Analysis
max time kernel: 120s
max time network: 124s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 24/12/2023, 08:22
Static task: static1
Behavioral task: behavioral1
  Sample: 5b071f9ef45cabd0294a31549339dd55.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 5b071f9ef45cabd0294a31549339dd55.exe
  Resource: win10v2004-20231215-en
General
Target: 5b071f9ef45cabd0294a31549339dd55.exe
Size: 2.2MB
MD5: 5b071f9ef45cabd0294a31549339dd55
SHA1: f9fda92882daaec185b79b05fd840e1525fddab9
SHA256: 8be250e4e06d0d1d6e51cc2675f4c3639fa52fbc594099df3c0e98635d299188
SHA512: 2afa20c6f5e2179cdb39fa88b55f8637898387c3294d79718f76af85aee2129b46e9d10f230931cd3da9cb7d4719a3df48ec42bffecee9d80ef1becfa1b2ad55
SSDEEP: 49152:ufbjKpwf1OdBT+103W8dlcK8999tgstw7ruaLUeu9UdL7:9UOfu03ffcK87IP7ruHN90
Malware Config
Signatures
- Loads dropped DLL (8 IoCs)
  pid   Process
  2700  rundll32.exe
  2700  rundll32.exe
  2700  rundll32.exe
  2700  rundll32.exe
  2464  rundll32.exe
  2464  rundll32.exe
  2464  rundll32.exe
  2464  rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (22 IoCs)
  description                       pid   Process                                procid_target
  PID 2140 wrote to memory of 2772  2140  5b071f9ef45cabd0294a31549339dd55.exe   28
  PID 2140 wrote to memory of 2772  2140  5b071f9ef45cabd0294a31549339dd55.exe   28
  PID 2140 wrote to memory of 2772  2140  5b071f9ef45cabd0294a31549339dd55.exe   28
  PID 2140 wrote to memory of 2772  2140  5b071f9ef45cabd0294a31549339dd55.exe   28
  PID 2772 wrote to memory of 2700  2772  control.exe                            29
  PID 2772 wrote to memory of 2700  2772  control.exe                            29
  PID 2772 wrote to memory of 2700  2772  control.exe                            29
  PID 2772 wrote to memory of 2700  2772  control.exe                            29
  PID 2772 wrote to memory of 2700  2772  control.exe                            29
  PID 2772 wrote to memory of 2700  2772  control.exe                            29
  PID 2772 wrote to memory of 2700  2772  control.exe                            29
  PID 2700 wrote to memory of 1240  2700  rundll32.exe                           30
  PID 2700 wrote to memory of 1240  2700  rundll32.exe                           30
  PID 2700 wrote to memory of 1240  2700  rundll32.exe                           30
  PID 2700 wrote to memory of 1240  2700  rundll32.exe                           30
  PID 1240 wrote to memory of 2464  1240  RunDll32.exe                           32
  PID 1240 wrote to memory of 2464  1240  RunDll32.exe                           32
  PID 1240 wrote to memory of 2464  1240  RunDll32.exe                           32
  PID 1240 wrote to memory of 2464  1240  RunDll32.exe                           32
  PID 1240 wrote to memory of 2464  1240  RunDll32.exe                           32
  PID 1240 wrote to memory of 2464  1240  RunDll32.exe                           32
  PID 1240 wrote to memory of 2464  1240  RunDll32.exe                           32
Processes
1. C:\Users\Admin\AppData\Local\Temp\5b071f9ef45cabd0294a31549339dd55.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5b071f9ef45cabd0294a31549339dd55.exe"
   PID: 2140
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\control.exe
      Command line: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\7zSC58DD576\2.Cpl",
      PID: 2772
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\rundll32.exe
         Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7zSC58DD576\2.Cpl",
         PID: 2700
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\RunDll32.exe
            Command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7zSC58DD576\2.Cpl",
            PID: 1240
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\rundll32.exe
               Command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\7zSC58DD576\2.Cpl",
               PID: 2464
               - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.1MB
  MD5: 0b3a02cb25e6fc8efd73337e64211da3
  SHA1: 95270c02e43833898abb6726ef849acb7a795376
  SHA256: ebe18a6cf799adcc905b28cb725a7f19049a5e3ea9601ced01caea8b2be50eda
  SHA512: 2a17e9beaa7d7d0d8e4ca6c83bd10937bd93d56e152758f8d41b4774fc92f0b8f8a2970df65e64dcf544dc3e46db23c9c5e4415492794646fa0392900f7bb676