Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 118s
max time network: 132s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2023, 04:26
Static task: static1
Behavioral task: behavioral1
  Sample: 0e6d9b5e4df3607811a555d4fafa2768.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 0e6d9b5e4df3607811a555d4fafa2768.exe
  Resource: win10v2004-20231215-en
General
Target: 0e6d9b5e4df3607811a555d4fafa2768.exe
Size: 64KB
MD5: 0e6d9b5e4df3607811a555d4fafa2768
SHA1: d09b3bac7d74843b746099a040ad7ebebd6444f4
SHA256: da2c871c43c9170d90191f4b952d2dfb0d2def9aabe8d4792b10c0f1dad1327d
SHA512: 7a64ed610ca5d78fee218d72edc46d28e168fd2b635e972036ad821f3a10e9d402572ee133e2d752144d2791c5db8a5387e11d465acaa8b34edea75a3ebf98d6
SSDEEP: 1536:5FpJ5FRZYNf2eUAkrilPFI+bgfaSJzc1wVAoqbJ8QqdM:5FpJVZ42fANlPFIagZJQ1wqXbJ8bM
Malware Config
Signatures
Modifies AppInit DLL entries (2 TTPs)
Loads dropped DLL (1 IoC)
  pid: 2500  Process: 0e6d9b5e4df3607811a555d4fafa2768.exe
Unexpected DNS network traffic destination (1 IoC)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description: Destination IP  ioc: 77.74.48.110
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tanusafope = "Rundll32.exe \"C:\\Windows\\system32\\lomerezu.dll\",s"  Process: 0e6d9b5e4df3607811a555d4fafa2768.exe
Installs/modifies Browser Helper Object (2 TTPs, 1 IoC)
BHOs are DLL modules which act as plugins for Internet Explorer.
  description: Key created  ioc: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8815f4c-5b54-4a05-8a7a-016f80cf89ce}  Process: 0e6d9b5e4df3607811a555d4fafa2768.exe
Drops file in System32 directory (8 IoCs)
  description: File opened for modification  ioc: C:\Windows\SysWOW64\devebibo.dll  Process: 0e6d9b5e4df3607811a555d4fafa2768.exe
  description: File opened for modification  ioc: C:\Windows\SysWOW64\mivizomi  Process: 0e6d9b5e4df3607811a555d4fafa2768.exe
  description: File opened for modification  ioc: C:\Windows\SysWOW64\mofehibe.dll  Process: 0e6d9b5e4df3607811a555d4fafa2768.exe
  description: File opened for modification  ioc: C:\Windows\SysWOW64\sonumina.dll  Process: 0e6d9b5e4df3607811a555d4fafa2768.exe
  description: File opened for modification  ioc: C:\Windows\SysWOW64\felukoza.dll  Process: 0e6d9b5e4df3607811a555d4fafa2768.exe
  description: File opened for modification  ioc: C:\Windows\SysWOW64\lomerezu.dll  Process: 0e6d9b5e4df3607811a555d4fafa2768.exe
  description: File opened for modification  ioc: C:\Windows\SysWOW64\wabuheni.dll  Process: 0e6d9b5e4df3607811a555d4fafa2768.exe
  description: File opened for modification  ioc: C:\Windows\SysWOW64\webuzufa.dll  Process: 0e6d9b5e4df3607811a555d4fafa2768.exe
Modifies registry class (4 IoCs)
  description: Key created  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{b8815f4c-5b54-4a05-8a7a-016f80cf89ce}  Process: 0e6d9b5e4df3607811a555d4fafa2768.exe
  description: Key created  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{b8815f4c-5b54-4a05-8a7a-016f80cf89ce}\InprocServer32  Process: 0e6d9b5e4df3607811a555d4fafa2768.exe
  description: Set value (str)  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{b8815f4c-5b54-4a05-8a7a-016f80cf89ce}\InprocServer32\ = "C:\\Windows\\SysWow64\\webuzufa.dll"  Process: 0e6d9b5e4df3607811a555d4fafa2768.exe
  description: Set value (str)  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{b8815f4c-5b54-4a05-8a7a-016f80cf89ce}\InprocServer32\ThreadingModel = "Both"  Process: 0e6d9b5e4df3607811a555d4fafa2768.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid: 2500  Process: 0e6d9b5e4df3607811a555d4fafa2768.exe
  pid: 2500  Process: 0e6d9b5e4df3607811a555d4fafa2768.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege  pid: 2500  Process: 0e6d9b5e4df3607811a555d4fafa2768.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid: 2500  Process: 0e6d9b5e4df3607811a555d4fafa2768.exe
  pid: 2500  Process: 0e6d9b5e4df3607811a555d4fafa2768.exe
Suspicious use of WriteProcessMemory (1 IoC)
  description: PID 2500 wrote to memory of 1276  pid: 2500  Process: 0e6d9b5e4df3607811a555d4fafa2768.exe  procid_target: 20
Processes
C:\Users\Admin\AppData\Local\Temp\0e6d9b5e4df3607811a555d4fafa2768.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0e6d9b5e4df3607811a555d4fafa2768.exe"
  PID: 2500
  - Loads dropped DLL
  - Adds Run key to start application
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1276
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 63455d1d1b1b9ff698ddfe6cf5b0ece4
SHA1: fc6e291916cdcbcbefb8959e5444cc3fe4a75560
SHA256: 32eab7de5c3caa95de4e8ea2ca8ca1008edb0c11dc8c23f630e4b79a4b679f08
SHA512: dc79a21fecf54ed01c530bb8a83e5e300804f132849d18cf68c9bee59a8ec9e3fb86209301fc08e4a22e199d2da30bb44c226416edb32a815612f976d8885207

Filesize: 64KB
MD5: 6b5dfe653cfe0590771564a89e8eac4c
SHA1: 06999c2ce79f499997249017b3bb0d4c0905c5fa
SHA256: 52ba4ff79cbcb941882de54ff6a143d0e13209e98c27b17b2b10b543c1b5e15f
SHA512: 9de8cd609aa9ffa8cd5869e6817fd2ddd19d28ff9de784137fd32d4804552bec978a1760b0030473d1f4f47d1ca43d128e6c374ad2abafc5493bdcf8186855a9