Analysis
- max time kernel: 117s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 05/01/2024, 11:46
Behavioral task behavioral1
- Sample: 10d5d1504841417c479d293f23d7841e.exe
- Resource: win7-20231215-en

Behavioral task behavioral2
- Sample: 10d5d1504841417c479d293f23d7841e.exe
- Resource: win10v2004-20231215-en
General
- Target: 10d5d1504841417c479d293f23d7841e.exe
- Size: 32KB
- MD5: 10d5d1504841417c479d293f23d7841e
- SHA1: 4d00f158ae676df8ce5eb9edb47ebb8934719d56
- SHA256: cd3e7bc73872f6dc927cb3a9f186a15a4525e9fc989dd03925acd2ecf496e8f5
- SHA512: 54ac6c17ec124f8bd3121472ea8b635da867becdd195157eeeee6f1aca2f38262c3d3ff70601de5bdd4a778032fcaec07f735a0a334107ec36e6063ff6db7439
- SSDEEP: 768:qu5aW2SDT07OTe8//gCSD1MV+qHDVSu5pjJpOOeC:qYRmOTj3ghMVvDVSOpjJG
Malware Config
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ThunderAdvise = "{97421D0D-E07F-40DF-8F07-99597B9585AD}" (rundll32.exe)

Sets service image path in registry (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\259415357ErrorControl\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\dump_wmimmc.sys" (10d5d1504841417c479d293f23d7841e.exe)

Deletes itself (1 IoC)
- PID 1852 cmd.exe

Loads dropped DLL (4 IoCs)
- PID 2012 rundll32.exe (4 loads)

YARA rule match: upx (1 IoC)
- resource behavioral1/memory/1708-0-0x0000000000400000-0x000000000040E000-memory.dmp, rule upx

Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{97421D0D-E07F-40DF-8F07-99597B9585AD} (rundll32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{97421D0D-E07F-40DF-8F07-99597B9585AD}\ = "ThunderAdvise" (rundll32.exe)

Drops file in Windows directory (1 IoC)
- File created: C:\Windows\Downloaded Program Files\ThunderAdvise.dll (10d5d1504841417c479d293f23d7841e.exe)

Modifies registry class (46 IoCs)
All 46 operations are by rundll32.exe; together they register the dropped DLL as the COM server for CLSID {97421D0D-E07F-40DF-8F07-99597B9585AD} (ProgID ThunderAdvise.ThunderHlpObj), its interface {DEEF6582-9927-4CBD-897C-6A1F9E8C47DE} and type library {6D4C7E08-E021-414C-A42D-AB15A2302196}.
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\ThunderAdvise.ThunderHlpObj.1\CLSID
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97421D0D-E07F-40DF-8F07-99597B9585AD}\ProgID\ = "ThunderAdvise.ThunderHlpObj.1"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97421D0D-E07F-40DF-8F07-99597B9585AD}\InprocServer32\ = "C:\\Windows\\Downloaded Program Files\\ThunderAdvise.dll"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97421D0D-E07F-40DF-8F07-99597B9585AD}\TypeLib
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DEEF6582-9927-4CBD-897C-6A1F9E8C47DE}\TypeLib\Version = "1.0"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\ThunderAdvise.ThunderHlpObj\CurVer
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97421D0D-E07F-40DF-8F07-99597B9585AD}
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97421D0D-E07F-40DF-8F07-99597B9585AD}\InprocServer32\ThreadingModel = "Apartment"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97421D0D-E07F-40DF-8F07-99597B9585AD}\TypeLib\ = "{6D4C7E08-E021-414C-A42D-AB15A2302196}"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D4C7E08-E021-414C-A42D-AB15A2302196}\1.0\0\win32
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D4C7E08-E021-414C-A42D-AB15A2302196}\1.0\0\win32\ = "C:\\Windows\\Downloaded Program Files\\ThunderAdvise.dll"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\ThunderAdvise.ThunderHlpObj.1
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\ThunderAdvise.ThunderHlpObj\CLSID\ = "{97421D0D-E07F-40DF-8F07-99597B9585AD}"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\ThunderAdvise.ThunderHlpObj\CurVer\ = "ThunderAdvise.ThunderHlpObj.1"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97421D0D-E07F-40DF-8F07-99597B9585AD}\VersionIndependentProgID
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D4C7E08-E021-414C-A42D-AB15A2302196}
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DEEF6582-9927-4CBD-897C-6A1F9E8C47DE}\ProxyStubClsid32
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DEEF6582-9927-4CBD-897C-6A1F9E8C47DE}\TypeLib\ = "{6D4C7E08-E021-414C-A42D-AB15A2302196}"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97421D0D-E07F-40DF-8F07-99597B9585AD}\InprocServer32
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D4C7E08-E021-414C-A42D-AB15A2302196}\1.0
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D4C7E08-E021-414C-A42D-AB15A2302196}\1.0\HELPDIR
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DEEF6582-9927-4CBD-897C-6A1F9E8C47DE}
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DEEF6582-9927-4CBD-897C-6A1F9E8C47DE}\TypeLib
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DEEF6582-9927-4CBD-897C-6A1F9E8C47DE}\TypeLib
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97421D0D-E07F-40DF-8F07-99597B9585AD}\VersionIndependentProgID\ = "ThunderAdvise.ThunderHlpObj"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DEEF6582-9927-4CBD-897C-6A1F9E8C47DE}\TypeLib\ = "{6D4C7E08-E021-414C-A42D-AB15A2302196}"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DEEF6582-9927-4CBD-897C-6A1F9E8C47DE}
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\ThunderAdvise.ThunderHlpObj.1\ = "ThunderHlpObj Class"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97421D0D-E07F-40DF-8F07-99597B9585AD}\ = "ThunderHlpObj Class"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DEEF6582-9927-4CBD-897C-6A1F9E8C47DE}\ = "IThunderHlpObj"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DEEF6582-9927-4CBD-897C-6A1F9E8C47DE}\TypeLib\Version = "1.0"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DEEF6582-9927-4CBD-897C-6A1F9E8C47DE}\ = "IThunderHlpObj"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DEEF6582-9927-4CBD-897C-6A1F9E8C47DE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\ThunderAdvise.ThunderHlpObj\CLSID
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97421D0D-E07F-40DF-8F07-99597B9585AD}\ProgID
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D4C7E08-E021-414C-A42D-AB15A2302196}\1.0\ = "ThunderAdvise 1.0 Type Library"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D4C7E08-E021-414C-A42D-AB15A2302196}\1.0\FLAGS
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D4C7E08-E021-414C-A42D-AB15A2302196}\1.0\HELPDIR\ = "C:\\Windows\\Downloaded Program Files"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DEEF6582-9927-4CBD-897C-6A1F9E8C47DE}\ProxyStubClsid32
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DEEF6582-9927-4CBD-897C-6A1F9E8C47DE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\ThunderAdvise.ThunderHlpObj.1\CLSID\ = "{97421D0D-E07F-40DF-8F07-99597B9585AD}"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\ThunderAdvise.ThunderHlpObj
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\ThunderAdvise.ThunderHlpObj\ = "ThunderHlpObj Class"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97421D0D-E07F-40DF-8F07-99597B9585AD}\Programmable
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D4C7E08-E021-414C-A42D-AB15A2302196}\1.0\FLAGS\ = "0"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D4C7E08-E021-414C-A42D-AB15A2302196}\1.0\0

Suspicious behavior: LoadsDriver (1 IoC)
- PID 1708 10d5d1504841417c479d293f23d7841e.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeLoadDriverPrivilege, PID 1708 10d5d1504841417c479d293f23d7841e.exe

Suspicious use of WriteProcessMemory (14 IoCs)
- PID 1708 (10d5d1504841417c479d293f23d7841e.exe) wrote to memory of PID 2012 (rundll32.exe, procid_target 28): 7 events
- PID 1708 (10d5d1504841417c479d293f23d7841e.exe) wrote to memory of PID 1852 (cmd.exe, procid_target 30): 7 events
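The three persistence entries in the signatures above (the ShellServiceObjectDelayLoad value, the Browser Helper Object CLSID and the service ImagePath pointing at a driver in the user's Temp directory) can be hunted for on other hosts from an offline registry export. The following Python is an added example and not part of the tria.ge report: the `.reg` excerpt is constructed from the IoCs above plus two benign control entries, and the trusted-directory list is this example's own assumption, not something the report states.

```python
"""Hunt SSODL, BHO and service-ImagePath persistence in a text registry export.
Added example, not tria.ge output."""

# Constructed .reg-style excerpt modelled on the report's IoCs plus two benign
# control entries (WebCheck, Beep).  A real export would come from `reg export`.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"ThunderAdvise"="{97421D0D-E07F-40DF-8F07-99597B9585AD}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{97421D0D-E07F-40DF-8F07-99597B9585AD}]
@="ThunderAdvise"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97421D0D-E07F-40DF-8F07-99597B9585AD}\InprocServer32]
@="C:\\Windows\\Downloaded Program Files\\ThunderAdvise.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32]
@="C:\\Windows\\SysWOW64\\webcheck.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\259415357ErrorControl]
"ImagePath"="\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\dump_wmimmc.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Beep]
"ImagePath"="\\SystemRoot\\System32\\drivers\\beep.sys"
"""

# Assumed allow-list.  "Downloaded Program Files" is deliberately absent: it is
# where Internet Explorer installs ActiveX controls, so a hit there is a lead.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
SSODL = "\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad"
BHO = "\\Microsoft\\Windows\\CurrentVersion\\explorer\\Browser Helper Objects\\"
CLSID_ROOTS = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\",  # 32-bit view on x64
               "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\")


def parse_reg_export(text):
    """Minimal .reg parser: {key path: {value name: string data}}; '' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "" if name == "@" else name.strip('"')
            # .reg files escape backslashes and quotes inside REG_SZ data
            data = data.strip().strip('"').replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys


def normalise(path):
    """Turn the NT-style forms a driver ImagePath uses into a Win32 path."""
    if path.startswith("\\??\\"):
        path = path[4:]
    if path.lower().startswith("\\systemroot\\"):
        path = "C:\\Windows\\" + path[len("\\systemroot\\"):]
    return path.strip('"')


def is_trusted(path):
    return normalise(path).lower().startswith(TRUSTED_DIRS)


def clsid_server(keys, clsid):
    """Resolve a CLSID to its in-process server DLL, checking the 32-bit view first."""
    for root in CLSID_ROOTS:
        values = keys.get(root + clsid + "\\InprocServer32")
        if values and "" in values:
            return values[""]
    return None


def hunt(keys):
    """One finding per persistence entry whose backing file is outside TRUSTED_DIRS."""
    findings = []
    for key, values in keys.items():
        if key.endswith(SSODL):                      # Explorer loads every CLSID listed here
            for name, clsid in values.items():
                dll = clsid_server(keys, clsid)
                if dll is None or not is_trusted(dll):
                    findings.append({"kind": "SSODL", "name": name, "clsid": clsid, "path": dll})
        elif BHO in key:                             # IE loads the CLSID named by the subkey
            clsid = key.rsplit("\\", 1)[1]
            dll = clsid_server(keys, clsid)
            if dll is None or not is_trusted(dll):
                findings.append({"kind": "BHO", "name": values.get("", ""), "clsid": clsid, "path": dll})
        elif "\\services\\" in key.lower() and "ImagePath" in values:
            image = values["ImagePath"]
            if not is_trusted(image):
                findings.append({"kind": "SERVICE", "name": key.rsplit("\\", 1)[1],
                                 "clsid": None, "path": normalise(image)})
    return findings


if __name__ == "__main__":
    for f in hunt(parse_reg_export(SAMPLE_REG)):
        print(f"{f['kind']:8} {f['name']:24} {f['clsid'] or '-':40} {f['path']}")
```

Against the constructed excerpt this returns three findings: the SSODL entry and the BHO, both resolving through the CLSID to the DLL in Downloaded Program Files, and the service whose ImagePath (after stripping the `\??\` prefix) sits under the user's Temp directory. The two control entries resolve into SysWOW64 and System32\drivers and are not reported. A hit in Downloaded Program Files is a triage lead, not a verdict; confirm with the DLL's hash and signature.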
Processes
- C:\Users\Admin\AppData\Local\Temp\10d5d1504841417c479d293f23d7841e.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\10d5d1504841417c479d293f23d7841e.exe"
  - Sets service image path in registry
  - Drops file in Windows directory
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1708
  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32 "C:\Windows\Downloaded Program Files\ThunderAdvise.dll",MainProc
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies registry class
    PID: 2012
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\\uninstall.bat"
    - Deletes itself
    PID: 1852
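The process tree above is the kind of chain that endpoint process-creation telemetry (Sysmon event ID 1, for instance) records: a dropper in the user's Temp directory starts rundll32 on a DLL outside the system directories with a named export, then uses `cmd /c` on a batch file in Temp to delete itself. As an added example, not code from tria.ge, the following Python applies those two rules to constructed events. The three events from the tree carry the PIDs the report shows; the parent PID 1000 and the two benign control events are invented for the example.

```python
"""Flag the rundll32 / cmd.exe chain from the report's process tree in
process-creation telemetry.  Added example, not tria.ge output."""
import re

# Constructed events: three transcribed from the report's process tree plus two
# benign controls.  ppid 1000 and PIDs 3001/3002 are invented.
EVENTS = [
    {"pid": 1708, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\10d5d1504841417c479d293f23d7841e.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\10d5d1504841417c479d293f23d7841e.exe"'},
    {"pid": 2012, "ppid": 1708, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'rundll32 "C:\Windows\Downloaded Program Files\ThunderAdvise.dll",MainProc'},
    {"pid": 1852, "ppid": 1708, "image": r"C:\Windows\SysWOW64\cmd.exe",
     # the doubled separator is reproduced from the report; Windows tolerates it
     "cmdline": r'cmd /c "C:\Users\Admin\AppData\Local\Temp\\uninstall.bat"'},
    {"pid": 3001, "ppid": 1000, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"pid": 3002, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c "C:\Scripts\nightly.bat"'},
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_TEMP = "\\appdata\\local\\temp\\"

# rundll32 <dll>,<export>: the DLL may be quoted (spaces) and is always followed by a comma
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,\s*(\w+)', re.I)
# cmd /c <script.bat|script.cmd>, optionally quoted
CMD_BAT_RE = re.compile(r'cmd(?:\.exe)?\s+/c\s+"?([^"]+?\.(?:bat|cmd))"?', re.I)


def detect(events):
    """Return findings for (a) rundll32 loading a DLL outside System32/SysWOW64 and
    (b) a process living in the user's Temp dir running a batch file from Temp via
    cmd /c, which is the self-delete pattern in the tree above."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        m = RUNDLL_RE.search(e["cmdline"])
        if m and not m.group(1).lower().startswith(SYSTEM_DIRS):
            findings.append({"rule": "rundll32_nonsystem_dll", "pid": e["pid"],
                             "dll": m.group(1), "export": m.group(2),
                             "parent": parent["image"] if parent else None})
        m = CMD_BAT_RE.search(e["cmdline"])
        if (m and USER_TEMP in m.group(1).lower()
                and parent is not None and USER_TEMP in parent["image"].lower()):
            findings.append({"rule": "temp_parent_runs_temp_batch", "pid": e["pid"],
                             "batch": m.group(1), "parent": parent["image"]})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

Only the two events from the report fire: PID 2012 because ThunderAdvise.dll is loaded from Downloaded Program Files rather than a system directory, and PID 1852 because both the batch file and the parent image are under AppData\Local\Temp. The shell32.dll control panel launch and the batch file outside Temp stay quiet. The rundll32 rule alone would also fire on legitimate installers that ship a DLL in Program Files, so in production pair it with the parent image or a signature check rather than alerting on it by itself.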
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 231B
  MD5: 9a9dba9dd273a2e4a9bd380157f4d960
  SHA1: 97a0cd908503c1186d1c90d26b4c32fc9110f9b3
  SHA256: 88b1bb8a1333beda337e84931c068fa447e9593cb6e28a0d8c3acb1e0864a5d9
  SHA512: 1977e8b222b2a23a6dc68e1de407aa920fcc20ac34e5583a305a10db8b274378e28f1d1daa3941ef83c0341240a35230d2260a8e0e19acea157b679537142232
- Filesize: 44KB
  MD5: cf84d56c3cb3e98e14e296c4c0774392
  SHA1: b298443fa23e32fcf34fa47ec2176abdca64e09f
  SHA256: c823e5154b764fd02370d06a4a88538be1e00b419f0bf01eee50cbbf46fdda54
  SHA512: d8836fe48911d2c3a1835d7bdd0af3f770ca7eeae8df66464a6b0926f36658e38c0c4de6c77efde6f2696895944f6445594f6eb9eb94b7b01d94cf53d9fcb064