Analysis

  • max time kernel
    121s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/03/2024, 05:05

General

  • Target

    d70c173e0cdff573b0b5f2f399e27ace8ada4b623b06a8dde9904b752d5a3a7c.exe

  • Size

    3.0MB

  • MD5

    27135a6db76ba20123d58fb984693e58

  • SHA1

    11393be585455865658a742fe2b5e0667a555cef

  • SHA256

    d70c173e0cdff573b0b5f2f399e27ace8ada4b623b06a8dde9904b752d5a3a7c

  • SHA512

    9e54b8326e69b40b33bed740ad78dc85bb457f432ea2f07cb279bfc4f73942de777e1a1709e0cdc18faef2fcea90cf1e54235049215e2ee950e8ad1d72dc5627

  • SSDEEP

    49152:anGImUDdO7RNgwAFpg3eWE7dHAzXBI6+ZEfs5fHpmXCUArYsxxrguA0BwJpwP0ep:aGIDdaRNgwAuH076mEfGp3xrYMxrguRZ

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d70c173e0cdff573b0b5f2f399e27ace8ada4b623b06a8dde9904b752d5a3a7c.exe
    "C:\Users\Admin\AppData\Local\Temp\d70c173e0cdff573b0b5f2f399e27ace8ada4b623b06a8dde9904b752d5a3a7c.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Windows\SysWOW64\control.exe
      "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\EPGv1V5L.cPL",
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2112
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\EPGv1V5L.cPL",
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:3068
        • C:\Windows\system32\RunDll32.exe
          C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\EPGv1V5L.cPL",
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1140
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\EPGv1V5L.cPL",
            5⤵
            • Loads dropped DLL
            PID:1920

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\EPGv1V5L.cPL

    Filesize

    2.8MB

    MD5

    d3f45a11db0366d9983929c1940bc5f6

    SHA1

    a53a7a65351701477fae66013bdcc86ab600a0b1

    SHA256

    21e2e0ae114c5303beea700aacba6699be358ba6411ad0649e13090390f03cb2

    SHA512

    9d60a027abc35fa1cc5a62c4622d855c0565b1c1766b768dd681356406dcac1576aabaca4a80fb38a0c3e9727a815c01b0c80c74caa5e4c4d05cda7e3a3395e3

  • memory/1920-25-0x0000000000180000-0x0000000000186000-memory.dmp

    Filesize

    24KB

  • memory/1920-36-0x00000000027A0000-0x00000000028A8000-memory.dmp

    Filesize

    1.0MB

  • memory/1920-35-0x00000000027A0000-0x00000000028A8000-memory.dmp

    Filesize

    1.0MB

  • memory/1920-33-0x00000000027A0000-0x00000000028A8000-memory.dmp

    Filesize

    1.0MB

  • memory/1920-31-0x0000000002670000-0x0000000002794000-memory.dmp

    Filesize

    1.1MB

  • memory/3068-14-0x00000000025D0000-0x00000000026F4000-memory.dmp

    Filesize

    1.1MB

  • memory/3068-19-0x0000000002700000-0x0000000002808000-memory.dmp

    Filesize

    1.0MB

  • memory/3068-18-0x0000000002700000-0x0000000002808000-memory.dmp

    Filesize

    1.0MB

  • memory/3068-16-0x0000000002700000-0x0000000002808000-memory.dmp

    Filesize

    1.0MB

  • memory/3068-15-0x0000000002700000-0x0000000002808000-memory.dmp

    Filesize

    1.0MB

  • memory/3068-9-0x0000000010000000-0x00000000102CA000-memory.dmp

    Filesize

    2.8MB

  • memory/3068-8-0x0000000000110000-0x0000000000116000-memory.dmp

    Filesize

    24KB