Analysis
  max time kernel:  9s
  max time network: 120s
  platform:         windows7_x64
  resource:         win7-20231129-en
  resource tags:    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  submitted:        01/01/2024, 11:40
Static task: static1

Behavioral task: behavioral1
  Sample:   3479e7ee256673ba85659b732500c026cd218f3d79e5596e1605660208d7faa0.dll
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample:   3479e7ee256673ba85659b732500c026cd218f3d79e5596e1605660208d7faa0.dll
  Resource: win10v2004-20231215-en
General
  Target: 3479e7ee256673ba85659b732500c026cd218f3d79e5596e1605660208d7faa0.dll
  Size:   2.6MB
  MD5:    c032571b2c494c02194f05e7f476e997
  SHA1:   0b524906ed83ec66969257393f0feaeb52048544
  SHA256: 3479e7ee256673ba85659b732500c026cd218f3d79e5596e1605660208d7faa0
  SHA512: 84df1b59e895b7127d398b7b96034821bc33d8247e7f7d4731815473a1463708be71ff2be5a292f62298ad46540c463e39e541762fb1569e19a1c82ead9b2197
  SSDEEP: 49152:PRP/ddeBQy1lPe22pKpUmmWmFekXPyZ7wlX7zSLxC2X6MYhRcdVhlC4JX4:J/ddeBQy1l2cUmmpFPPy+lrzSLU2X6bW
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   Process
  1916  kss.ini

Suspicious behavior: EnumeratesProcesses (21 IoCs)
  pid   Process
  2128  rundll32.exe   (same entry repeated 21 times)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                         pid   Process
  Token: 33                           2128  rundll32.exe
  Token: SeIncBasePriorityPrivilege   2128  rundll32.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  2128  rundll32.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  description                          pid   Process       procid_target
  PID 952 wrote to memory of 2128      952   rundll32.exe  28   (7 identical entries)
  PID 2128 wrote to memory of 1916     2128  rundll32.exe  29   (4 identical entries)
Processes
  [1] C:\Windows\system32\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3479e7ee256673ba85659b732500c026cd218f3d79e5596e1605660208d7faa0.dll,#1
      PID: 952
      - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\rundll32.exe
        Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3479e7ee256673ba85659b732500c026cd218f3d79e5596e1605660208d7faa0.dll,#1
        PID: 2128
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

      [3] \??\c:\kss.ini
          Command line: c:\kss.ini
          PID: 1916
          - Executes dropped EXE

        [4] C:\Program Files\QQExternal.exe
            Command line: "C:\Program Files\QQExternal.exe"
            PID: 1768
Network
MITRE ATT&CK Matrix
Downloads
  Filesize: 1024KB
  MD5:      71cfcf952ad41f15a365cca8be58a838
  SHA1:     d21497c79e730e821153c82335f28d1478266ce5
  SHA256:   b61336362a736e46b43512995acffb95b0937907cfc24170671a2dbcd25e49e7
  SHA512:   c4b80d80a532e75899dc886292d6f86a097ca2bf647aeba8687a5f5c9f7e87f9280ba7075314a42165886cc9cead552949271452bd7db42f5575ec59f2db578d