Analysis
- max time kernel: 121s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 29/12/2023, 18:37
Static task: static1
Behavioral task: behavioral1
- Sample: 00b17447be34416e2e8566169d920e89.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 00b17447be34416e2e8566169d920e89.exe
- Resource: win10v2004-20231215-en
General
- Target: 00b17447be34416e2e8566169d920e89.exe
- Size: 46KB
- MD5: 00b17447be34416e2e8566169d920e89
- SHA1: 0f6719653fbb56fc0f0b013bc76bd49374b10ec9
- SHA256: 2999a8e24b20f86c319d5f09556f1bd87d246f4f0bc892695d42b54ed4e9344e
- SHA512: 1ca5af1a64d65ea4341511ce7e4fc34244e30d7a37d0b20928cf0f63f30612663bb78532f163ceedeb4e05b0d9bbb787257fbd7be4e4d07f2b0a3ce7b48a4c67
- SSDEEP: 768:nKUoMx/jQVq0ZLYEzct1kOjTM6f4h6ThrnKBuu9cTbeRC7VXoajHOKXWXuO9afmh:KwrQLZLUTkOX9f4kdTKEJ3eRGXPjHtmh
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  PID 1820, process rundll23.exe
- Loads dropped DLL (2 IoCs)
  PID 2456, process 00b17447be34416e2e8566169d920e89.exe (2 hits)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\rundll23.exe", by process 00b17447be34416e2e8566169d920e89.exe
- Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\SysWOW64\rundll23.exe, by process 00b17447be34416e2e8566169d920e89.exe
  File opened for modification: C:\Windows\SysWOW64\rundll23.exe, by process 00b17447be34416e2e8566169d920e89.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  PID 2456, process 00b17447be34416e2e8566169d920e89.exe (5 hits)
- Suspicious use of UnmapMainImage (2 IoCs)
  PID 1820, process rundll23.exe
  PID 2456, process 00b17447be34416e2e8566169d920e89.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2456 (00b17447be34416e2e8566169d920e89.exe) wrote to memory of PID 1820, procid_target 17 (4 hits)
Processes
- C:\Users\Admin\AppData\Local\Temp\00b17447be34416e2e8566169d920e89.exe (PID 2456, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\00b17447be34416e2e8566169d920e89.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll23.exe (PID 1820, level 2, child of PID 2456)
    Command line: C:\Windows\system32\rundll23.exe
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
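The Run value and the dropped file above do not name the same directory: the registry string says C:\Windows\system32\rundll23.exe, while the file was created in C:\Windows\SysWOW64 and the child process also runs from SysWOW64 although its command line says system32. That is WOW64 file system redirection at work: the dropper is a 32-bit process on a 64-bit image, so its writes to system32 land in SysWOW64 and its Run key lands under Wow6432Node. A hunt that only searches the disk for the literal registry string misses the file, and one that only lists SysWOW64 misses the registry value. The Python below is an added example written for this page, not tria.ge output or code from the sample: it resolves each Run value the way the writing process would have and correlates it with file-create and process-start records. The Event schema, the event list (modelled on the rows above, reusing PIDs 2456 and 1820 from the report) and the benign "ExampleUpdater" entry are constructed for the example.

```python
from dataclasses import dataclass, field

# Indicators copied from the report above.
SAMPLE_MD5 = "00b17447be34416e2e8566169d920e89"
SAMPLE_SHA256 = "2999a8e24b20f86c319d5f09556f1bd87d246f4f0bc892695d42b54ed4e9344e"
RUN_KEY_WOW64 = r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"
RUN_KEY_NATIVE = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

SYSTEM_ROOT = r"C:\Windows"


def wow64_redirect(path: str, arch32: bool) -> str:
    """Return the on-disk path a file operation on `path` actually touches.

    WOW64 file system redirection maps the system32 directory to SysWOW64
    for 32-bit processes only; 64-bit callers see the real system32.
    The prefix comparison is case-insensitive, as NTFS paths are.
    """
    prefix = SYSTEM_ROOT + "\\system32\\"
    if arch32 and path.lower().startswith(prefix.lower()):
        return SYSTEM_ROOT + "\\SysWOW64\\" + path[len(prefix):]
    return path


@dataclass
class Event:
    # Constructed schema for this example, not a sandbox or Sysmon format.
    kind: str            # "file_create", "reg_set" or "proc_create"
    pid: int             # acting process
    arch32: bool         # True if the acting process is 32-bit (WOW64)
    data: dict = field(default_factory=dict)


def correlate_persistence(events):
    """For every Run-key value written, resolve the executable path the way
    the writing process would have, then report whether the same process
    dropped a file there and which processes were started from it."""
    created = {}     # lower-cased on-disk path -> set of creating PIDs
    started = {}     # lower-cased image path -> PIDs started from that image
    for e in events:
        if e.kind == "file_create":
            created.setdefault(e.data["path"].lower(), set()).add(e.pid)
        elif e.kind == "proc_create":
            started.setdefault(e.data["image"].lower(), []).append(e.pid)

    findings = []
    for e in events:
        if e.kind != "reg_set":
            continue
        if e.data["key"].lower() not in (RUN_KEY_WOW64.lower(), RUN_KEY_NATIVE.lower()):
            continue
        run_data = e.data["data"].strip('"')
        resolved = wow64_redirect(run_data, e.arch32)
        findings.append({
            "writer_pid": e.pid,
            "value_name": e.data["name"],
            "run_data": run_data,
            "resolved_path": resolved,
            # True when the stored string names system32 but the file sits in SysWOW64
            "redirected": resolved.lower() != run_data.lower(),
            "dropped_by_writer": e.pid in created.get(resolved.lower(), set()),
            "executed_pids": started.get(resolved.lower(), []),
        })
    return findings


# Constructed events modelled on the report's signature rows (not sandbox output).
SAMPLE_EVENTS = [
    Event("file_create", 2456, True, {"path": r"C:\Windows\SysWOW64\rundll23.exe"}),
    Event("reg_set", 2456, True, {"key": RUN_KEY_WOW64, "name": "service32",
                                  "data": r"C:\Windows\system32\rundll23.exe"}),
    Event("proc_create", 1820, True, {"image": r"C:\Windows\SysWOW64\rundll23.exe",
                                      "parent_pid": 2456}),
    # Hypothetical benign 64-bit Run entry that nothing dropped: listed, not flagged.
    Event("reg_set", 900, False, {"key": RUN_KEY_NATIVE, "name": "ExampleUpdater",
                                  "data": r"C:\Program Files\Example\updater.exe"}),
]


if __name__ == "__main__":
    for f in correlate_persistence(SAMPLE_EVENTS):
        flag = "SUSPICIOUS" if f["dropped_by_writer"] else "ok"
        print(f"{flag:10} {f['value_name']} -> {f['resolved_path']} "
              f"(redirected={f['redirected']}, started PIDs={f['executed_pids']})")
```

Run against the constructed events, the service32 entry resolves to C:\Windows\SysWOW64\rundll23.exe, is marked as dropped by the same PID that wrote the Run value, and is linked to the child PID 1820; the benign entry is listed without either flag. Feeding real telemetry in means mapping your source's registry-set, file-create and process-create records onto the Event fields, including the writer's bitness, which is what makes the redirection step correct.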
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 46KB
- MD5: 00b17447be34416e2e8566169d920e89
- SHA1: 0f6719653fbb56fc0f0b013bc76bd49374b10ec9
- SHA256: 2999a8e24b20f86c319d5f09556f1bd87d246f4f0bc892695d42b54ed4e9344e
- SHA512: 1ca5af1a64d65ea4341511ce7e4fc34244e30d7a37d0b20928cf0f63f30612663bb78532f163ceedeb4e05b0d9bbb787257fbd7be4e4d07f2b0a3ce7b48a4c67