Analysis
- max time kernel: 162s
- max time network: 184s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31/12/2023, 01:10
Static task: static1
Behavioral task: behavioral1
- Sample: 22978b1dc77585965b8aca1f3882cafc.dll
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 22978b1dc77585965b8aca1f3882cafc.dll
- Resource: win10v2004-20231215-en
General
- Target: 22978b1dc77585965b8aca1f3882cafc.dll
- Size: 219KB
- MD5: 22978b1dc77585965b8aca1f3882cafc
- SHA1: 3e1701eb2cacba660176f4837e0196711c26a1fe
- SHA256: 340ab14b5bd0fdcce6adadcaed4f363ad7b77bda3cb72fa31f50df29cf0a8784
- SHA512: 34f19ea66467c16240dc413d4db14ef225eaf814493d11e94ba7f948a6a6a66bb9ada4466df302f02e24a8f6b8828611218c336e6e546b499159f05fa4739f9c
- SSDEEP: 3072:bz++Zp57WfuQtVoH4t7+UIooLafTc2iAprutqTqH965jxkFqatUrFjK:bz+OnutVoYN+dabt3rGX96VxkUJ
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
  pid 3736, process svchost.exe
- Drops file in Program Files directory (2 IoCs)
  File opened for modification: C:\Program Files (x86)\Cbgv\Gvbaipngp.gif (rundll32.exe)
  File created: C:\Program Files (x86)\Cbgv\Gvbaipngp.gif (rundll32.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 3736, process svchost.exe (the same entry repeated 64 times)
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Token: SeBackupPrivilege, pid 4012, process rundll32.exe (4 times)
  Token: SeRestorePrivilege, pid 4012, process rundll32.exe (4 times)
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1544 wrote to memory of 4012; pid 1544, process rundll32.exe, procid_target 90 (3 times)
Processes
- C:\Windows\system32\rundll32.exe (PID 1544)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\22978b1dc77585965b8aca1f3882cafc.dll,#1
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\rundll32.exe (PID 4012)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\22978b1dc77585965b8aca1f3882cafc.dll,#1
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\svchost.exe (PID 3736)
  Command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 16.0MB
  MD5: a5170f7e2bb114d9bc19621eaea9ee1b
  SHA1: 7fa9fbcd1e37d12afc9c1b95ec9c851ce5c00f19
  SHA256: c44841893f19fb73b46ef095450d0a71b57d27564525468f7e342a3235c1a329
  SHA512: e12e77cadd1fa2e27158e634dd15effb28e8ef8357fb363f5dfabcd3b92c071d8b089659c16c74930f4526d75d2b8a9709b8c3fe21bc0c2b55413a8746560636