Analysis
max time kernel: 122s
max time network: 136s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2023, 22:01
Static task: static1
Behavioral task: behavioral1
Sample: 1ddec479b1a7579fc52c734510473aa3.dll
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: 1ddec479b1a7579fc52c734510473aa3.dll
Resource: win10v2004-20231222-en
General
Target: 1ddec479b1a7579fc52c734510473aa3.dll
Size: 137KB
MD5: 1ddec479b1a7579fc52c734510473aa3
SHA1: 960b1b4292c2a73fbe3c04a1ff938ffd76981620
SHA256: 087153ed5bb9bb9807e37a8fd745a16a634497a842896f232ab4cfb54197ba00
SHA512: 02c67f543a9ec456679e5fa30f9a2ea453bed95393d96de5f409605626cf9d968b50ad27151fb925253029d20a43507020bc6adf20b2ae037471ea2fe46177de
SSDEEP: 3072:wUJ9sXDS+LpeJ+zbCWS6FFswY0uYGpCM:ZsXDNBzbC76FFsjE
Malware Config
Extracted
cobaltstrike
http://162.244.80.46:80/components/mt.ico
user_agent: Host: loikdo.com Connection: close Accept-Encoding: br User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0
Signatures
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 2740 wrote to memory of 2376 | 2740 | regsvr32.exe | 27
PID 2740 wrote to memory of 2376 | 2740 | regsvr32.exe | 27
PID 2740 wrote to memory of 2376 | 2740 | regsvr32.exe | 27
Processes
C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1ddec479b1a7579fc52c734510473aa3.dll
  Suspicious use of WriteProcessMemory
  PID: 2740
    C:\Windows\system32\cmd.exe
      cmd.exe /c echo FAOqxPwqZlkwNsCeERGZufOugRshkCoFLY>"C:\Users\Admin\AppData\Local\Temp\DEM8B8D.tmp"&exit
      PID: 2376
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 36B
MD5: 07624cd821003a28a77adcb159242c3e
SHA1: c1226a35672387b6c82335efcbf6b7c44737f1d8
SHA256: 78453f7d45b69b7be3fa921c36f6098fdfd36429aa279aca32504bbdf33ddbdb
SHA512: 1fb7317b8c26ef0b0b105fc9a84597bed74cfbc3e9e3a0632c93ab0627f03fe52431b9ed45c08812b7c485081a5882550e557a503c4e126d32c8adde375f4464