Analysis
max time kernel: 172s
max time network: 248s
platform: windows10-1703_x64
resource: win10-20231020-en
resource tags: arch:x64, arch:x86, image:win10-20231020-en, locale:en-us, os:windows10-1703-x64, system
submitted: 23/10/2023, 04:59

Static task: static1
Behavioral task: behavioral1
  Sample: daa0d349da57f2cedfaed679cd8a56e938003b26b007c965d74058e8f76b26b2.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: daa0d349da57f2cedfaed679cd8a56e938003b26b007c965d74058e8f76b26b2.exe
  Resource: win10-20231020-en

The platform and resource fields above identify the results on this page as the behavioral2 run (win10-20231020-en, Windows 10 1703 x64); the behavioral1 run of the same sample on win7-20230831-en is not shown here.
General
Target: daa0d349da57f2cedfaed679cd8a56e938003b26b007c965d74058e8f76b26b2.exe
Size: 2.2MB
MD5: 6ef3fe94170197af18ca9acd9c0ad4c5
SHA1: 52d0c285354241cc18425f3edd6c8aa99c82248f
SHA256: daa0d349da57f2cedfaed679cd8a56e938003b26b007c965d74058e8f76b26b2
SHA512: e9b4e63764816948ec659ea135fb960bc8c63625c53f02008a1e4bee071d844599981dd9986d680a6e9713d14f96ac7dde14641521a41a17c6f92cad4d37e42c
SSDEEP: 49152:WfBYI1X33/19NAVCzO8hrblEDVgPTTvSNf37+35:W/9TAVl8hrigPTzSkp
Malware Config
Signatures

Loads dropped DLL (2 IoCs)
  PID   Process
  804   rundll32.exe
  1588  rundll32.exe

Suspicious use of WriteProcessMemory (14 IoCs; identical events collapsed, count in the last column)
  Description                        PID   Process                                                                   procid_target  Events
  PID 1516 wrote to memory of 772    1516  daa0d349da57f2cedfaed679cd8a56e938003b26b007c965d74058e8f76b26b2.exe    70             3
  PID 772 wrote to memory of 1068    772   cmd.exe                                                                   72             3
  PID 1068 wrote to memory of 804    1068  control.exe                                                               73             3
  PID 804 wrote to memory of 3232    804   rundll32.exe                                                              74             2
  PID 3232 wrote to memory of 1588   3232  RunDll32.exe                                                              75             3

Every write listed here goes from a parent into the child it has just spawned (compare the process tree below), which is consistent with ordinary process creation rather than injection into an unrelated process. Read this signature as a record of the spawn chain, not as evidence of code injection on its own.
Processes (tree; nesting depth in brackets)

[1] C:\Users\Admin\AppData\Local\Temp\daa0d349da57f2cedfaed679cd8a56e938003b26b007c965d74058e8f76b26b2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\daa0d349da57f2cedfaed679cd8a56e938003b26b007c965d74058e8f76b26b2.exe"
    PID: 1516
    Signatures: Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c .\DV93~Q.cmd
      PID: 772
      Signatures: Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\control.exe
        Command line: CoNTRol.EXE "C:\Users\Admin\AppData\Local\Temp\7zSCE5E74A7\V.BD"
        PID: 1068
        Signatures: Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\rundll32.exe
          Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7zSCE5E74A7\V.BD"
          PID: 804
          Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\RunDll32.exe
            Command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7zSCE5E74A7\V.BD"
            PID: 3232
            Signatures: Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\rundll32.exe
              Command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\7zSCE5E74A7\V.BD"
              PID: 1588
              Signatures: Loads dropped DLL

Reading the tree: the sample is 32-bit (resource tag arch:x86), so it runs under WOW64 and its children resolve to SysWOW64 even where the command line names system32. It runs a batch file (DV93~Q.cmd) through cmd.exe, which hands a file with a non-.cpl extension (V.BD) inside a 7-Zip SFX-style extraction folder (7zSCE5E74A7) to control.exe. control.exe passes that file to rundll32 via the Shell32.dll export Control_RunDLL; the 32-bit rundll32 relaunches through the 64-bit RunDll32.exe in System32, which in turn spawns a 32-bit rundll32 calling shell32.dll by ordinal #44 on the same file. The "Loads dropped DLL" hits on PIDs 804 and 1588 are the points at which that file is mapped as a Control Panel applet. This is Control Panel proxy execution (ATT&CK T1218.002); the indicators worth keying on are control.exe, or rundll32 with Control_RunDLL or the shell32 ordinal form, where the applet argument has no .cpl extension or lives under a user temp directory. Note the mixed-case CoNTRol.EXE and RunDll32.exe spellings, so any match on image or command-line text must be case-insensitive.
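The chain above (cmd.exe to control.exe to rundll32 with Control_RunDLL, then shell32.dll by ordinal #44, all pointed at a non-.cpl file under AppData\Local\Temp) is what a detection rule should key on. The following is an added example, not part of the tria.ge report or its tooling: a small Python checker that runs over constructed Sysmon-style process-creation records modelled on the tree and reports every control.exe or rundll32 launch whose applet argument is not a .cpl file or sits under a user temp directory, together with the process lineage. The field subset (pid, ppid, image, cmdline), the parent PIDs 1000 and 1200, and the two benign Explorer/timedate.cpl records at the end are assumptions made for the demonstration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Windows command-line tokeniser: quoted runs or bare words (quotes stripped).
TOKEN_RE = re.compile(r'"[^"]*"|\S+')
# Control Panel applets normally live in System32/SysWOW64; a user temp dir is a red flag.
TEMP_RE = re.compile(r'\\AppData\\Local\\Temp\\', re.IGNORECASE)
# Control_RunDLL by export name, or shell32 ordinal #44 as used at depth 6 of the tree;
# whatever follows the entry point is the applet path (possibly quoted).
CONTROL_ENTRY_RE = re.compile(
    r'shell32\.dll"?\s*,\s*(?:Control_RunDLL|#44)\b\s*(?P<rest>.*)$', re.IGNORECASE)


@dataclass
class ProcEvent:          # assumed subset of a Sysmon Event ID 1 record
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    pid: int
    image: str
    reasons: List[str]
    lineage: List[str] = field(default_factory=list)   # root process first


def split_cmdline(cmdline: str) -> List[str]:
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def basename(path: str) -> str:
    # Lower-cased because the tree shows CoNTRol.EXE and RunDll32.exe spellings.
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def applet_reasons(applet: str) -> List[str]:
    reasons = []
    if not applet.lower().endswith('.cpl'):
        reasons.append(f'applet "{basename(applet)}" does not have a .cpl extension')
    if TEMP_RE.search(applet):
        reasons.append('applet loaded from %TEMP%')
    return reasons


def lineage(by_pid: Dict[int, ProcEvent], pid: int) -> List[str]:
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:     # stop at an unknown parent or a PID cycle
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


def inspect_event(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> Optional[Finding]:
    name = basename(ev.image)
    tokens = split_cmdline(ev.cmdline)
    reasons: List[str] = []
    if name == 'control.exe' and len(tokens) > 1:
        reasons = applet_reasons(tokens[1])          # control.exe <applet> [args]
        parent = by_pid.get(ev.ppid)
        if parent and basename(parent.image) == 'cmd.exe':
            reasons.append('control.exe spawned by cmd.exe')
    elif name == 'rundll32.exe':
        m = CONTROL_ENTRY_RE.search(ev.cmdline)
        rest = split_cmdline(m.group('rest')) if m else []
        if rest:                                     # first token after the entry point
            reasons = applet_reasons(rest[0])
    if not reasons:
        return None
    return Finding(ev.pid, name, reasons, lineage(by_pid, ev.pid))


def detect(events: List[ProcEvent]) -> List[Finding]:
    by_pid = {e.pid: e for e in events}
    return [f for f in (inspect_event(e, by_pid) for e in events) if f]


# Constructed records modelled on the tree above. Parent PIDs 1000/1200 and the two
# Explorer-style timedate.cpl launches at the end are made up as benign controls.
SAMPLE = r'C:\Users\Admin\AppData\Local\Temp\daa0d349da57f2cedfaed679cd8a56e938003b26b007c965d74058e8f76b26b2.exe'
APPLET = r'C:\Users\Admin\AppData\Local\Temp\7zSCE5E74A7\V.BD'
EVENTS = [
    ProcEvent(1516, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(772, 1516, r'C:\Windows\SysWOW64\cmd.exe', r'C:\Windows\system32\cmd.exe /c .\DV93~Q.cmd'),
    ProcEvent(1068, 772, r'C:\Windows\SysWOW64\control.exe', f'CoNTRol.EXE "{APPLET}"'),
    ProcEvent(804, 1068, r'C:\Windows\SysWOW64\rundll32.exe',
              f'"C:\\Windows\\system32\\rundll32.exe" Shell32.dll,Control_RunDLL "{APPLET}"'),
    ProcEvent(3232, 804, r'C:\Windows\system32\RunDll32.exe',
              f'C:\\Windows\\system32\\RunDll32.exe Shell32.dll,Control_RunDLL "{APPLET}"'),
    ProcEvent(1588, 3232, r'C:\Windows\SysWOW64\rundll32.exe',
              f'"C:\\Windows\\SysWOW64\\rundll32.exe" "C:\\Windows\\SysWOW64\\shell32.dll",#44 "{APPLET}"'),
    ProcEvent(2000, 1200, r'C:\Windows\System32\control.exe',
              r'"C:\Windows\System32\control.exe" "C:\Windows\System32\timedate.cpl"'),
    ProcEvent(2001, 2000, r'C:\Windows\System32\rundll32.exe',
              r'"C:\Windows\System32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\System32\timedate.cpl"'),
]

if __name__ == '__main__':
    for f in detect(EVENTS):
        print(f'PID {f.pid} {f.image}: {"; ".join(f.reasons)}')
        print('   lineage:', ' -> '.join(f.lineage))
```

Run as a script it reports PIDs 1068, 804, 3232 and 1588 and stays silent on the two timedate.cpl launches, because the rundll32 rule only fires when the applet argument is not a .cpl or comes from a temp directory. Against real telemetry, feed it Sysmon Event ID 1 fields (ProcessId, ParentProcessId, Image, CommandLine) and keep the matching case-insensitive; the mixed-case spellings in this report are exactly the kind of thing a case-sensitive string match would miss.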
Network
MITRE ATT&CK Matrix
Downloads (files written during the run)

File 1
  Filesize: 28B
  MD5: a538c6aa3704d576f6f7a8871071384d
  SHA1: 7d7780f9e4c6cf8ec72257e65c07048f4a468a21
  SHA256: 72fb33fad81cbda9d343cc52bc1141dd45617d5e262ba1dc6350e28b51787b21
  SHA512: a9893236a0f852e073c661dafdae03237b927929342ce8138064d1eda9081f7bbcdb9055641db0003983d7ecb3d8ac134db31b2812b465506476fabba4bc319f

File 2 (listed three times in the report with identical hashes; file paths were not preserved)
  Filesize: 2.1MB
  MD5: 2b27dc303d7fc40b6d61e3660c71ee19
  SHA1: 12f1dac05a03c41ff0bc1ea6e5485d77050414fa
  SHA256: 43c2b74ad3980ab7756202be62f988203583a4bd4c70f132aca85c12152933b9
  SHA512: 2b0e4f6d892b48b347d315ffd0bed9fa3ba7093c8170e451e12bce4a016096bdffb42a506b50d9dbfdc8bd8e356d0b944c995b1a20a5353454e15c3911b8e8a9