Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 02/02/2024, 23:21
Behavioral task: behavioral1
- Sample: 8aca73a0d688b7c3b555dbb5799dba92.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 8aca73a0d688b7c3b555dbb5799dba92.exe
- Resource: win10v2004-20231215-en
General
- Target: 8aca73a0d688b7c3b555dbb5799dba92.exe
- Size: 16KB
- MD5: 8aca73a0d688b7c3b555dbb5799dba92
- SHA1: 565bafc4bf770d10c3bcfd1f5ed2b24194b35253
- SHA256: 5d93b84bf2d6519a5b7ba45e27d9d014106f19102df7281fa58a0ee081f68724
- SHA512: 06387990bc2583b9715a0e71d08feffe4db4f81cb984c7262005bce67ea4c0f91c556b533e875906550c6938b07d68c004b543063fe750da4c0b5951fef7fb57
- SSDEEP: 384:gqmhgzhZvetCeBcfWiIrcDxn2RV+kBo6p:gqEeZvetNBcxDI3o6p
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 1 IoC)
  description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\rpxlvzvs.dll = "{71A78CD4-E470-4a18-8457-E0E0283DD507}"; process: 8aca73a0d688b7c3b555dbb5799dba92.exe
- Deletes itself (1 IoC)
  pid: 2816; process: cmd.exe
- Loads dropped DLL (1 IoC)
  pid: 2844; process: 8aca73a0d688b7c3b555dbb5799dba92.exe
- resource / yara_rule matches
  resource: behavioral1/memory/2844-0-0x0000000000400000-0x000000000040D000-memory.dmp; yara_rule: upx
  resource: behavioral1/memory/2844-13-0x0000000000400000-0x000000000040D000-memory.dmp; yara_rule: upx
- Drops file in System32 directory (3 IoCs)
  description: File opened for modification; ioc: C:\Windows\SysWOW64\rpxlvzvs.nls; process: 8aca73a0d688b7c3b555dbb5799dba92.exe
  description: File created; ioc: C:\Windows\SysWOW64\rpxlvzvs.tmp; process: 8aca73a0d688b7c3b555dbb5799dba92.exe
  description: File opened for modification; ioc: C:\Windows\SysWOW64\rpxlvzvs.tmp; process: 8aca73a0d688b7c3b555dbb5799dba92.exe
- Modifies registry class (4 IoCs)
  description: Key created; ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71A78CD4-E470-4a18-8457-E0E0283DD507}; process: 8aca73a0d688b7c3b555dbb5799dba92.exe
  description: Key created; ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71A78CD4-E470-4a18-8457-E0E0283DD507}\InProcServer32; process: 8aca73a0d688b7c3b555dbb5799dba92.exe
  description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71A78CD4-E470-4a18-8457-E0E0283DD507}\InProcServer32\ = "C:\\Windows\\SysWow64\\rpxlvzvs.dll"; process: 8aca73a0d688b7c3b555dbb5799dba92.exe
  description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71A78CD4-E470-4a18-8457-E0E0283DD507}\InProcServer32\ThreadingModel = "Apartment"; process: 8aca73a0d688b7c3b555dbb5799dba92.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid: 2844; process: 8aca73a0d688b7c3b555dbb5799dba92.exe
  pid: 2844; process: 8aca73a0d688b7c3b555dbb5799dba92.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid: 2844; process: 8aca73a0d688b7c3b555dbb5799dba92.exe
  pid: 2844; process: 8aca73a0d688b7c3b555dbb5799dba92.exe
  pid: 2844; process: 8aca73a0d688b7c3b555dbb5799dba92.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 2844 wrote to memory of 2816; pid: 2844; process: 8aca73a0d688b7c3b555dbb5799dba92.exe; procid_target: 28
  description: PID 2844 wrote to memory of 2816; pid: 2844; process: 8aca73a0d688b7c3b555dbb5799dba92.exe; procid_target: 28
  description: PID 2844 wrote to memory of 2816; pid: 2844; process: 8aca73a0d688b7c3b555dbb5799dba92.exe; procid_target: 28
  description: PID 2844 wrote to memory of 2816; pid: 2844; process: 8aca73a0d688b7c3b555dbb5799dba92.exe; procid_target: 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\8aca73a0d688b7c3b555dbb5799dba92.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8aca73a0d688b7c3b555dbb5799dba92.exe"
   PID: 2844
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Loads dropped DLL
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (child of PID 2844)
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\8891.tmp.bat
      PID: 2816
      - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  Filesize: 179B
  MD5: 6bba2557b229eee6673612d2f56a66c9
  SHA1: 2b89d7fefaf165462ebacb3c19bf4815c6d6fe7f
  SHA256: a687d652b31bda58e11a652f61e09c8c6fc00295e1947fb1e10ad5011dddcf3c
  SHA512: 93436c3568a14f76775626986a154b14da7eef9ef9384a122977e20b16033ddcfd175d0a93fc005435ef8d1b410973697ca5e557f77b000d8137624eef8bcfd2
- File 2
  Filesize: 2.3MB
  MD5: f923c1f8835616ed98f0e01ef13dd2ce
  SHA1: 3029f2d6ff0713b66e05db313228afa7584271f1
  SHA256: 2bc449c33576e0b044f37a55e10cb504ce428fd3de4e31dac7d7bdc86c4dbf16
  SHA512: 0e43ee260e1cbad41f72b74bc89c23d2b5ec6b085db2879e5cc895afc9695186c4dacaab612b80b00266f2772352e9439ae805d46c134f0bc74baa43faf3b52b