Analysis
  max time kernel:  121s
  max time network: 125s
  platform:         windows7_x64
  resource:         win7-20240221-en
  resource tags:    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted:        08/03/2024, 05:05
Static task: static1

Behavioral task: behavioral1
  Sample:   d70c173e0cdff573b0b5f2f399e27ace8ada4b623b06a8dde9904b752d5a3a7c.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample:   d70c173e0cdff573b0b5f2f399e27ace8ada4b623b06a8dde9904b752d5a3a7c.exe
  Resource: win10-20240221-en
General
  Target: d70c173e0cdff573b0b5f2f399e27ace8ada4b623b06a8dde9904b752d5a3a7c.exe
  Size:   3.0MB
  MD5:    27135a6db76ba20123d58fb984693e58
  SHA1:   11393be585455865658a742fe2b5e0667a555cef
  SHA256: d70c173e0cdff573b0b5f2f399e27ace8ada4b623b06a8dde9904b752d5a3a7c
  SHA512: 9e54b8326e69b40b33bed740ad78dc85bb457f432ea2f07cb279bfc4f73942de777e1a1709e0cdc18faef2fcea90cf1e54235049215e2ee950e8ad1d72dc5627
  SSDEEP: 49152:anGImUDdO7RNgwAFpg3eWE7dHAzXBI6+ZEfs5fHpmXCUArYsxxrguA0BwJpwP0ep:aGIDdaRNgwAuH076mEfGp3xrYMxrguRZ
Signatures

  Loads dropped DLL (8 IoCs)
    pid   process
    3068  rundll32.exe
    3068  rundll32.exe
    3068  rundll32.exe
    3068  rundll32.exe
    1920  rundll32.exe
    1920  rundll32.exe
    1920  rundll32.exe
    1920  rundll32.exe

  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).

  Suspicious use of WriteProcessMemory (22 IoCs)
    description                        pid   process                                                                   procid_target
    PID 2360 wrote to memory of 2112   2360  d70c173e0cdff573b0b5f2f399e27ace8ada4b623b06a8dde9904b752d5a3a7c.exe   28
    PID 2360 wrote to memory of 2112   2360  d70c173e0cdff573b0b5f2f399e27ace8ada4b623b06a8dde9904b752d5a3a7c.exe   28
    PID 2360 wrote to memory of 2112   2360  d70c173e0cdff573b0b5f2f399e27ace8ada4b623b06a8dde9904b752d5a3a7c.exe   28
    PID 2360 wrote to memory of 2112   2360  d70c173e0cdff573b0b5f2f399e27ace8ada4b623b06a8dde9904b752d5a3a7c.exe   28
    PID 2112 wrote to memory of 3068   2112  control.exe                                                               29
    PID 2112 wrote to memory of 3068   2112  control.exe                                                               29
    PID 2112 wrote to memory of 3068   2112  control.exe                                                               29
    PID 2112 wrote to memory of 3068   2112  control.exe                                                               29
    PID 2112 wrote to memory of 3068   2112  control.exe                                                               29
    PID 2112 wrote to memory of 3068   2112  control.exe                                                               29
    PID 2112 wrote to memory of 3068   2112  control.exe                                                               29
    PID 3068 wrote to memory of 1140   3068  rundll32.exe                                                              32
    PID 3068 wrote to memory of 1140   3068  rundll32.exe                                                              32
    PID 3068 wrote to memory of 1140   3068  rundll32.exe                                                              32
    PID 3068 wrote to memory of 1140   3068  rundll32.exe                                                              32
    PID 1140 wrote to memory of 1920   1140  RunDll32.exe                                                              33
    PID 1140 wrote to memory of 1920   1140  RunDll32.exe                                                              33
    PID 1140 wrote to memory of 1920   1140  RunDll32.exe                                                              33
    PID 1140 wrote to memory of 1920   1140  RunDll32.exe                                                              33
    PID 1140 wrote to memory of 1920   1140  RunDll32.exe                                                              33
    PID 1140 wrote to memory of 1920   1140  RunDll32.exe                                                              33
    PID 1140 wrote to memory of 1920   1140  RunDll32.exe                                                              33
Processes (parent-to-child tree, one level of indentation per depth)

  C:\Users\Admin\AppData\Local\Temp\d70c173e0cdff573b0b5f2f399e27ace8ada4b623b06a8dde9904b752d5a3a7c.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\d70c173e0cdff573b0b5f2f399e27ace8ada4b623b06a8dde9904b752d5a3a7c.exe"
    PID: 2360
    signatures: Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\control.exe
      command line: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\EPGv1V5L.cPL",
      PID: 2112
      signatures: Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\rundll32.exe
        command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\EPGv1V5L.cPL",
        PID: 3068
        signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory

        C:\Windows\system32\RunDll32.exe
          command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\EPGv1V5L.cPL",
          PID: 1140
          signatures: Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\rundll32.exe
            command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\EPGv1V5L.cPL",
            PID: 1920
            signatures: Loads dropped DLL
Downloads
  Filesize: 2.8MB
  MD5:      d3f45a11db0366d9983929c1940bc5f6
  SHA1:     a53a7a65351701477fae66013bdcc86ab600a0b1
  SHA256:   21e2e0ae114c5303beea700aacba6699be358ba6411ad0649e13090390f03cb2
  SHA512:   9d60a027abc35fa1cc5a62c4622d855c0565b1c1766b768dd681356406dcac1576aabaca4a80fb38a0c3e9727a815c01b0c80c74caa5e4c4d05cda7e3a3395e3