Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
139s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
02/11/2023, 03:35
Static task
static1
Behavioral task
behavioral1
Sample
ebcd66cb4c54e23846bbe502a05564dfc71f6e412faeadc52a092c73eb7deb2f.dll
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
ebcd66cb4c54e23846bbe502a05564dfc71f6e412faeadc52a092c73eb7deb2f.dll
Resource
win10v2004-20231023-en
General
-
Target
ebcd66cb4c54e23846bbe502a05564dfc71f6e412faeadc52a092c73eb7deb2f.dll
-
Size
82KB
-
MD5
e3571a16f67482e4614ea047b9d7f1e7
-
SHA1
27692eafcf957721e1935f52d23e4a92ff3ebc92
-
SHA256
ebcd66cb4c54e23846bbe502a05564dfc71f6e412faeadc52a092c73eb7deb2f
-
SHA512
24d0c47e6e5784e5652d37c8f51d7cf2b6f912a626db18ed20dc004f9d4fe8bb8ee538ae66ea9c84a7e87b03668b36b14deeff7972af7e3876b1b7b3ce7f5370
-
SSDEEP
1536:v/aSQsL7NNm1eHeYFKi0BYyFkKp/qUOJ7WSTCsWzD2cdbwpWkr7ePpms:9QqG1geYF56FkBq8gD3bOWkraPpm
Malware Config
Extracted
metasploit
windows/download_exec
http://101.34.222.38:8081/JsFY
- headers User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; BOIE9;ENUS)
Extracted
cobaltstrike
391144938
http://101.34.222.38:8081/load
-
access_type
512
-
host
101.34.222.38,/load
-
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
polling_time
60000
-
port_number
8081
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3NwQWsqvq+XSFe/EjAzMJhY8xqwi14YBYjK+/ja1RTMe1mfTBtCoTyS8zstORfS172w4dWmA+KR7xxEqz1J0ZtIXjGjWtRlQiCIIqPHPAu0mbPckYHwu1xJkKqEaH9XqA5t5ZWgK93jZzFZkNLu7BKusiC9xxspe/QhRY4BvuZQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/submit.php
-
user_agent
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0)
-
watermark
391144938
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Blocklisted process makes network request 4 IoCs
flow pid Process 3 2036 rundll32.exe 5 2036 rundll32.exe 6 2036 rundll32.exe 7 2036 rundll32.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1220 set thread context of 2036 1220 rundll32.exe 29 -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 1172 wrote to memory of 1220 1172 rundll32.exe 28 PID 1172 wrote to memory of 1220 1172 rundll32.exe 28 PID 1172 wrote to memory of 1220 1172 rundll32.exe 28 PID 1172 wrote to memory of 1220 1172 rundll32.exe 28 PID 1172 wrote to memory of 1220 1172 rundll32.exe 28 PID 1172 wrote to memory of 1220 1172 rundll32.exe 28 PID 1172 wrote to memory of 1220 1172 rundll32.exe 28 PID 1220 wrote to memory of 2036 1220 rundll32.exe 29 PID 1220 wrote to memory of 2036 1220 rundll32.exe 29 PID 1220 wrote to memory of 2036 1220 rundll32.exe 29 PID 1220 wrote to memory of 2036 1220 rundll32.exe 29 PID 1220 wrote to memory of 2036 1220 rundll32.exe 29 PID 1220 wrote to memory of 2036 1220 rundll32.exe 29 PID 1220 wrote to memory of 2036 1220 rundll32.exe 29 PID 1220 wrote to memory of 2036 1220 rundll32.exe 29
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ebcd66cb4c54e23846bbe502a05564dfc71f6e412faeadc52a092c73eb7deb2f.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ebcd66cb4c54e23846bbe502a05564dfc71f6e412faeadc52a092c73eb7deb2f.dll,#12⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1220 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe3⤵
- Blocklisted process makes network request
PID:2036
-
-