Overview

Task scores (the score badge shown next to each task tab in the report):
  Overview: 7
  Static: 3
  Language/Multi_ch.dll (windows7-x64): 1
  Language/Multi_ch.dll (windows10-2004-x64): 1
  Language/M...G5.dll (windows7-x64): 1
  Language/M...G5.dll (windows10-2004-x64): 1
  Language/M...GB.dll (windows7-x64): 1
  Language/M...GB.dll (windows10-2004-x64): 1
  Language/M...ng.dll (windows7-x64): 1
  Language/M...ng.dll (windows10-2004-x64): 1
  lpk.dll (windows7-x64): 7
  lpk.dll (windows10-2004-x64): 7
  setting.dll (windows7-x64): 1
  setting.dll (windows10-2004-x64): 1
  setup.exe (windows7-x64): 4
  setup.exe (windows10-2004-x64): 4

Analysis
  max time kernel: 120s
  max time network: 124s
  platform: windows7_x64
  resource: win7-20231215-en
  resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  submitted: 14/02/2024, 01:45
Static task: static1

Behavioral tasks (task, sample, resource):
  behavioral1    Language/Multi_ch.dll        win7-20231129-en
  behavioral2    Language/Multi_ch.dll        win10v2004-20231215-en
  behavioral3    Language/Multi_ch_BIG5.dll   win7-20231215-en
  behavioral4    Language/Multi_ch_BIG5.dll   win10v2004-20231222-en
  behavioral5    Language/Multi_ch_GB.dll     win7-20231129-en
  behavioral6    Language/Multi_ch_GB.dll     win10v2004-20231215-en
  behavioral7    Language/Multi_eng.dll       win7-20231215-en
  behavioral8    Language/Multi_eng.dll       win10v2004-20231215-en
  behavioral9    lpk.dll                      win7-20231215-en
  behavioral10   lpk.dll                      win10v2004-20231215-en
  behavioral11   setting.dll                  win7-20231215-en
  behavioral12   setting.dll                  win10v2004-20231215-en
  behavioral13   setup.exe                    win7-20231129-en
  behavioral14   setup.exe                    win10v2004-20231222-en
General
  Target: lpk.dll
  Size: 45KB
  MD5: 253047ba1fb3f5780f656e42468a98b6
  SHA1: 41df12eff92915354f6870ece0fe09c03e96eaa4
  SHA256: 5ab6d1bc176cc636e82dca6c557c49d06f06016d829aca6cec4761624231ce6d
  SHA512: 1866f515851eaa71c4213a4680f239b88b38e88371a3414e3f7079321b740e45fa36c96304eb55e09c16a83532b4fa4c466f5fd3bf947e46cfcd8cb4c96b6dc3
  SSDEEP: 768:tojY9P93amUkTe2uVf8VPZUpRwqK8RPRDUbojyH6ojY9P:Ym1a9iexVfevagojyHDm
Malware Config

Signatures
- Executes dropped EXE (2 IoCs)
    pid    Process
    1052   hrl83D0.tmp
    1168   rifzsk.exe
- Loads dropped DLL (2 IoCs)
    pid    Process
    1276   rundll32.exe
    1276   rundll32.exe
- Drops file in System32 directory (2 IoCs)
    description                    ioc                              Process
    File created                   C:\Windows\SysWOW64\rifzsk.exe   hrl83D0.tmp
    File opened for modification   C:\Windows\SysWOW64\rifzsk.exe   hrl83D0.tmp
- Suspicious use of SetThreadContext (1 IoC)
    description                              pid    Process      procid_target
    PID 1168 set thread context of 2740      1168   rifzsk.exe   31
- Suspicious use of WriteProcessMemory (17 IoCs)
    description                              pid    Process        procid_target
    PID 1700 wrote to memory of 1276         1700   rundll32.exe   28
    PID 1700 wrote to memory of 1276         1700   rundll32.exe   28
    PID 1700 wrote to memory of 1276         1700   rundll32.exe   28
    PID 1700 wrote to memory of 1276         1700   rundll32.exe   28
    PID 1700 wrote to memory of 1276         1700   rundll32.exe   28
    PID 1700 wrote to memory of 1276         1700   rundll32.exe   28
    PID 1700 wrote to memory of 1276         1700   rundll32.exe   28
    PID 1276 wrote to memory of 1052         1276   rundll32.exe   29
    PID 1276 wrote to memory of 1052         1276   rundll32.exe   29
    PID 1276 wrote to memory of 1052         1276   rundll32.exe   29
    PID 1276 wrote to memory of 1052         1276   rundll32.exe   29
    PID 1168 wrote to memory of 2740         1168   rifzsk.exe     31
    PID 1168 wrote to memory of 2740         1168   rifzsk.exe     31
    PID 1168 wrote to memory of 2740         1168   rifzsk.exe     31
    PID 1168 wrote to memory of 2740         1168   rifzsk.exe     31
    PID 1168 wrote to memory of 2740         1168   rifzsk.exe     31
    PID 1168 wrote to memory of 2740         1168   rifzsk.exe     31
Processes (process tree; image path, command line, PID and matched signatures)
- C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\lpk.dll,#1
    PID: 1700
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
        Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\lpk.dll,#1
        PID: 1276
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\hrl83D0.tmp
            Command line: C:\Users\Admin\AppData\Local\Temp\hrl83D0.tmp
            PID: 1052
            - Executes dropped EXE
            - Drops file in System32 directory
- C:\Windows\SysWOW64\rifzsk.exe
    Command line: C:\Windows\SysWOW64\rifzsk.exe
    PID: 1168
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe
        Command line: svchost.exe
        PID: 2740
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 37KB
  MD5: e90d8273d9f418adc5c2cb4e1e995559
  SHA1: e7dff32bc9671d85e347415f5d5011acdd8aa9e6
  SHA256: 514319a4883c27820f1f08581aa3a0853643015ee0f4ec742739c118b327bdb1
  SHA512: 1dbf053d564039ca8c80f7fd6989dbdb42b191da6bbd70c97f81f41567891d6672910dd9c736a32146c896e2159677b41b3e46007ce70d9d4d9ea223a6b8a6d7