Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 24/02/2024, 09:53
- Static task: static1
- Behavioral task: behavioral1
- Sample: a192b8c5ee93ba20952ed6145cffed29.dll
- Resource: win7-20240221-en
General
- Target: a192b8c5ee93ba20952ed6145cffed29.dll
- Size: 2.0MB
- MD5: a192b8c5ee93ba20952ed6145cffed29
- SHA1: b2ca4c66e8e4aab00168a1a9d674c2a511e01084
- SHA256: 74a366103bafcb5151e3296c9aa9e75179e8e7b3f7bc0e9995e94e4f24ac9969
- SHA512: 74c4575331b38c35a707af51d631d561cdcddcbd44d29524bdece5d61b93679e393648502c1727c645b3209070ced2c3b525a7a5c5d00f3b40c698f4a66f6597
- SSDEEP: 12288:RVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1ad:gfP7fWsK5z9A+WGAW+V5SB6Ct4bnbad
Malware Config
Signatures
-
- resource: behavioral1/memory/1360-5-0x0000000002740000-0x0000000002741000-memory.dmp
  yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
- PID 2924: sethc.exe
- PID 2784: cmstp.exe
- PID 1676: SystemPropertiesDataExecutionPrevention.exe
Loads dropped DLL 7 IoCs
- PID 1360: Process not Found
- PID 2924: sethc.exe
- PID 1360: Process not Found
- PID 2784: cmstp.exe
- PID 1360: Process not Found
- PID 1676: SystemPropertiesDataExecutionPrevention.exe
- PID 1360: Process not Found
Adds Run key to start application 2 TTPs 1 IoCs
- Set value (str): \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dwddifi = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\kdFZ05QaA\\cmstp.exe"
  Process: Process not Found
Checks whether UAC is enabled
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Process: cmstp.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Process: SystemPropertiesDataExecutionPrevention.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Process: sethc.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
- PID 548: regsvr32.exe (3 entries)
- PID 1360: Process not Found (all remaining entries)
Suspicious use of WriteProcessMemory 18 IoCs
- PID 1360 (Process not Found) wrote to memory of PID 2540, procid_target 28 (3 entries)
- PID 1360 (Process not Found) wrote to memory of PID 2924, procid_target 29 (3 entries)
- PID 1360 (Process not Found) wrote to memory of PID 2820, procid_target 30 (3 entries)
- PID 1360 (Process not Found) wrote to memory of PID 2784, procid_target 31 (3 entries)
- PID 1360 (Process not Found) wrote to memory of PID 876, procid_target 32 (3 entries)
- PID 1360 (Process not Found) wrote to memory of PID 1676, procid_target 33 (3 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\a192b8c5ee93ba20952ed6145cffed29.dll
  PID: 548
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\sethc.exe
  Command line: C:\Windows\system32\sethc.exe
  PID: 2540
- C:\Users\Admin\AppData\Local\r2A\sethc.exe
  Command line: C:\Users\Admin\AppData\Local\r2A\sethc.exe
  PID: 2924
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\cmstp.exe
  Command line: C:\Windows\system32\cmstp.exe
  PID: 2820
- C:\Users\Admin\AppData\Local\Dg0TRe\cmstp.exe
  Command line: C:\Users\Admin\AppData\Local\Dg0TRe\cmstp.exe
  PID: 2784
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
  Command line: C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
  PID: 876
- C:\Users\Admin\AppData\Local\KQB6mceep\SystemPropertiesDataExecutionPrevention.exe
  Command line: C:\Users\Admin\AppData\Local\KQB6mceep\SystemPropertiesDataExecutionPrevention.exe
  PID: 1676
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads