Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    139s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    02/11/2023, 03:35

General

  • Target

    ebcd66cb4c54e23846bbe502a05564dfc71f6e412faeadc52a092c73eb7deb2f.dll

  • Size

    82KB

  • MD5

    e3571a16f67482e4614ea047b9d7f1e7

  • SHA1

    27692eafcf957721e1935f52d23e4a92ff3ebc92

  • SHA256

    ebcd66cb4c54e23846bbe502a05564dfc71f6e412faeadc52a092c73eb7deb2f

  • SHA512

    24d0c47e6e5784e5652d37c8f51d7cf2b6f912a626db18ed20dc004f9d4fe8bb8ee538ae66ea9c84a7e87b03668b36b14deeff7972af7e3876b1b7b3ce7f5370

  • SSDEEP

    1536:v/aSQsL7NNm1eHeYFKi0BYyFkKp/qUOJ7WSTCsWzD2cdbwpWkr7ePpms:9QqG1geYF56FkBq8gD3bOWkraPpm

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://101.34.222.38:8081/JsFY

Attributes
  • headers User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; BOIE9;ENUS)

Extracted

Family

cobaltstrike

Botnet

391144938

C2

http://101.34.222.38:8081/load

Attributes
  • access_type

    512

  • host

    101.34.222.38,/load

  • http_header1

    AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • polling_time

    60000

  • port_number

    8081

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3NwQWsqvq+XSFe/EjAzMJhY8xqwi14YBYjK+/ja1RTMe1mfTBtCoTyS8zstORfS172w4dWmA+KR7xxEqz1J0ZtIXjGjWtRlQiCIIqPHPAu0mbPckYHwu1xJkKqEaH9XqA5t5ZWgK93jZzFZkNLu7BKusiC9xxspe/QhRY4BvuZQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /submit.php

  • user_agent

    Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0)

  • watermark

    391144938

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Blocklisted process makes network request 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ebcd66cb4c54e23846bbe502a05564dfc71f6e412faeadc52a092c73eb7deb2f.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1172
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\ebcd66cb4c54e23846bbe502a05564dfc71f6e412faeadc52a092c73eb7deb2f.dll,#1
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1220
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe
        3⤵
        • Blocklisted process makes network request
        PID:2036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2036-0-0x00000000000D0000-0x00000000000D1000-memory.dmp

    Filesize

    4KB

  • memory/2036-1-0x00000000000D0000-0x00000000000D1000-memory.dmp

    Filesize

    4KB

  • memory/2036-2-0x00000000028B0000-0x0000000002CB0000-memory.dmp

    Filesize

    4.0MB

  • memory/2036-3-0x00000000004D0000-0x0000000000511000-memory.dmp

    Filesize

    260KB

  • memory/2036-4-0x00000000002D0000-0x00000000002D2000-memory.dmp

    Filesize

    8KB