Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    141s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    04/02/2024, 16:04

General

  • Target

    VirusShare_64f26f341dc59ee8c340fcae3ed2b4d5.dll

  • Size

    2.1MB

  • MD5

    64f26f341dc59ee8c340fcae3ed2b4d5

  • SHA1

    5bf2a4d34959007c1d7d85b45f8a2c5801636cb6

  • SHA256

    4fb409b42ecc1d03c557e804df5aba0ba721fc885e8b3e5b7032a2551275d4e0

  • SHA512

    b54bafc839e722e79e213d4babc303b9b123dfa78a7f622864058a2e0f58cc81b360db22eea67ba843397599a43b630218543d758dd2afbf070f96453eef579e

  • SSDEEP

    3072:da/fT8nSPDyBL4ORnMAhr1yw649iS3BAarBQ/sVsVuSOUwQka/:WT8nftDD/i+Aa1csmYSNp

Score
6/10

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 5 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1240
      • C:\Windows\system32\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\VirusShare_64f26f341dc59ee8c340fcae3ed2b4d5.dll,#1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2180
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe C:\Users\Admin\AppData\Local\Temp\VirusShare_64f26f341dc59ee8c340fcae3ed2b4d5.dll,#1
          3⤵
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Modifies Internet Explorer Protected Mode
          • Modifies Internet Explorer Protected Mode Banner
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2172

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\PROGRA~3\asoor32ni.dat

      Filesize

      4.0MB

      MD5

      6be2c685798c55551dec6f94077659e2

      SHA1

      a4c4a1ee8c5ddcc9aaae6b4bf0f8b8be1db52374

      SHA256

      27c83bececa6498510568e7d848891b071374f362637d38825549527aa68ceb9

      SHA512

      a3d2a15dfc43f37c88c2ac4bfc8d84461a461978aec8d2d0fd3e38d47398905094b2f9b5e25df7f21465d4e5006487cd4ba92a2ce63d3b9a4a4d67b121e17a08

    • C:\PROGRA~3\in23roosa.dat

      Filesize

      30.1MB

      MD5

      cfbdf94da04a0a8fa95f39f85b1665e1

      SHA1

      6391c5648d0c16105730f65df5268f20721b9e85

      SHA256

      2e538ff4eb4835b641f15e529433e09fc2cc72f95a77e34330c63d8a12039bff

      SHA512

      1782d00c9a51f7b64a3125640994a367258ad26b70cf3be848a3551daa2374309f71822a1a1433afaece778a098071ea037554922717c6e9e72b6d8a4ad60d14

    • memory/1240-15-0x0000000002A50000-0x0000000002A51000-memory.dmp

      Filesize

      4KB

    • memory/2172-0-0x0000000000200000-0x000000000024F000-memory.dmp

      Filesize

      316KB

    • memory/2172-1-0x0000000000200000-0x000000000024F000-memory.dmp

      Filesize

      316KB

    • memory/2172-2-0x0000000000200000-0x000000000024F000-memory.dmp

      Filesize

      316KB

    • memory/2172-3-0x00000000006E0000-0x000000000072F000-memory.dmp

      Filesize

      316KB

    • memory/2172-4-0x0000000000200000-0x000000000024F000-memory.dmp

      Filesize

      316KB

    • memory/2172-19-0x0000000000200000-0x000000000024F000-memory.dmp

      Filesize

      316KB

    • memory/2172-21-0x00000000006E0000-0x000000000072F000-memory.dmp

      Filesize

      316KB