Analysis
- max time kernel: 140s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 30/12/2023, 12:33
Static task
- static1
Behavioral task
- behavioral1
  Sample: 18a425f00e8d1e1084a42e80b6ab7113.exe
  Resource: win7-20231129-en
Behavioral task
- behavioral2
  Sample: 18a425f00e8d1e1084a42e80b6ab7113.exe
  Resource: win10v2004-20231222-en
General
- Target: 18a425f00e8d1e1084a42e80b6ab7113.exe
- Size: 76KB
- MD5: 18a425f00e8d1e1084a42e80b6ab7113
- SHA1: 9c8ff0bc7935d50d669e31b3cb6623a23e7f443d
- SHA256: bddc212ad99db3b5c9b67a014a76614a7239a19ec3d6764afeae3b5ceeb497c4
- SHA512: 449538087a36fd52fe5f349ebe2acdf15cd41d7a3736c13b513fec8924729e6b70cc5b179d6dc804a2794c32b24c7f1504821e9ed8ccbbccc1bd047c0c77bd72
- SSDEEP: 1536:5kp50xHYeGh8wD04WMvsJSDq+JlNkrAaDEIo2m28fUbBHtGmF0W:s0xHYeGh8ww4WMvmSDX3AmA88bBZ/
Malware Config
Signatures
- Loads dropped DLL (8 IoCs)
  pid / Process:
  - 2428 rundll32.exe (4 events)
  - 2584 rundll32.exe (4 events)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description / ioc / Process:
  - Set value (str): \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uzohagasut = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\asypren.dll\",Startup" (rundll32.exe)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid / Process:
  - 2428 rundll32.exe (6 events)
- Suspicious use of WriteProcessMemory (14 IoCs)
  description / pid / Process / procid_target:
  - PID 3016 (18a425f00e8d1e1084a42e80b6ab7113.exe) wrote to memory of PID 2428, procid_target 28 (7 events)
  - PID 2428 (rundll32.exe) wrote to memory of PID 2584, procid_target 29 (7 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\18a425f00e8d1e1084a42e80b6ab7113.exe (PID 3016)
  Command line: "C:\Users\Admin\AppData\Local\Temp\18a425f00e8d1e1084a42e80b6ab7113.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2428)
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\asypren.dll",Startup
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 2584)
      Command line: rundll32.exe "C:\Users\Admin\AppData\Local\asypren.dll",iep
      - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 76KB
  MD5: 1bda70e5cb2b14465c56af28bf061845
  SHA1: bd8c4cb2681ddba508ff375fecc8ea3f0fffa01c
  SHA256: e13349dd9a62b2740088024cd7e1af19a643e0d04843563b83270a747519718f
  SHA512: df22237a7148cd03e796940131e53a15986778cccceb5f587a30c3c16f91f286cd0cbe2584a58e591c89dcf56ed02dbf95a2e1e6e2e2c26c2b3441637f012fbd
- Filesize: 57KB
  MD5: 5d667fd0948b8dfaad6c2ca674bb4eec
  SHA1: 71ab4c54c50d6c60f271522676810efebcbb60bc
  SHA256: 543958a0985a4c32adf5b8e8a16a674e38c16c57bddb421971c9d758b09883e8
  SHA512: abcd0dede35dc94c3eefa8d434115a150b36996b8390b9bdb4e0fc26b2452754afe43857dfc49a3d3dcd0a3c83b8b8a8e09b75945279384f5fa6539ac6f13811