Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
02/06/2024, 19:51
General
-
Target
235af3de0ac763c04428d827b5ee59e3f733951050137af6d6b6bba90d338c80.dll
-
Size
568KB
-
MD5
3d366c8734bf744294f50fe9aac17b1b
-
SHA1
e3765ed57be72a40a29d881ace7aaa18a0211b16
-
SHA256
235af3de0ac763c04428d827b5ee59e3f733951050137af6d6b6bba90d338c80
-
SHA512
81903034b3e88613d26807122d52f6a7614ae475ed5310a47d4fc23319adc9311dbd3b649d23b168e35e28f4d7277896beac6b53f8d7337490cb02ae77538b94
-
SSDEEP
6144:ei05kH9OyU2uv5SRf/FWgFgtBgqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukT4:xrHGPv5Smpt6DmUWuVZkxikdXcq
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 2 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 9 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\235af3de0ac763c04428d827b5ee59e3f733951050137af6d6b6bba90d338c80.dll,#11⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\SystemPropertiesHardware.exeC:\Windows\system32\SystemPropertiesHardware.exe1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\ApT.cmd1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{33819f3b-2f8d-cfcb-0a23-a942879f9636}"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks.exe /Delete /F /TN "User_Feed_Synchronization-{33819f3b-2f8d-cfcb-0a23-a942879f9636}"2⤵
-
-
C:\Windows\system32\Eap3Host.exeC:\Windows\system32\Eap3Host.exe1⤵
-
C:\Windows\system32\cleanmgr.exeC:\Windows\system32\cleanmgr.exe1⤵
-
C:\Windows\system32\dinotify.exeC:\Windows\system32\dinotify.exe1⤵
-
C:\Windows\system32\mblctr.exeC:\Windows\system32\mblctr.exe1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\gUmd.cmd1⤵
- Drops file in System32 directory
-
C:\Windows\System32\eventvwr.exe"C:\Windows\System32\eventvwr.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\ajoFVk.cmd2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks.exe /Create /F /TN "Vmvmshnity" /SC minute /MO 60 /TR "C:\Windows\system32\9420\mblctr.exe" /RL highest3⤵
- Creates scheduled task(s)
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
246B
MD51a86633896574e3958f8e3915a7eafa5
SHA1a8adea8aa8d1485141463518637637f7179e1f52
SHA256d7f5dfaaf0bff0288436a368f9470201e8510230a36ea5217300af49a84d65d1
SHA5126c6966a981725c8328aea5fea8213de55d05b2b783d5e19d7f3925d156514cfcd18fb6e4f0c32472e3cd113ad5a28f65ca9ed1869c9b0d627d18fc1b3ed99269
-
Filesize
572KB
MD5cd1b6dc75a07f13c5ae9dfd70252f457
SHA1f580a983d99c64169e9193e6b357fa55056cb41b
SHA2567853d6041db3aaf540fe03eee3b947805283ddfd8229345109aca9ac761750d3
SHA5129650e9aea6ba6c39fdc9c4f52680755192ab212bbc3a67f2de79b5f9b95b030f0961dc0c6f3b34378a52b15bbc5328424a7edb766fc90262e076c201f002d015
-
Filesize
127B
MD57f0aafe4727c9906f2190cbcfef9ac1f
SHA11d179a585e97e038a5c3d6d143ee62a4a7f2d852
SHA2563172ba7aa9ea51ec397809714ee2712c2421138f286c83d0204bc7e959714739
SHA512e8d62ba260a663b70dd415d92b80e75850b6b566b46994f67f2b600a96404c5e3eece4fbaa2eb6fceb6cb795102ef1d8955b2d1e453846df255adc1fe33de7be
-
Filesize
189B
MD5f78f42b6ccee105c3d2cd40f890be476
SHA1699ea35440f1ea0b59a36624cb6c1e5a4ca9bb60
SHA2560546ef899a0bd82fb615c7b4d99f2ecd278a9d8172b95eda371b669cd1dbc4ae
SHA51213edfca0ecb455f31f3ca03f3c20aeb27b6c9aaff20fc8526ce9fa67ed7e52b8836d9709104fb9f517b8c2e419bbb2b4cc53a70bf6b2c594d8ceae471bc2453c
-
Filesize
572KB
MD58ef5cd6fa68231a966d8ac87c27519c5
SHA1813bb9d6fd9fbbbcce4ed06310f1b2d26d31a8c5
SHA256026a1456a73232263a4abd028c7d8aef21117551ed1006cbd0c9faabde39ddbe
SHA512397d3c227444a2cd58706375835a847a23616bb15c64cc5f25542e018c9b0f25e5dd3797a607ea2531ab20653196a89517696da6faf27c440825effcc8921df1
-
Filesize
966B
MD5f010b4c892fa05c19220297eff279fbd
SHA1746c7791210d1e9bded31624bd803d0c3c454b98
SHA256b29aa4d17d38fe312f7fa81ddca953b20c31da7df8dfae428edd4ba6a17e8c7c
SHA51247605911a84a199436889c69ff570bcffe221be27b9ddb5f165989dd8a3582130d9fca4419e48491a664a48f445849d143809c5ad341c604a3877fb1a36a2bc9
-
Filesize
80KB
MD5c63d722641c417764247f683f9fb43be
SHA1948ec61ebf241c4d80efca3efdfc33fe746e3b98
SHA2564759296b421d60c80db0bb112a30425e04883900374602e13ed97f7c03a49df2
SHA5127223d1c81a4785ed790ec2303d5d9d7ebcae9404d7bf173b3145e51202564de9977e94ac10ab80c6fe49b5f697af3ec70dfd922a891915e8951b5a1b5841c8be
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
4KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
28KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
4KB
-
Filesize
568KB
-
Filesize
8KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
568KB
-
Filesize
28KB
-
Filesize
568KB