Analysis
max time kernel: 119s
max time network: 124s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25/12/2023, 19:37
Behavioral tasks
behavioral1: sample bnbz.tk/bnbz.tk.url, resource win7-20231215-en
behavioral2: sample bnbz.tk/bnbz.tk.url, resource win10v2004-20231215-en
behavioral3: sample bnbz.tk/xtw.dll, resource win7-20231215-en
behavioral4: sample bnbz.tk/xtw.dll, resource win10v2004-20231215-en
behavioral5: sample bnbz.tk/xtw.exe, resource win7-20231215-en
behavioral6: sample bnbz.tk/xtw.exe, resource win10v2004-20231215-en
behavioral7: sample bnbz.tk/xtw.dll, resource win7-20231215-en
behavioral8: sample bnbz.tk/xtw.dll, resource win10v2004-20231215-en
General
Target: bnbz.tk/xtw.dll
Size: 708KB
MD5: ee581add0d7464a5b4669370dc3b6c05
SHA1: b6f14f6f80ef64b214f6058763957fbd8179a739
SHA256: 031ea8eef77d78b8ac2a2c0c9a145ddbf7d5b80bce745f330cd0df2bb5ba9a23
SHA512: ea2753f10838e93cb42cc61da1ab3a9676cd240ccc7ceaaa1b69dd1a284a78790a9bf6736707b69cb5287998226f4f4df1dbcf97752674584a783289d7828f84
SSDEEP: 12288:dIOVtmdEa4678+sGUf0TIU745cDgZ2ohuvbmtEvUmrAujZ35PM+XCJ5:+O/Jw78+j45cDgtAvSivJrLjZ31M+
Malware Config
Signatures

VMProtect packed file (yara rule: vmprotect), 5 IoCs
  behavioral3/memory/2916-0-0x0000000010000000-0x00000000101BA000-memory.dmp
  behavioral3/memory/2916-1-0x0000000010000000-0x00000000101BA000-memory.dmp
  behavioral3/memory/2916-2-0x0000000010000000-0x00000000101BA000-memory.dmp
  behavioral3/memory/2916-3-0x0000000010000000-0x00000000101BA000-memory.dmp
  behavioral3/memory/2916-4-0x0000000010000000-0x00000000101BA000-memory.dmp

Suspicious use of NtSetInformationThreadHideFromDebugger, 1 IoC
  pid 2916, process rundll32.exe

Suspicious behavior: EnumeratesProcesses, 2 IoCs
  pid 2916, process rundll32.exe
  pid 2916, process rundll32.exe

Suspicious use of AdjustPrivilegeToken, 1 IoC
  Token: SeDebugPrivilege, pid 2916, process rundll32.exe

Suspicious use of WriteProcessMemory, 7 IoCs
  PID 3048 wrote to memory of 2916; process 3048 rundll32.exe, procid_target 28 (the same entry is recorded 7 times)
Processes

1. C:\Windows\system32\rundll32.exe (PID 3048)
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\bnbz.tk\xtw.dll,#1
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (PID 2916), child of PID 3048
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\bnbz.tk\xtw.dll,#1
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken