Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 06/03/2024, 08:08
Behavioral task behavioral1
Sample: b6effd527b53cdea520eb568180e71c0.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: b6effd527b53cdea520eb568180e71c0.exe
Resource: win10v2004-20240226-en
General
Target: b6effd527b53cdea520eb568180e71c0.exe
Size: 46KB
MD5: b6effd527b53cdea520eb568180e71c0
SHA1: 354b50d9833a3344c4e9b2ee15ef4ea2af37b7b1
SHA256: 079589aa1f1fedadb65aa037a5c59fb7accef0471a61c3bed04355aa3d45548b
SHA512: c032792120375c550d84d8f633a46d3cd1402009e8f51b325d71bfb48fa3c81eedb19073e0860f3265f5b9d61e9d2b697b132b1aa1ab84aac0463f9a73e3cbf9
SSDEEP: 768:mQxsLTveMukvbY96eIzfEmMEzxm1g/WQxqwdS5PMA97iBthFxLxKiDjq:SuMj065xJeQxqWS5PMSwDV5jq
Malware Config
Signatures
Deletes itself (1 IoC)
pid   Process
1852  rundll32.exe

Loads dropped DLL (8 IoCs)
pid   Process
2352  rundll32.exe
1852  rundll32.exe
2352  rundll32.exe
1768  rundll32.exe
1768  rundll32.exe
1768  rundll32.exe
1768  rundll32.exe
1768  rundll32.exe

YARA rule matches
resource                                                                   yara_rule
behavioral1/memory/756-0-0x0000000000400000-0x000000000061E000-memory.dmp  upx
behavioral1/memory/756-7-0x0000000000400000-0x000000000061E000-memory.dmp  upx

Drops file in System32 directory (1 IoC)
description   ioc                               Process
File created  C:\Windows\SysWOW64\whhfd008.ocx  b6effd527b53cdea520eb568180e71c0.exe

Drops file in Program Files directory (4 IoCs)
description                   ioc                                           Process
File created                  C:\Program Files\Common Files\whh34001.ocx    b6effd527b53cdea520eb568180e71c0.exe
File opened for modification  C:\Program Files\Common Files\whh34001.ocx    b6effd527b53cdea520eb568180e71c0.exe
File created                  C:\Program Files\Common Files\0F761EC7ce.dll  b6effd527b53cdea520eb568180e71c0.exe
File opened for modification  C:\Program Files\Common Files\0F761EC7ce.dll  b6effd527b53cdea520eb568180e71c0.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid   Process
1852  rundll32.exe
1852  rundll32.exe
1852  rundll32.exe
1852  rundll32.exe
1852  rundll32.exe
1852  rundll32.exe

Suspicious behavior: LoadsDriver (2 IoCs)
pid   Process
1768  rundll32.exe
480   Process not Found

Suspicious use of AdjustPrivilegeToken (1 IoC)
description                   pid   Process
Token: SeLoadDriverPrivilege  1768  rundll32.exe

Suspicious use of WriteProcessMemory (21 IoCs)
description                      pid  Process                               procid_target
PID 756 wrote to memory of 2352  756  b6effd527b53cdea520eb568180e71c0.exe  28
PID 756 wrote to memory of 2352  756  b6effd527b53cdea520eb568180e71c0.exe  28
PID 756 wrote to memory of 2352  756  b6effd527b53cdea520eb568180e71c0.exe  28
PID 756 wrote to memory of 2352  756  b6effd527b53cdea520eb568180e71c0.exe  28
PID 756 wrote to memory of 2352  756  b6effd527b53cdea520eb568180e71c0.exe  28
PID 756 wrote to memory of 2352  756  b6effd527b53cdea520eb568180e71c0.exe  28
PID 756 wrote to memory of 2352  756  b6effd527b53cdea520eb568180e71c0.exe  28
PID 756 wrote to memory of 1768  756  b6effd527b53cdea520eb568180e71c0.exe  29
PID 756 wrote to memory of 1768  756  b6effd527b53cdea520eb568180e71c0.exe  29
PID 756 wrote to memory of 1768  756  b6effd527b53cdea520eb568180e71c0.exe  29
PID 756 wrote to memory of 1768  756  b6effd527b53cdea520eb568180e71c0.exe  29
PID 756 wrote to memory of 1768  756  b6effd527b53cdea520eb568180e71c0.exe  29
PID 756 wrote to memory of 1768  756  b6effd527b53cdea520eb568180e71c0.exe  29
PID 756 wrote to memory of 1768  756  b6effd527b53cdea520eb568180e71c0.exe  29
PID 756 wrote to memory of 1852  756  b6effd527b53cdea520eb568180e71c0.exe  30
PID 756 wrote to memory of 1852  756  b6effd527b53cdea520eb568180e71c0.exe  30
PID 756 wrote to memory of 1852  756  b6effd527b53cdea520eb568180e71c0.exe  30
PID 756 wrote to memory of 1852  756  b6effd527b53cdea520eb568180e71c0.exe  30
PID 756 wrote to memory of 1852  756  b6effd527b53cdea520eb568180e71c0.exe  30
PID 756 wrote to memory of 1852  756  b6effd527b53cdea520eb568180e71c0.exe  30
PID 756 wrote to memory of 1852  756  b6effd527b53cdea520eb568180e71c0.exe  30
Processes
C:\Users\Admin\AppData\Local\Temp\b6effd527b53cdea520eb568180e71c0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b6effd527b53cdea520eb568180e71c0.exe"
  PID: 756
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  Child processes:
    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe "C:\Windows\system32\whhfd008.ocx" pfjieaoidjglkajd
      PID: 2352
      - Loads dropped DLL
    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe "C:\Program Files\Common Files\0F761EC7ce.dll" m3
      PID: 1768
      - Loads dropped DLL
      - Suspicious behavior: LoadsDriver
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe "C:\Program Files\Common Files\whh34001.ocx" pfjaoidjglkajd C:\Users\Admin\AppData\Local\Temp\b6effd527b53cdea520eb568180e71c0.exe
      PID: 1852
      - Deletes itself
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 10KB
MD5: f1f49fb85ab029ad86c02ebecb892b12
SHA1: 664a602f8e843218c1158571714cd0adee1da939
SHA256: f8f3abcf8d43377b49d1edce23a667c9efd9cde86e9afee228e8c3b093013f13
SHA512: 600810f5a23067afb483b2fb5cd980c817d1b79da7fd7c5183a2d76f3546c514256f5536791abd4ed4b949518c63ab7c55df3e9b9109df2681fd3df10dbd2673

Filesize: 63KB
MD5: 894cf09341b081609775a57ae205117f
SHA1: cf3604eaad83596024536b324cc4f0aef4d0a084
SHA256: 6a45fb2ba35fa038839996cb6ba47001a1109a9ae1765812003b579bc0c9829d
SHA512: 80bb45f331586f742b56239695e7e7304647c39cc09339459f2315ff88e05609f27637aea13120b5254b978ef9047513f36d7d2df69d013022d698879bf5bf45

Filesize: 14KB
MD5: 731659d09654891912ac223e20cd10ab
SHA1: 13cee04adc7b09ef1c0c6b9abc02d0c7bc02a071
SHA256: 672639ce00081bdd6b6ee69e1bc816d0b353ed9713b5a21bac6009907daf3d3b
SHA512: e2b63a180ff6a9ef523f21a9afe9f71f612f617fbab5b791f763c8bccab14d8cb1986729fadba4bc5f29fe9813766bcb88168018f8c6571ec72efc69639f1116