Analysis
- max time kernel: 123s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 31/12/2023, 01:10
Static task: static1
Behavioral task: behavioral1
- Sample: 22978b1dc77585965b8aca1f3882cafc.dll
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 22978b1dc77585965b8aca1f3882cafc.dll
- Resource: win10v2004-20231215-en
General
- Target: 22978b1dc77585965b8aca1f3882cafc.dll
- Size: 219KB
- MD5: 22978b1dc77585965b8aca1f3882cafc
- SHA1: 3e1701eb2cacba660176f4837e0196711c26a1fe
- SHA256: 340ab14b5bd0fdcce6adadcaed4f363ad7b77bda3cb72fa31f50df29cf0a8784
- SHA512: 34f19ea66467c16240dc413d4db14ef225eaf814493d11e94ba7f948a6a6a66bb9ada4466df302f02e24a8f6b8828611218c336e6e546b499159f05fa4739f9c
- SSDEEP: 3072:bz++Zp57WfuQtVoH4t7+UIooLafTc2iAprutqTqH965jxkFqatUrFjK:bz+OnutVoYN+dabt3rGX96VxkUJ
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
  pid 2936, process svchost.exe
- Drops file in Program Files directory (2 IoCs)
  File opened for modification: C:\Program Files (x86)\Cbgv\Gvbaipngp.gif (process rundll32.exe)
  File created: C:\Program Files (x86)\Cbgv\Gvbaipngp.gif (process rundll32.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2936, process svchost.exe (the same entry is recorded 64 times)
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Token: SeBackupPrivilege, pid 1872, process rundll32.exe
  Token: SeRestorePrivilege, pid 1872, process rundll32.exe
  (this pair is recorded 4 times)
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 1928 (rundll32.exe) wrote to memory of PID 1872, procid_target 14 (the same entry is recorded 7 times)
Processes
- C:\Windows\SysWOW64\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\22978b1dc77585965b8aca1f3882cafc.dll,#1
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1872
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID: 2936
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\22978b1dc77585965b8aca1f3882cafc.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 1928
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 385KB
  MD5: 1e52b4ec27ff1501ad4e2067285ab051
  SHA1: b724216cb61bdf9d946fbbda725fa4d9701b9869
  SHA256: ea7c07befe8b76f4f6ddf0e073c0cdaf88e8980f01b872440ca3b66ae678e8fd
  SHA512: da3c3dba95b10b38993f764781361a2ddc68cafb664d19ad7acac6fdaadb22a2b5db6127b3d3625cd4f66105cb9a456e5050f6606525e3bcdc8bced7bc85b666