6777ad89998670e20
- Filesize: 1.1MB
  MD5: 6abb7f08afe440d408cfb44d7f3ddc54
  SHA1: 9b37119ad5f575b732f4b1816f9f15ac54f8eb8a
  SHA256: 0e0021d348ba56d3e24d30382a453f95cc609750ea3552cfda37acb53befcdc3
  SHA512: f3d70e5e5f0fbddcdd19f8c058db6f4cefaaa58473e575fb1f9b563334d6505fae79a03c10b6eb1628c8a63766c13c1255939ac40c7d88567aacc28ca6d3c2e2