Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 24/12/2023, 16:03
Static task
- static1

Behavioral task
- behavioral1
  Sample: 04cc43bb4a21ce1e4970fece41622730.dll
  Resource: win7-20231215-en

Behavioral task
- behavioral2
  Sample: 04cc43bb4a21ce1e4970fece41622730.dll
  Resource: win10v2004-20231215-en
General
- Target: 04cc43bb4a21ce1e4970fece41622730.dll
- Size: 237KB
- MD5: 04cc43bb4a21ce1e4970fece41622730
- SHA1: 534665a7767056ff2c476165fa04afcee8c074c5
- SHA256: e56b4bd66250725d8eec4a1e2953acb46cdd30c3ba3ad159079f6980554294a0
- SHA512: d5d006bbadbbe6b9714d205fd16acd74970102e1e1233af42fdb0ddd4abffa40998a91a1056d56888d1d11ae41c411b7f2cbf5c0528f92c5ac20c2100ba98d2f
- SSDEEP: 1536:v62JJyFkQk+oE0XCTsT2xGaPsK/shfHOAP38fgkFRd5vIrfG8GRwk/p:v62HJE0XIGaT/scK32RXvISwkB
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\hucvopeug = "{5023890c-d8ab-2df0-e9bc-d8ab0184047f}" | rundll32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | rundll32.exe

- Loads dropped DLL (2 IoCs)
  pid | Process
  2692 | rundll32.exe
  2692 | rundll32.exe

- Drops file in System32 directory (4 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\uhpibcrht.dll | rundll32.exe
  File created | C:\Windows\SysWOW64\gtbunodtf.dll | rundll32.exe
  File created | C:\Windows\SysWOW64\cpxqjkzpb.dll | rundll32.exe
  File created | C:\Windows\SysWOW64\uhpibcrht.dll | rundll32.exe

- Modifies registry class (5 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5023890c-d8ab-2df0-e9bc-d8ab0184047f} | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5023890c-d8ab-2df0-e9bc-d8ab0184047f}\ | rundll32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5023890c-d8ab-2df0-e9bc-d8ab0184047f}\InprocServer32 | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5023890c-d8ab-2df0-e9bc-d8ab0184047f}\InprocServer32\ = "C:\\Windows\\SysWow64\\cpxqjkzpb.dll" | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5023890c-d8ab-2df0-e9bc-d8ab0184047f}\InprocServer32\ThreadingModel = "Apartment" | rundll32.exe

- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  2692 | rundll32.exe

- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 2084 wrote to memory of 2692 | 2084 | rundll32.exe | 17
  PID 2084 wrote to memory of 2692 | 2084 | rundll32.exe | 17
  PID 2084 wrote to memory of 2692 | 2084 | rundll32.exe | 17
  PID 2084 wrote to memory of 2692 | 2084 | rundll32.exe | 17
  PID 2084 wrote to memory of 2692 | 2084 | rundll32.exe | 17
  PID 2084 wrote to memory of 2692 | 2084 | rundll32.exe | 17
  PID 2084 wrote to memory of 2692 | 2084 | rundll32.exe | 17
Processes
- 1. C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\04cc43bb4a21ce1e4970fece41622730.dll,#1
  PID: 2084
  - Suspicious use of WriteProcessMemory

  - 2. C:\Windows\SysWOW64\rundll32.exe (child of PID 2084)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\04cc43bb4a21ce1e4970fece41622730.dll,#1
    PID: 2692
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 245KB
  MD5: 5e3e2561c0198c8658b5a0d1b2ae8fd3
  SHA1: a488b546babe221864f25d655e3a0fd1d90f4dcc
  SHA256: b20193b5695a6395ed55b1f84757e8b972635963185cf28fe6a063acdf3df3a1
  SHA512: 242b50d680738cd8c78c1022722e0d6afb83e0309fb76a20972fc0433e5ada1eb454c17a6a347ca3a6fe80c6a0f4f812fc95520dac81c0cb8342eed5db6a71f7

- Filesize: 231KB
  MD5: 8cc6c9908be7863e29511654a08c87ed
  SHA1: 3e655a8a8d46f699e465ab7c04f93024bbf591c6
  SHA256: 0f5890f2ccf8bba7293c21b69809822f6b210289b9719b0be7eccbe4cc3c44c3
  SHA512: 0d6a35981d2deaf7b8550e46390a2e8264d362b86029fd4c5d123960a16d0a3ea9923a91657b9a327e8dbb6fb818247a1f2ac538716c3d4d9ad0b68bd234bf76