Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
02/06/2024, 22:45
General
-
Target
6210798e6ca0e95300f15c7c12320f40906e2d27a76bc5f566d2023e4d96c3de.dll
-
Size
1.1MB
-
MD5
272c86de56ce13b606e24559924cd686
-
SHA1
74adcabba5d9e796bbd76cf5d986a75f644ce8fc
-
SHA256
6210798e6ca0e95300f15c7c12320f40906e2d27a76bc5f566d2023e4d96c3de
-
SHA512
5a75586c7a22ac1ea249615c9305c90128777ff08e9b2a626da253d946763558ca203a69ed89bb2f69ad50a1aef7206a878f0685d92063213a32348994ad548c
-
SSDEEP
6144:Mi05kH9OyU2uv5SRf/FWgFgtdgqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukTV:nrHGPv5SmpteDmUWuVZkxikdXcqNr
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 2 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 9 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 51 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\6210798e6ca0e95300f15c7c12320f40906e2d27a76bc5f566d2023e4d96c3de.dll,#11⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\DeviceDisplayObjectProvider.exeC:\Windows\system32\DeviceDisplayObjectProvider.exe1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\RUx.cmd1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{62baf7d1-2421-76c3-d64f-48bbd6001acb}"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks.exe /Delete /F /TN "User_Feed_Synchronization-{62baf7d1-2421-76c3-d64f-48bbd6001acb}"2⤵
-
-
C:\Windows\system32\dllhost.exeC:\Windows\system32\dllhost.exe1⤵
-
C:\Windows\system32\PkgMgr.exeC:\Windows\system32\PkgMgr.exe1⤵
-
C:\Windows\system32\AtBroker.exeC:\Windows\system32\AtBroker.exe1⤵
-
C:\Windows\system32\wx6deg.exeC:\Windows\system32\wx6deg.exe1⤵
-
C:\Windows\system32\DFDWiz.exeC:\Windows\system32\DFDWiz.exe1⤵
-
C:\Windows\system32\LogonUI.exeC:\Windows\system32\LogonUI.exe1⤵
-
C:\Windows\system32\rundll32.exeC:\Windows\system32\rundll32.exe1⤵
-
C:\Windows\system32\AtBroker.exeC:\Windows\system32\AtBroker.exe1⤵
-
C:\Windows\system32\javaws.exeC:\Windows\system32\javaws.exe1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\x50sw.cmd1⤵
- Drops file in System32 directory
-
C:\Windows\System32\eventvwr.exe"C:\Windows\System32\eventvwr.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\IQ7tXf6.cmd2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks.exe /Create /F /TN "Bygyxkyzdvxj" /SC minute /MO 60 /TR "C:\Windows\system32\8637\javaws.exe" /RL highest3⤵
- Creates scheduled task(s)
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD50e8b7979c52dbda503e59070ce040eea
SHA1c51ec9e78ddbe45054ef8599727002937009f173
SHA25649c6f7ec8826e23264488630424fe5d9bc7f93973c3f4b720f23d3ec157c4df9
SHA51289df9997a8c2b8d161ee765c1c50c46e29d21de9cff599f5d2c14e9639f0ab2f465b3291f3567ab56da3143f63b0a1532134d201e6cff8e434820929f49b930f
-
Filesize
129B
MD5ce0e7d5c79fc7d25ea70741d8bfe2782
SHA19461f5ac483a1587ac55ce16062e3dc9fd296cba
SHA256bac0c0325a9001820b9ae40959ebf4cc39d8dec273dd0ebfa6f8e79c67583be4
SHA51284b7a23c9943a6838fca579b8f0b874447fd41e1050baa6d47f97fd2d0ac34a53dc131de4dda1c851ac132c9792a2e9906a8f23591417e3a379f8f270ff2718b
-
Filesize
247B
MD560f4eac1d5caf7d7b20b7eb5e2140022
SHA14dfd640208a573349fbebc33661c79c7f80b7720
SHA2564a363b24b63b9b3c6f4e6f2d3e8cda799d7dabbe36152011e3d225570feb94e2
SHA512ee98f5c8095c532e16d380531a6a4985ba76a1c5e8c99a502e8b663533f2a97e625cd892f174bf6756f7367d4fd3bdcba98defdc0801ee227bc70458b248eb01
-
Filesize
1.1MB
MD56c5615d1690cc8b0c1b266958609f189
SHA1becfc2b2a59f2a9765bd4348ddbad406f551de31
SHA2568b176853eb73b0993143e8e22ae003dc9a9033106738c78fd6386547e03ec773
SHA5129c8f09fce85e9abfa690daf245524ce9778e22185abe8731ead9f0454b035d43c446479b0119e3c9db2906e0dbcba1bcd917dd2b3cb2bc9b9992f8ea948a6937
-
Filesize
192B
MD55e0feab5016f212aa20f2095351d9ae2
SHA18bbc1e25fa18578f5bdc03c7d7b5249554d9fee8
SHA2561f5c0561f4226834a491a3712168406006e124182b3f0693e2dffd0800c4b1f9
SHA512a300c97c8262a9b4f9f82408e0cccbfeb6b57f86a2b4faed151c21a804b18c01ba860fd52ebb021988ff363b9efbddb1d5db9f1c19e171d8a54cdd27b073f37c
-
Filesize
970B
MD5a3a3726cba913b0727d38ddc39f8e83e
SHA1b70f9fa9b51e4556c1088385166672d8350b7d26
SHA256c79d52a044ffc5ddd67b85cb54e7cfc04aa4d5a4f910f9167b4916a10ace49ad
SHA512ff4fe77f0e18082adc86803b24b431ce6ff29eed28fd37bbf383cadb6c880b347324bb661e24b037d9fa304a4ffc3c4ab51360a4132c747d55a9456cf8b1fce9
-
Filesize
109KB
MD57e2eb3a4ae11190ef4c8a9b9a9123234
SHA172e98687a8d28614e2131c300403c2822856e865
SHA2568481a8ec19cb656ce328c877d5817d317203ba34424a2e9d169ddce5bf2cd2b0
SHA51218b1a0637f48929972a463d441182307725ebf1410dd461a1966bd040ac5dcced138155b7c713bfc924ea2f7b39527a084a08b44fa24c3eb9c654871f99caabf
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
28KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
8KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
28KB