Analysis
- max time kernel: 149s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 18/01/2024, 03:19
Static task: static1
Behavioral task: behavioral1
- Sample: 64556fba96511df8b7449e7247008886.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 64556fba96511df8b7449e7247008886.exe
- Resource: win10v2004-20231215-en
General
- Target: 64556fba96511df8b7449e7247008886.exe
- Size: 34KB
- MD5: 64556fba96511df8b7449e7247008886
- SHA1: fc9c01795b3badc3d9402034609417a4f59c0e9a
- SHA256: 390b1a58816baeddb270bb8f58e42136f1f4cb0636be5fd5c427e30eac59f9eb
- SHA512: d4d2338cda5851ee81547f7fda1e8f32b2e42bec5b7835accba42eeebe3826a1d54b9c0d1bc0492785aca8dda1da89ddb52ed14fa02e8dea8dc4eb1f5f4b5bff
- SSDEEP: 384:Z7MO04loobMxJNlf7HG6t1mC8bMWYtwWCnrm0A9EFqGVlz6b1iFOVCYBJPHS/7SC:n0GofNd7XHmC8lpQn+Xy1yOgaH1d0WB
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 3020 cmd.exe
- Executes dropped EXE (1 IoC)
  pid 3060 rundll32.exe
- Loads dropped DLL (3 IoCs)
  pid 2380 64556fba96511df8b7449e7247008886.exe (2 entries); pid 3060 rundll32.exe (1 entry)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rzt = "C:\\Windows\\Intel\\rundll32.exe" by 64556fba96511df8b7449e7247008886.exe
- Drops file in System32 directory (1 IoC)
  File created C:\Windows\SysWOW64\ztdll.dll by rundll32.exe
- Drops file in Windows directory (2 IoCs)
  File opened for modification C:\Windows\Intel\rundll32.exe by 64556fba96511df8b7449e7247008886.exe
  File created C:\Windows\Intel\rundll32.exe by 64556fba96511df8b7449e7247008886.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2380 64556fba96511df8b7449e7247008886.exe (11 entries); pid 3060 rundll32.exe (remaining 53 entries)
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid 3060 rundll32.exe (3 entries)
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 2380 (64556fba96511df8b7449e7247008886.exe) wrote to memory of 3020, procid_target 28 (4 entries)
  PID 2380 (64556fba96511df8b7449e7247008886.exe) wrote to memory of 3060, procid_target 30 (7 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\64556fba96511df8b7449e7247008886.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\64556fba96511df8b7449e7247008886.exe"
  PID: 2380
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (child of PID 2380)
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$c18CE.tmp.bat
    PID: 3020
    - Deletes itself
  - C:\Windows\Intel\rundll32.exe (child of PID 2380)
    Command line: C:\Windows\Intel\rundll32.exe
    PID: 3060
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 233B
  MD5: 465da0b0a2ff80bc878c5250fa10b7e0
  SHA1: 9764616a21fbedf0a8ad6e9b4dba9872bbb0757b
  SHA256: 55ba4e33b51ce9b6243987a96b056358e6d6b9d09e09e7c2e8f61189b1b1e51d
  SHA512: 0adc179ace24ec97f9baf03d4c1764c3addedab2924eb4b64fe67579b9391c6ab61de0a6b42787130795788b50f064e8f60a36faf7244241d3fc2f3b01dceed1
- Filesize: 34KB
  MD5: 64556fba96511df8b7449e7247008886
  SHA1: fc9c01795b3badc3d9402034609417a4f59c0e9a
  SHA256: 390b1a58816baeddb270bb8f58e42136f1f4cb0636be5fd5c427e30eac59f9eb
  SHA512: d4d2338cda5851ee81547f7fda1e8f32b2e42bec5b7835accba42eeebe3826a1d54b9c0d1bc0492785aca8dda1da89ddb52ed14fa02e8dea8dc4eb1f5f4b5bff
- Filesize: 42KB
  MD5: 08ff261f78012e5e7e8141f754ad10cc
  SHA1: 7fe186485e0f0193494c315e2ca0979a8a6ae069
  SHA256: edec8b512da71e0ba3ec0404b795cbcb7f674ebd0b820590be77c1cbf1c745c3
  SHA512: 12e58e12a1248c363ae45c78ff2146dfb9b6dbc8022e456b87da35534052ffb14536a751ea78e5f14eec0f461a7bfa90284a8345265cad8f16f87ebe27283283