Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 118s
max time network: 122s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2023, 04:45
Static task: static1
Behavioral task: behavioral1
  Sample: 0eeed44054b5b220fb5954c4b7dceab0.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 0eeed44054b5b220fb5954c4b7dceab0.exe
  Resource: win10v2004-20231215-en
General
Target: 0eeed44054b5b220fb5954c4b7dceab0.exe
Size: 136KB
MD5: 0eeed44054b5b220fb5954c4b7dceab0
SHA1: a4f4e3ed6f830b670398e3bfb459b6208e4e11f1
SHA256: 57bdeafeb3f41622728d124abcf037e3b59cf864b810eb07c8aa0e3283704422
SHA512: 8025375c9611ed369978df0d0e6cb2ff3385ee5ca603dc219240d25e0dcc9628193ec2821d7753b13c54e50febf794e3057ec27000bac7ddf4c2f57fdac144f9
SSDEEP: 3072:8Uj3Wn3UqbkzrIE5RMiLdcjd5U+da+IbSudg:8UjjrbrTctdp1uW
Malware Config
Signatures

Loads dropped DLL (6 IoCs)
pid   Process
2576  rundll32.exe
2576  rundll32.exe
2576  rundll32.exe
988   rundll32.exe
988   rundll32.exe
988   rundll32.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (26 IoCs)
description                        pid   Process                               procid_target
PID 2000 wrote to memory of 2904   2000  0eeed44054b5b220fb5954c4b7dceab0.exe  28
PID 2000 wrote to memory of 2904   2000  0eeed44054b5b220fb5954c4b7dceab0.exe  28
PID 2000 wrote to memory of 2904   2000  0eeed44054b5b220fb5954c4b7dceab0.exe  28
PID 2000 wrote to memory of 2904   2000  0eeed44054b5b220fb5954c4b7dceab0.exe  28
PID 2904 wrote to memory of 2656   2904  cmd.exe                               30
PID 2904 wrote to memory of 2656   2904  cmd.exe                               30
PID 2904 wrote to memory of 2656   2904  cmd.exe                               30
PID 2904 wrote to memory of 2656   2904  cmd.exe                               30
PID 2656 wrote to memory of 2576   2656  control.exe                           31
PID 2656 wrote to memory of 2576   2656  control.exe                           31
PID 2656 wrote to memory of 2576   2656  control.exe                           31
PID 2656 wrote to memory of 2576   2656  control.exe                           31
PID 2656 wrote to memory of 2576   2656  control.exe                           31
PID 2656 wrote to memory of 2576   2656  control.exe                           31
PID 2656 wrote to memory of 2576   2656  control.exe                           31
PID 2576 wrote to memory of 620    2576  rundll32.exe                          32
PID 2576 wrote to memory of 620    2576  rundll32.exe                          32
PID 2576 wrote to memory of 620    2576  rundll32.exe                          32
PID 2576 wrote to memory of 620    2576  rundll32.exe                          32
PID 620 wrote to memory of 988     620   RunDll32.exe                          33
PID 620 wrote to memory of 988     620   RunDll32.exe                          33
PID 620 wrote to memory of 988     620   RunDll32.exe                          33
PID 620 wrote to memory of 988     620   RunDll32.exe                          33
PID 620 wrote to memory of 988     620   RunDll32.exe                          33
PID 620 wrote to memory of 988     620   RunDll32.exe                          33
PID 620 wrote to memory of 988     620   RunDll32.exe                          33
Processes (indented by depth in the process tree)

[depth 1] C:\Users\Admin\AppData\Local\Temp\0eeed44054b5b220fb5954c4b7dceab0.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0eeed44054b5b220fb5954c4b7dceab0.exe"
    PID: 2000
    Signatures: Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\0eeed44054b5b220fb5954c4b7dceab0.bat
      PID: 2904
      Signatures: Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\SysWOW64\control.exe
        Command line: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\3112232103.cpl",
        PID: 2656
        Signatures: Suspicious use of WriteProcessMemory
      [depth 4] C:\Windows\SysWOW64\rundll32.exe
          Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\3112232103.cpl",
          PID: 2576
          Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
        [depth 5] C:\Windows\system32\RunDll32.exe
            Command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\3112232103.cpl",
            PID: 620
            Signatures: Suspicious use of WriteProcessMemory
          [depth 6] C:\Windows\SysWOW64\rundll32.exe
              Command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\3112232103.cpl",
              PID: 988
              Signatures: Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 130B
MD5: 1cd35d7979f5c77de29218c310ef311b
SHA1: b9f7dfd8d0531edc4224ad4a73d461ed4e6ff0d1
SHA256: c236ec365ee462903354232255dc53cb215835fbbad357fbaaa27de41c4b8922
SHA512: 70a39d76d7759b13faeb525d055cbf22c8b34532e64edfd59ae5961a9d0eaf8a1471fe8da5649a49a488e4d050b358ead7c988e46f4e818063f84046c6c0a401

File 2
Filesize: 85KB
MD5: 3c1fad291b617b00b9d190cdfcc57698
SHA1: 3e1929d373b904d76f6b2fa5f9c50c2e957d1607
SHA256: 1e5078c275042e6335ab237e181aea1ea4e29538456c4dcfea61702fb4b299ba
SHA512: 9eb520fea3004b58dd45f69ee4cc44955051b203cd7244cb69fc4bd699eaac0c3f7bb7a5282ac58311212dee805294874f96ea942b679052a2f151afad97c344

File 3
Filesize: 38KB
MD5: 3e323292be5979b4a7427e4d27657233
SHA1: 28919bcc109e671e3c9c5b62cd6439d82e763ed3
SHA256: ddd552aaf401e092378a2bf8eb5f7735b2f6cdfb0aaeca86ccd14f1fea1c8c54
SHA512: 2c2455e47e3e85b59f5c46a4194ba7be55df157aeca2ae49089ed2517372edd418d728172fde627544762e7940d4ad612b7685aea3ee8bba5afaf79681e4ce9b