Resubmissions
Date               Analysis ID         Score
08/12/2023, 11:29  231208-nlsgwsbd65   10
08/12/2023, 11:20  231208-nfveasbc54   10
31/10/2020, 11:20  201031-z3tgqqzt76   10

Analysis
max time kernel:  1074s
max time network: 1076s
platform:         windows7_x64
resource:         win7-20231020-en
resource tags:    arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted:        08/12/2023, 11:29
Static task:     static1
Behavioral task: behavioral1
  Sample:   spam20.dll
  Resource: win7-20231020-en
General
Target: spam20.dll
Size:   358KB
MD5:    6501006a6d47bc73976db9f3385c3c46
SHA1:   53082a7fa62dc4fe54586df6a6e481fe8beca1aa
SHA256: c55e3938e9c2c9d00235d8ed87a55adc18fa1c6377a9ee0fd6212916c67d0020
SHA512: df63e60f12d153e16b78464162dbd5d052192a1e09814eb91e21d28256a652ae04eb7ccdaf4022c95c9779edfbe15df7a708717a1c247cfe2d16e8d9f911bf0c
SSDEEP: 6144:091kAIgU+wK4UrePimd2jGZFakdU8fLx1tK7IwyBfb7T0Y:090gUQe6dUFHU8pi6xb7T
Malware Config
Extracted
Family: zloader
crypto1
crypto
build_id: 110
Signatures

Suspicious use of SetThreadContext (1 IoCs)
  description                          pid   Process       procid_target
  PID 1112 set thread context of 2680  1112  rundll32.exe  31

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                 pid   Process
  Token: SeSecurityPrivilege  2680  msiexec.exe
  Token: SeSecurityPrivilege  2680  msiexec.exe

Suspicious use of WriteProcessMemory (16 IoCs)
  description                       pid   Process       procid_target
  PID 2016 wrote to memory of 1112  2016  rundll32.exe  28   (7 identical entries)
  PID 1112 wrote to memory of 2680  1112  rundll32.exe  31   (9 identical entries)
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\spam20.dll,#1
  PID: 2016
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\spam20.dll,#1
    PID: 1112
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\msiexec.exe
      command line: msiexec.exe
      PID: 2680
      - Suspicious use of AdjustPrivilegeToken