Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
10/04/2024, 03:08
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0e095c3092315573dfadd39e8ca0d7f4d300f207837b8ae5f6e5412f906fbdd9.exe
Resource
win7-20240221-en
windows7-x64
16 signatures
150 seconds
Behavioral task
behavioral2
Sample
0e095c3092315573dfadd39e8ca0d7f4d300f207837b8ae5f6e5412f906fbdd9.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
16 signatures
150 seconds
General
-
Target
0e095c3092315573dfadd39e8ca0d7f4d300f207837b8ae5f6e5412f906fbdd9.exe
-
Size
403KB
-
MD5
425368e2d60f948abb74bb3cc93140da
-
SHA1
786a4092d9c50c39d28d30587ac62c9959c426e0
-
SHA256
0e095c3092315573dfadd39e8ca0d7f4d300f207837b8ae5f6e5412f906fbdd9
-
SHA512
0b7eff963a9c9ef76f300167c6abf4108cdbe25a7456fbcabce51912f26ad68c16304a00e3cf24cec9198a631f3acfeb69f482ad881c4e817f9b389ebee84196
-
SSDEEP
6144:3w9D91dOrcN3ZGXNYFNmIkYvUIelVjjVtGRyFH4g:gtRfJcNYFNm8UhlZGseg
Score
8/10
Malware Config
Signatures
-
Blocklisted process makes network request 10 IoCs
flow pid Process 3 2928 rundll32.exe 5 2928 rundll32.exe 6 2928 rundll32.exe 7 2928 rundll32.exe 8 2928 rundll32.exe 9 2928 rundll32.exe 10 2928 rundll32.exe 11 2928 rundll32.exe 13 2928 rundll32.exe 14 2928 rundll32.exe -
Deletes itself 1 IoCs
pid Process 2972 rllcd.exe -
Executes dropped EXE 1 IoCs
pid Process 2972 rllcd.exe -
Loads dropped DLL 6 IoCs
pid Process 1852 cmd.exe 1852 cmd.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\hnesk\\zbjuw.dll\",Verify" rundll32.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\j: rundll32.exe File opened (read-only) \??\s: rundll32.exe File opened (read-only) \??\r: rundll32.exe File opened (read-only) \??\t: rundll32.exe File opened (read-only) \??\w: rundll32.exe File opened (read-only) \??\b: rundll32.exe File opened (read-only) \??\e: rundll32.exe File opened (read-only) \??\h: rundll32.exe File opened (read-only) \??\n: rundll32.exe File opened (read-only) \??\p: rundll32.exe File opened (read-only) \??\z: rundll32.exe File opened (read-only) \??\x: rundll32.exe File opened (read-only) \??\y: rundll32.exe File opened (read-only) \??\g: rundll32.exe File opened (read-only) \??\k: rundll32.exe File opened (read-only) \??\m: rundll32.exe File opened (read-only) \??\o: rundll32.exe File opened (read-only) \??\u: rundll32.exe File opened (read-only) \??\a: rundll32.exe File opened (read-only) \??\i: rundll32.exe File opened (read-only) \??\l: rundll32.exe File opened (read-only) \??\q: rundll32.exe File opened (read-only) \??\v: rundll32.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 rundll32.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 2928 rundll32.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File opened for modification \??\c:\Program Files\hnesk rllcd.exe File created \??\c:\Program Files\hnesk\zbjuw.dll rllcd.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1068 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2928 rundll32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2176 0e095c3092315573dfadd39e8ca0d7f4d300f207837b8ae5f6e5412f906fbdd9.exe 2972 rllcd.exe -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 2176 wrote to memory of 1852 2176 0e095c3092315573dfadd39e8ca0d7f4d300f207837b8ae5f6e5412f906fbdd9.exe 28 PID 2176 wrote to memory of 1852 2176 0e095c3092315573dfadd39e8ca0d7f4d300f207837b8ae5f6e5412f906fbdd9.exe 28 PID 2176 wrote to memory of 1852 2176 0e095c3092315573dfadd39e8ca0d7f4d300f207837b8ae5f6e5412f906fbdd9.exe 28 PID 2176 wrote to memory of 1852 2176 0e095c3092315573dfadd39e8ca0d7f4d300f207837b8ae5f6e5412f906fbdd9.exe 28 PID 1852 wrote to memory of 1068 1852 cmd.exe 30 PID 1852 wrote to memory of 1068 1852 cmd.exe 30 PID 1852 wrote to memory of 1068 1852 cmd.exe 30 PID 1852 wrote to memory of 1068 1852 cmd.exe 30 PID 1852 wrote to memory of 2972 1852 cmd.exe 31 PID 1852 wrote to memory of 2972 1852 cmd.exe 31 PID 1852 wrote to memory of 2972 1852 cmd.exe 31 PID 1852 wrote to memory of 2972 1852 cmd.exe 31 PID 2972 wrote to memory of 2928 2972 rllcd.exe 32 PID 2972 wrote to memory of 2928 2972 rllcd.exe 32 PID 2972 wrote to memory of 2928 2972 rllcd.exe 32 PID 2972 wrote to memory of 2928 2972 rllcd.exe 32 PID 2972 wrote to memory of 2928 2972 rllcd.exe 32 PID 2972 wrote to memory of 2928 2972 rllcd.exe 32 PID 2972 wrote to memory of 2928 2972 rllcd.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\0e095c3092315573dfadd39e8ca0d7f4d300f207837b8ae5f6e5412f906fbdd9.exe"C:\Users\Admin\AppData\Local\Temp\0e095c3092315573dfadd39e8ca0d7f4d300f207837b8ae5f6e5412f906fbdd9.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\rllcd.exe "C:\Users\Admin\AppData\Local\Temp\0e095c3092315573dfadd39e8ca0d7f4d300f207837b8ae5f6e5412f906fbdd9.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- Runs ping.exe
PID:1068
-
-
C:\Users\Admin\AppData\Local\Temp\rllcd.exeC:\Users\Admin\AppData\Local\Temp\\rllcd.exe "C:\Users\Admin\AppData\Local\Temp\0e095c3092315573dfadd39e8ca0d7f4d300f207837b8ae5f6e5412f906fbdd9.exe"3⤵
- Deletes itself
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.exe "c:\Program Files\hnesk\zbjuw.dll",Verify C:\Users\Admin\AppData\Local\Temp\rllcd.exe4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2928
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
228KB
MD512573400aae9283aaf7c3febb1ac3165
SHA1b6ab29be3d227d37b7fa28be8d0109ba2a7ec83b
SHA2562827e8a81701372e69e9a0c88379c6802762e95496b1cd6eed1a0a322c780f64
SHA5121149677f1300e339c5892804c799b385c0fc4bccaf1b143d49bbb26d2bcd4f37b74d949135d047ae8830149a3445ba4786125c3859b1226d24dad4bef2b3855e
-
Filesize
404KB
MD59065e5b12fbfedc6dcc1d3462f225c8a
SHA1c8668eef0b07ff0cedf58e5e2707d7d9a608486b
SHA256d59c9559cd46d919727b47deb5277a0f45a4aa659234d101d0f641fa023f5c84
SHA512cf120d5312e5d69a0a0cf9f1bc3e3b943f2a65f8be169242cd294edd672fa2e9d89b65c08c5c566b03b2d2ac4348f04961f8b392ccd3616544f4011d8384cab6