Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 125s
- max time network: 132s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 10/04/2024, 14:07
Static task
- static1
Behavioral tasks
- behavioral1: Sample Attachments.lnk, Resource win7-20240221-en
- behavioral2: Sample Attachments.lnk, Resource win10v2004-20240226-en
- behavioral3: Sample DumpStack.dll, Resource win7-20240221-en
- behavioral4: Sample DumpStack.dll, Resource win10v2004-20240226-en
General
- Target: Attachments.lnk
- Size: 1KB
- MD5: e87e52db1aa360baf8444c5524dd2b26
- SHA1: b89d0c4568c74f03ec3e1917c22a83c37409b10a
- SHA256: 6497223d35530f2e510382aa1866b83ffaf215213b8080b7ecb299b6e7e3e6b1
- SHA512: e93d7808c29ec45569382ee5bd2f50a41c0cf1c1d2cbb909d5aec2abf166f0ad87b672eaa4a1c00b28eb31faf55f1a254d8ab842bcb4d22dd750b26926e7c64a
Malware Config
(no configuration extracted)
Signatures
- Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.
- Bazar/Team9 Loader payload (1 IoC)
  resource                                                                  yara_rule
  behavioral1/memory/2576-41-0x0000000180000000-0x000000018003D000-memory.dmp  BazarLoaderVar5
  The matched region starts at 0x180000000, the default preferred image base for 64-bit DLLs, so the rule fired on a DLL image mapped inside rundll32.exe (PID 2576), not on a file on disk; a file-hash or disk-scan control would not see this hit.
- Blocklisted process makes network request (8 IoCs)
  flow  pid   Process
  3     2576  rundll32.exe
  5     2576  rundll32.exe
  6     2576  rundll32.exe
  9     2576  rundll32.exe
  10    2576  rundll32.exe
  11    2576  rundll32.exe
  13    2576  rundll32.exe
  14    2576  rundll32.exe
- Loads dropped DLL (1 IoC)
  pid   Process
  2576  rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   Process  procid_target
  PID 1628 wrote to memory of 2764  1628  cmd.exe  29
  PID 1628 wrote to memory of 2764  1628  cmd.exe  29
  PID 1628 wrote to memory of 2764  1628  cmd.exe  29
  PID 2764 wrote to memory of 2528  2764  cmd.exe  30
  PID 2764 wrote to memory of 2528  2764  cmd.exe  30
  PID 2764 wrote to memory of 2528  2764  cmd.exe  30
  PID 2764 wrote to memory of 2576  2764  cmd.exe  31
  PID 2764 wrote to memory of 2576  2764  cmd.exe  31
  PID 2764 wrote to memory of 2576  2764  cmd.exe  31
Processes
- C:\Windows\system32\cmd.exe (PID 1628)
  cmd /c C:\Users\Admin\AppData\Local\Temp\Attachments.lnk
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 2764)
    "C:\Windows\System32\cmd.exe" /c xcopy /y DumpStack.log c:\programdata\ && C:\Windows\System32\rundll32.exe C:\programdata\DumpStack.log,spload && exit
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\xcopy.exe (PID 2528)
      xcopy /y DumpStack.log c:\programdata\
    - C:\Windows\System32\rundll32.exe (PID 2576)
      C:\Windows\System32\rundll32.exe C:\programdata\DumpStack.log,spload
      - Blocklisted process makes network request
      - Loads dropped DLL

The outermost cmd /c on the .lnk is the sandbox launching the sample; the shortcut's own target is the nested cmd.exe command line. That command expects a file named DumpStack.log next to the shortcut, copies it into C:\ProgramData, and runs it through rundll32.exe by export name (spload). rundll32 loads whatever path it is given regardless of extension, so the .log name only disguises the DLL on disk; the "Loads dropped DLL" and network-request signatures on PID 2576 are where the loader actually executes.
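The chain above (shortcut, then cmd.exe, then xcopy into C:\ProgramData, then rundll32 with an export name on a .log file) is what a detection would key on. The following is an added example and not part of the tria.ge report: a small Python scanner over constructed Sysmon-style process-creation records that reproduce the PIDs and command lines of this process tree (the record layout and the benign shell32.dll control row are assumptions). It flags a rundll32 launch whose module lacks a DLL-type extension, sits in a user-writable directory, or descends from a process that was started on a .lnk file.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation records (field layout is an assumption).
# PIDs, images and command lines are those of the process tree in this report,
# plus one benign rundll32 invocation (pid 3000) as a control.
EVENTS = [
    {"pid": 1628, "ppid": 1000, "image": "C:\\Windows\\system32\\cmd.exe",
     "cmdline": "cmd /c C:\\Users\\Admin\\AppData\\Local\\Temp\\Attachments.lnk"},
    {"pid": 2764, "ppid": 1628, "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "\"C:\\Windows\\System32\\cmd.exe\" /c xcopy /y DumpStack.log c:\\programdata\\ "
                "&& C:\\Windows\\System32\\rundll32.exe C:\\programdata\\DumpStack.log,spload && exit"},
    {"pid": 2528, "ppid": 2764, "image": "C:\\Windows\\system32\\xcopy.exe",
     "cmdline": "xcopy /y DumpStack.log c:\\programdata\\"},
    {"pid": 2576, "ppid": 2764, "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "C:\\Windows\\System32\\rundll32.exe C:\\programdata\\DumpStack.log,spload"},
    {"pid": 3000, "ppid": 1000, "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},
]

# rundll32's "<module>,<export>" argument; quotes around the module path are optional.
RUNDLL32_ARG = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<module>[^",]+?)"?\s*,\s*(?P<export>[^\s"]+)', re.I)

# Directories an unprivileged user can write to; staging a loader there is the pattern above.
WRITABLE_DIRS = ("\\programdata\\", "\\users\\", "\\temp\\")
# Extensions rundll32 is normally handed; anything else is worth a look.
LOADABLE_EXTS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}


def parse_rundll32(cmdline):
    """Return (module_path, export_name) from a rundll32 command line, or None."""
    m = RUNDLL32_ARG.search(cmdline)
    return (m.group("module"), m.group("export")) if m else None


def ancestors(pid, by_pid):
    """Yield parent records by following ppid links until the chain leaves the event set."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
        if pid in by_pid:
            yield by_pid[pid]


def scan(events):
    """Return a finding per suspicious rundll32 launch, each with the reasons it matched."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "rundll32.exe":
            continue  # only the real rundll32 image, not a cmd.exe that merely mentions it
        parsed = parse_rundll32(e["cmdline"])
        if not parsed:
            continue
        module, export = parsed
        reasons = []
        ext = ntpath.splitext(module)[1].lower()
        if ext not in LOADABLE_EXTS:
            reasons.append(f"module extension {ext or '(none)'} is not a DLL-type extension")
        if any(d in module.lower() for d in WRITABLE_DIRS):
            reasons.append("module lives in a user-writable directory")
        if any(".lnk" in a["cmdline"].lower() for a in ancestors(e["pid"], by_pid)):
            reasons.append("an ancestor process was launched on a .lnk shortcut")
        if reasons:
            findings.append({"pid": e["pid"], "module": module,
                             "export": export, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"pid {f['pid']}: rundll32 {f['module']},{f['export']}")
        for r in f["reasons"]:
            print("  -", r)
```

Run against the constructed records, only PID 2576 is reported, with all three reasons; the shell32.dll control is silent. Each reason is weak on its own (rundll32 on a .cpl from ProgramData happens in legitimate installers), so in a real rule the three should be scored together rather than alerted on individually.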
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 216KB
  MD5: f948fe3f01333c0326d4dd598e4945c0
  SHA1: 70a619d1b2acbf969b44aded654d6a9257465e2b
  SHA256: f2a957f609ec57b8cbc6035629b249edc288bca6025a1e1a7c83a8ce20f7ebdb
  SHA512: 9406184548f174839dc1634b13018375afd9a34305a0810fbf18f32da44d0e77f887b192ad8c570700d94383df2d2bf3f120adf09073f3378e030bda3892f651