Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 01/02/2024, 03:45
Static task: static1
Behavioral task: behavioral1
  Sample: 85d77c6d6cbda81201974986ad9b957d.dll
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 85d77c6d6cbda81201974986ad9b957d.dll
  Resource: win10v2004-20231222-en
General
Target: 85d77c6d6cbda81201974986ad9b957d.dll
Size: 18KB
MD5: 85d77c6d6cbda81201974986ad9b957d
SHA1: 2af04537c01d6f0feb2fcb6f008098a1e4523083
SHA256: 78523af787241792dd13a765472b439a0a3ba048f5bd7c8597ef55a721dba324
SHA512: e5414f624f3138dd8da01a924987a73a46ecac9e1d45d29f6c1c5b3f486db5a357acfa91a7f7c624d4ea6803e7e662f351360d4d5f5e3f6037291e2775a3e4f4
SSDEEP: 384:3/Ypt5KK/DXKgzu6Df6K/fIXg9eVFau58usyrzsbZ:v45KCD6gzdpgw9e7auyusyrzsl
Malware Config
Signatures

Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     process
File opened (read-only)  \??\R:  regsvr32.exe
File opened (read-only)  \??\U:  regsvr32.exe
File opened (read-only)  \??\G:  regsvr32.exe
File opened (read-only)  \??\I:  regsvr32.exe
File opened (read-only)  \??\J:  regsvr32.exe
File opened (read-only)  \??\K:  regsvr32.exe
File opened (read-only)  \??\L:  regsvr32.exe
File opened (read-only)  \??\M:  regsvr32.exe
File opened (read-only)  \??\W:  regsvr32.exe
File opened (read-only)  \??\Q:  regsvr32.exe
File opened (read-only)  \??\Z:  regsvr32.exe
File opened (read-only)  \??\X:  regsvr32.exe
File opened (read-only)  \??\Y:  regsvr32.exe
File opened (read-only)  \??\E:  regsvr32.exe
File opened (read-only)  \??\N:  regsvr32.exe
File opened (read-only)  \??\O:  regsvr32.exe
File opened (read-only)  \??\P:  regsvr32.exe
File opened (read-only)  \??\T:  regsvr32.exe
File opened (read-only)  \??\V:  regsvr32.exe
File opened (read-only)  \??\H:  regsvr32.exe
File opened (read-only)  \??\S:  regsvr32.exe

Drops autorun.inf file (1 TTP, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description                   ioc             process
File created                  F:\autorun.inf  regsvr32.exe
File opened for modification  F:\autorun.inf  regsvr32.exe
File created                  C:\autorun.inf  regsvr32.exe
File opened for modification  C:\autorun.inf  regsvr32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description                       pid   process       procid_target
PID 2936 wrote to memory of 2992  2936  regsvr32.exe  16
(this same event is recorded 7 times)
Processes

C:\Windows\SysWOW64\regsvr32.exe
  Command line: /s C:\Users\Admin\AppData\Local\Temp\85d77c6d6cbda81201974986ad9b957d.dll
  PID: 2992
  - Enumerates connected drives
  - Drops autorun.inf file

C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\85d77c6d6cbda81201974986ad9b957d.dll
  PID: 2936
  - Suspicious use of WriteProcessMemory