Analysis
max time kernel: 141s
max time network: 125s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 04/02/2024, 16:04
Static task: static1

Behavioral task: behavioral1
Sample: VirusShare_64f26f341dc59ee8c340fcae3ed2b4d5.dll
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: VirusShare_64f26f341dc59ee8c340fcae3ed2b4d5.dll
Resource: win10v2004-20231215-en
General
Target: VirusShare_64f26f341dc59ee8c340fcae3ed2b4d5.dll
Size: 2.1MB
MD5: 64f26f341dc59ee8c340fcae3ed2b4d5
SHA1: 5bf2a4d34959007c1d7d85b45f8a2c5801636cb6
SHA256: 4fb409b42ecc1d03c557e804df5aba0ba721fc885e8b3e5b7032a2551275d4e0
SHA512: b54bafc839e722e79e213d4babc303b9b123dfa78a7f622864058a2e0f58cc81b360db22eea67ba843397599a43b630218543d758dd2afbf070f96453eef579e
SSDEEP: 3072:da/fT8nSPDyBL4ORnMAhr1yw649iS3BAarBQ/sVsVuSOUwQka/:WT8nftDD/i+Aa1csmYSNp
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\Windows\\system32\\rundll32.exe C:\\PROGRA~3\\asoor32ni.dat,StartAs" | rundll32.exe

Drops file in Program Files directory (4 IoCs)
  description | ioc | Process
  File opened for modification | C:\PROGRA~3\in23roosa.dat | rundll32.exe
  File created | C:\PROGRA~3\asoor32ni.dat | rundll32.exe
  File opened for modification | C:\PROGRA~3\asoor32ni.dat | rundll32.exe
  File created | C:\PROGRA~3\in23roosa.dat | rundll32.exe

Modifies Internet Explorer Protected Mode (1 TTPs, 5 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\2500 = "3" | rundll32.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | rundll32.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | rundll32.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | rundll32.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | rundll32.exe

Modifies Internet Explorer Protected Mode Banner (1 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | rundll32.exe

Modifies Internet Explorer settings
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main | rundll32.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid | Process
  2172 | rundll32.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  2172 | rundll32.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2172 | rundll32.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2180 wrote to memory of 2172 | 2180 | rundll32.exe | 28
  PID 2180 wrote to memory of 2172 | 2180 | rundll32.exe | 28
  PID 2180 wrote to memory of 2172 | 2180 | rundll32.exe | 28
  PID 2180 wrote to memory of 2172 | 2180 | rundll32.exe | 28
  PID 2180 wrote to memory of 2172 | 2180 | rundll32.exe | 28
  PID 2180 wrote to memory of 2172 | 2180 | rundll32.exe | 28
  PID 2180 wrote to memory of 2172 | 2180 | rundll32.exe | 28
  PID 2172 wrote to memory of 1240 | 2172 | rundll32.exe | 21
Processes

C:\Windows\Explorer.EXE (PID 1240)
  command line: C:\Windows\Explorer.EXE

  C:\Windows\system32\rundll32.exe (PID 2180)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\VirusShare_64f26f341dc59ee8c340fcae3ed2b4d5.dll,#1
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe (PID 2172)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\VirusShare_64f26f341dc59ee8c340fcae3ed2b4d5.dll,#1
      - Adds Run key to start application
      - Drops file in Program Files directory
      - Modifies Internet Explorer Protected Mode
      - Modifies Internet Explorer Protected Mode Banner
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 4.0MB
MD5: 6be2c685798c55551dec6f94077659e2
SHA1: a4c4a1ee8c5ddcc9aaae6b4bf0f8b8be1db52374
SHA256: 27c83bececa6498510568e7d848891b071374f362637d38825549527aa68ceb9
SHA512: a3d2a15dfc43f37c88c2ac4bfc8d84461a461978aec8d2d0fd3e38d47398905094b2f9b5e25df7f21465d4e5006487cd4ba92a2ce63d3b9a4a4d67b121e17a08

Filesize: 30.1MB
MD5: cfbdf94da04a0a8fa95f39f85b1665e1
SHA1: 6391c5648d0c16105730f65df5268f20721b9e85
SHA256: 2e538ff4eb4835b641f15e529433e09fc2cc72f95a77e34330c63d8a12039bff
SHA512: 1782d00c9a51f7b64a3125640994a367258ad26b70cf3be848a3551daa2374309f71822a1a1433afaece778a098071ea037554922717c6e9e72b6d8a4ad60d14