Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 03/06/2024, 22:25
Static task: static1
Behavioral task: behavioral1
- Sample: 65170ab244bc882ca331aba981b879451cd0e91e27b78494bb5a9d6d97dba0a1.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 65170ab244bc882ca331aba981b879451cd0e91e27b78494bb5a9d6d97dba0a1.dll
- Resource: win10v2004-20240226-en
General
- Target: 65170ab244bc882ca331aba981b879451cd0e91e27b78494bb5a9d6d97dba0a1.dll
- Size: 1.1MB
- MD5: f165e88e25102d19f8f2c955686ce88d
- SHA1: cd678ad3cd82144c5861470abf4cc40820a0d831
- SHA256: 65170ab244bc882ca331aba981b879451cd0e91e27b78494bb5a9d6d97dba0a1
- SHA512: 26c3f6e797b8cc9ff0a3b9c8031d67a0e0d70b76c23da452ca92824ca0bee552b83abcc69738759d5e88f0a218d9426206e390e5a9d5e385bb165712c6de3e2e
- SSDEEP: 6144:Ni05kH9OyU2uv5SRf/FWgFgt0gqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukT4:4rHGPv5SmptZDmUWuVZkxikdXcq
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
  pid   Process
  1176  Process not Found
  "Process not Found" means the sandbox could not resolve PID 1176 to an image name. The WriteProcessMemory rows below show PID 1176 as the parent that starts PIDs 2520, 2412, 2440, 1516, 2708, 2728 and 2836, so every depth-1 process in the tree that appears without a parent descends from it.
- Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                         Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Javhf = "\"C:\\Users\\Admin\\AppData\\Roaming\\u6mF4h\\dwm.exe\""  Process not Found
  The autostart target is a dwm.exe under the user's AppData\Roaming, not C:\Windows\system32\dwm.exe (which is also started as PID 2412 in the tree below).
- Drops file in System32 directory (2 IoCs)
  description                   ioc                                   Process
  File created                  C:\Windows\system32\6834\wscript.exe  cmd.exe
  File opened for modification  C:\Windows\system32\6834\wscript.exe  cmd.exe
  This path is the /TR target of the scheduled task Lizdxxpaecrde created below, which runs it every 60 minutes with /RL highest.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  1368  schtasks.exe
- Modifies registry class (9 IoCs)
  All nine operations touch the per-user MSCFile handler under \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES (HKCU\Software\Classes), written as <SID>_CLASSES below; Process is "Process not Found" for every row.
  description      ioc
  Key created      \REGISTRY\USER\<SID>_CLASSES\MSCFile\shell\open
  Key deleted      \REGISTRY\USER\<SID>_CLASSES\MSCFile
  Key deleted      \REGISTRY\USER\<SID>_CLASSES\MSCFile\shell\open\command
  Key deleted      \REGISTRY\USER\<SID>_CLASSES\MSCFile\shell\open
  Key deleted      \REGISTRY\USER\<SID>_CLASSES\MSCFile\shell
  Key created      \REGISTRY\USER\<SID>_CLASSES\MSCFile\shell\open\command
  Key created      \REGISTRY\USER\<SID>_CLASSES\MSCFile
  Key created      \REGISTRY\USER\<SID>_CLASSES\MSCFile\shell
  Set value (str)  \REGISTRY\USER\<SID>_CLASSES\MSCFile\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\CAkcF.cmd"
  Setting a per-user MSCFile\shell\open\command and then launching eventvwr.exe (PID 2836, which spawns cmd.exe PID 2296 running CAkcF.cmd) is the Event Viewer UAC bypass: eventvwr.exe is auto-elevated and resolves the .msc handler from HKCU\Software\Classes before HKCR, so the hijacked command runs with the elevated token. The schtasks /Create ... /RL highest (PID 1368) runs inside that chain.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process            occurrences
  1920  rundll32.exe       2
  1176  Process not Found  62
- Suspicious use of WriteProcessMemory (30 IoCs)
  Each parent/child pair is reported three times; procid_target is the report's own process index and does not correspond to a PID in the tree.
  pid   Process            wrote to PID  procid_target  occurrences
  1176  Process not Found  2520          28             3
  1176  Process not Found  2412          29             3
  1176  Process not Found  2440          30             3
  1176  Process not Found  1516          32             3
  1516  cmd.exe            2584          34             3
  1176  Process not Found  2708          35             3
  1176  Process not Found  2728          36             3
  1176  Process not Found  2836          38             3
  2836  eventvwr.exe       2296          39             3
  2296  cmd.exe            1368          41             3
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe (PID 1920)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\65170ab244bc882ca331aba981b879451cd0e91e27b78494bb5a9d6d97dba0a1.dll,#1
  signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\BdeUnlockWizard.exe (PID 2520)
  command line: C:\Windows\system32\BdeUnlockWizard.exe
- C:\Windows\system32\dwm.exe (PID 2412)
  command line: C:\Windows\system32\dwm.exe
- C:\Windows\System32\cmd.exe (PID 2440)
  command line: "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\x70FRY.cmd
- C:\Windows\System32\cmd.exe (PID 1516)
  command line: "C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{0f3f26ce-e23a-888f-036b-ddb6939885d4}"
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\schtasks.exe (PID 2584)
    command line: schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{0f3f26ce-e23a-888f-036b-ddb6939885d4}"
- C:\Windows\system32\wscript.exe (PID 2708)
  command line: C:\Windows\system32\wscript.exe
- C:\Windows\System32\cmd.exe (PID 2728)
  command line: "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\lndL.cmd
  signatures: Drops file in System32 directory
- C:\Windows\System32\eventvwr.exe (PID 2836)
  command line: "C:\Windows\System32\eventvwr.exe"
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 2296)
    command line: "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\CAkcF.cmd
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe (PID 1368)
      command line: schtasks.exe /Create /F /TN "Lizdxxpaecrde" /SC minute /MO 60 /TR "C:\Windows\system32\6834\wscript.exe" /RL highest
      signatures: Creates scheduled task(s)
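The registry, schtasks and file-drop rows in this report can be checked mechanically, and the same rules transfer to registry and task-creation telemetry from a live host. The following Python is an added example, not part of the tria.ge report or of the sample: its input lines are copied from the Signatures and Processes sections above, while the rule names, the regular expressions and the choice of which directories count as user-writable are this example's own assumptions. The MSCFile rule flags a per-user MSCFile\shell\open\command because eventvwr.exe resolves that handler from HKCU before HKCR, which is what the eventvwr.exe -> cmd.exe -> schtasks.exe chain in the tree rides on.

```python
"""Mechanical checks for the persistence and elevation artefacts in this report.

Added example, not part of the tria.ge report or of the sample: the input
lines are copied from the report's Signatures and Processes sections, while
the rule names, the regexes and what counts as a user-writable directory are
this example's own assumptions.
"""
import re
from typing import Optional

# Constructed input: registry writes, schtasks command lines and a file-drop
# row taken verbatim from the report above.
REPORT_LINES = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Javhf = "\"C:\\Users\\Admin\\AppData\\Roaming\\u6mF4h\\dwm.exe\""',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\MSCFile\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\CAkcF.cmd"',
    r'schtasks.exe /Create /F /TN "Lizdxxpaecrde" /SC minute /MO 60 /TR "C:\Windows\system32\6834\wscript.exe" /RL highest',
    r'schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{0f3f26ce-e23a-888f-036b-ddb6939885d4}"',
    r'File created C:\Windows\system32\6834\wscript.exe cmd.exe',
]

# Directories a standard user can write to (assumption for this example).
USER_WRITABLE = re.compile(r'\\(?:AppData|Temp|ProgramData|Public)\\', re.IGNORECASE)
# An executable in a sub-directory of System32 rather than in System32 itself.
SYSTEM32_SUBDIR = re.compile(r'^C:\\Windows\\System32\\[^\\]+\\[^\\]+\.exe$', re.IGNORECASE)
# One 'Set value (type) <key> = "<data>"' row as the report prints it.
REG_SET = re.compile(r'^Set value \(\w+\) (?P<key>\\REGISTRY\\\S+?) = "(?P<data>.*)"$')
RUN_KEY = re.compile(r'\\CurrentVersion\\Run\\', re.IGNORECASE)
# Per-user (HKCU\Software\Classes) MSCFile open handler, the key eventvwr.exe consults.
MSCFILE_HANDLER = re.compile(r'\\REGISTRY\\USER\\[^\\]+_CLASSES\\MSCFile\\shell\\open\\command', re.IGNORECASE)
# schtasks switches: /NAME, optionally followed by a quoted or bare value.
SCHTASKS_ARG = re.compile(r'/(?P<name>[A-Za-z]+)(?:\s+(?:"(?P<quoted>[^"]*)"|(?P<bare>[^/\s]\S*)))?')


def parse_registry_set(line: str) -> Optional[tuple[str, str]]:
    """Return (key, unescaped data) for a 'Set value' row, else None."""
    m = REG_SET.match(line)
    if not m:
        return None
    # The report escapes quotes and backslashes inside the data column.
    data = m['data'].replace('\\"', '"').replace('\\\\', '\\').strip('"')
    return m['key'], data


def parse_schtasks(cmdline: str) -> dict[str, Optional[str]]:
    """Map schtasks switches (lower-cased) to their values; bare flags such as /F map to None."""
    args = {}
    for m in SCHTASKS_ARG.finditer(cmdline):
        args[m['name'].lower()] = m['quoted'] if m['quoted'] is not None else m['bare']
    return args


def triage(lines):
    """Run the rules over report rows; returns (rule, evidence) pairs in input order."""
    findings = []
    for line in lines:
        reg = parse_registry_set(line)
        if reg:
            key, data = reg
            # Autostart entry whose target lives where an unprivileged user can write.
            if RUN_KEY.search(key) and USER_WRITABLE.search(data):
                findings.append(('run_key_user_writable', data))
            # Per-user MSCFile handler set: the auto-elevated eventvwr.exe will run it.
            if MSCFILE_HANDLER.search(key):
                findings.append(('mscfile_handler_hijack', data))
            continue
        if line.lower().startswith('schtasks.exe'):
            args = parse_schtasks(line)
            target = args.get('tr') or ''
            # Highest run level combined with a target outside the normal system directories.
            if 'create' in args and (args.get('rl') or '').lower() == 'highest' and (
                    SYSTEM32_SUBDIR.match(target) or USER_WRITABLE.search(target)):
                findings.append(('task_highest_untrusted_path', target))
            continue
        m = re.match(r'^File created (?P<path>\S+)', line)
        if m and SYSTEM32_SUBDIR.match(m['path']):
            # A system-binary name planted in a fresh System32 sub-directory.
            findings.append(('system32_subdir_drop', m['path']))
    return findings


if __name__ == '__main__':
    for rule, evidence in triage(REPORT_LINES):
        print(f'{rule:28} {evidence}')
```

Run against the five rows above, triage() returns four findings, one per row except the schtasks /Delete line, which is not flagged because deleting a task is not a persistence action on its own. The rules are deliberately narrow (a task in System32 proper with /RL highest is not reported) so that the same code can be pointed at exported Run-key, Software\Classes and task-creation events from an endpoint without producing noise on every legitimate elevated task.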
Network
MITRE ATT&CK Enterprise v15
Downloads
Neither of the two 1.1MB artefacts below shares a hash with the submitted sample (MD5 f165e88e25102d19f8f2c955686ce88d).
- Filesize: 1.1MB
  MD5: 4fd7662cb85daf9fbc0121c453bbd03e
  SHA1: e7b6417d15d85b77e253f2b668cc4328f774908c
  SHA256: 8121911e37ae2e6153af15ea17595f439cbcfdb0accc4575c3002bbca54d35bf
  SHA512: 481adb6cee402be77574eeaacd123194e308d005b6439187579b7ebc3a917813859c888e52c7cb713c4258845348927a078439607ed83842c45df624d3f5a7b1
- Filesize: 131B
  MD5: c13e85d7b344eceb218f596bf58ec52e
  SHA1: 13570e0643abc4bd4e03389ea983d4ebe529edb9
  SHA256: 1565a8d7d94d5865a7d0766a5c921b353693b018eeda9bc91e4447ccf6fdc7d6
  SHA512: fc023a3f266b7f349af4e734911a81f231743183dbc588034526d55bc39079a77a7e3e7cf3bcaf1a4ca7f65dc9eefa674f169a981fec6210d65f58b10e543f6b
- Filesize: 194B
  MD5: 5704a39aa7d3e1ee7811d866a93ded45
  SHA1: af719e297a2e82c9711ec115ab53060d938e6baa
  SHA256: 8a1becfbab731a8ea7ebd903797dfd313316cd9abbfd447f204bb52c6d7be54f
  SHA512: cee897a9a2e5ec2c7ad5e81cd69397010b4861ecfe87daaedfef48dca6c7dc32d23704e3056574394f839ab1735b9bec18f3f8ff060893468cfaeac50495e279
- Filesize: 1.1MB
  MD5: a973fff335939f75f282533bc1fd24ab
  SHA1: aecdc2f586cbf922a5a74dea91d6e75bf6f2f712
  SHA256: 470f51fc83e423ccb69f4726fc63f8d06baea814971929c6b43cebbef6710e0d
  SHA512: 2ad121bf6ee15136916e90e1fc5519fb9c22cf35ddcea3895d02280962195531bfde3eb8fa7f94a71462f13d8925e45cdb23c81aa413e4f928a00beefcd1a939
- Filesize: 227B
  MD5: 377d6a8e4506542c4ff30aa96baffddb
  SHA1: cbad4f5e41e38a66a187951539e2634a373a376d
  SHA256: fada4bf0d8001d2c3ebd9554ea0c0f1e1b4630b3dd0ed6692c30b647bb787758
  SHA512: 6f2ad7d4abcd14c94eb826f920037d1b939a467653c8c186a75fe09291a3a33d9ccd4318ab381c4ec0c6a4b3645dc6f4702f208d2852404dd3830843f48e2e5b
- Filesize: 864B
  MD5: 1d1c354a99589e646f82b9e6bb7e26f0
  SHA1: dc008bd81cd27bbee4bc2d90741e58934c43c53b
  SHA256: d509cb3009937d040fc07d5c16e66dfd8adc95dfef4b1ac5637db0a57e1513bf
  SHA512: 2aa37aca069cd10bd1f52bd217c49cafd8d5965effcfa8013fa4c3a5dd2ece68be1fc3b1f280c2ec1c0da215fa3d0238eea58f3f756ad2dcbf42acc1ddc37891
- Filesize: 117KB
  MD5: f162d5f5e845b9dc352dd1bad8cef1bc
  SHA1: 35bc294b7e1f062ef5cb5fa1bd3fc942a3e37ae2
  SHA256: 8a7b7528db30ab123b060d8e41954d95913c07bb40cdae32e97f9edb0baf79c7
  SHA512: 7077e800453a4564a24af022636a2f6547bdae2c9c6f4ed080d0c98415ecc4fbf538109cbebd456e321b9b74a00613d647b63998e31925fbd841fc9d4613e851