Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/06/2024, 22:25

General

  • Target

    65170ab244bc882ca331aba981b879451cd0e91e27b78494bb5a9d6d97dba0a1.dll

  • Size

    1.1MB

  • MD5

    f165e88e25102d19f8f2c955686ce88d

  • SHA1

    cd678ad3cd82144c5861470abf4cc40820a0d831

  • SHA256

    65170ab244bc882ca331aba981b879451cd0e91e27b78494bb5a9d6d97dba0a1

  • SHA512

    26c3f6e797b8cc9ff0a3b9c8031d67a0e0d70b76c23da452ca92824ca0bee552b83abcc69738759d5e88f0a218d9426206e390e5a9d5e385bb165712c6de3e2e

  • SSDEEP

    6144:Ni05kH9OyU2uv5SRf/FWgFgt0gqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukT4:4rHGPv5SmptZDmUWuVZkxikdXcq

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\65170ab244bc882ca331aba981b879451cd0e91e27b78494bb5a9d6d97dba0a1.dll,#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1920
  • C:\Windows\system32\BdeUnlockWizard.exe
    C:\Windows\system32\BdeUnlockWizard.exe
    1⤵
    PID:2520
  • C:\Windows\system32\dwm.exe
    C:\Windows\system32\dwm.exe
    1⤵
    PID:2412
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\x70FRY.cmd
    1⤵
    PID:2440
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{0f3f26ce-e23a-888f-036b-ddb6939885d4}"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1516
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{0f3f26ce-e23a-888f-036b-ddb6939885d4}"
      2⤵
      PID:2584
  • C:\Windows\system32\wscript.exe
    C:\Windows\system32\wscript.exe
    1⤵
    PID:2708
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\lndL.cmd
    1⤵
    • Drops file in System32 directory
    PID:2728
  • C:\Windows\System32\eventvwr.exe
    "C:\Windows\System32\eventvwr.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2836
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\CAkcF.cmd
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2296
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /Create /F /TN "Lizdxxpaecrde" /SC minute /MO 60 /TR "C:\Windows\system32\6834\wscript.exe" /RL highest
        3⤵
        • Creates scheduled task(s)
        PID:1368

Network

MITRE ATT&CK Enterprise v15


Downloads

            • C:\Users\Admin\AppData\Local\Temp\93237.tmp

              Filesize

              1.1MB

              MD5

              4fd7662cb85daf9fbc0121c453bbd03e

              SHA1

              e7b6417d15d85b77e253f2b668cc4328f774908c

              SHA256

              8121911e37ae2e6153af15ea17595f439cbcfdb0accc4575c3002bbca54d35bf

              SHA512

              481adb6cee402be77574eeaacd123194e308d005b6439187579b7ebc3a917813859c888e52c7cb713c4258845348927a078439607ed83842c45df624d3f5a7b1

            • C:\Users\Admin\AppData\Local\Temp\CAkcF.cmd

              Filesize

              131B

              MD5

              c13e85d7b344eceb218f596bf58ec52e

              SHA1

              13570e0643abc4bd4e03389ea983d4ebe529edb9

              SHA256

              1565a8d7d94d5865a7d0766a5c921b353693b018eeda9bc91e4447ccf6fdc7d6

              SHA512

              fc023a3f266b7f349af4e734911a81f231743183dbc588034526d55bc39079a77a7e3e7cf3bcaf1a4ca7f65dc9eefa674f169a981fec6210d65f58b10e543f6b

            • C:\Users\Admin\AppData\Local\Temp\lndL.cmd

              Filesize

              194B

              MD5

              5704a39aa7d3e1ee7811d866a93ded45

              SHA1

              af719e297a2e82c9711ec115ab53060d938e6baa

              SHA256

              8a1becfbab731a8ea7ebd903797dfd313316cd9abbfd447f204bb52c6d7be54f

              SHA512

              cee897a9a2e5ec2c7ad5e81cd69397010b4861ecfe87daaedfef48dca6c7dc32d23704e3056574394f839ab1735b9bec18f3f8ff060893468cfaeac50495e279

            • C:\Users\Admin\AppData\Local\Temp\t2y32A5.tmp

              Filesize

              1.1MB

              MD5

              a973fff335939f75f282533bc1fd24ab

              SHA1

              aecdc2f586cbf922a5a74dea91d6e75bf6f2f712

              SHA256

              470f51fc83e423ccb69f4726fc63f8d06baea814971929c6b43cebbef6710e0d

              SHA512

              2ad121bf6ee15136916e90e1fc5519fb9c22cf35ddcea3895d02280962195531bfde3eb8fa7f94a71462f13d8925e45cdb23c81aa413e4f928a00beefcd1a939

            • C:\Users\Admin\AppData\Local\Temp\x70FRY.cmd

              Filesize

              227B

              MD5

              377d6a8e4506542c4ff30aa96baffddb

              SHA1

              cbad4f5e41e38a66a187951539e2634a373a376d

              SHA256

              fada4bf0d8001d2c3ebd9554ea0c0f1e1b4630b3dd0ed6692c30b647bb787758

              SHA512

              6f2ad7d4abcd14c94eb826f920037d1b939a467653c8c186a75fe09291a3a33d9ccd4318ab381c4ec0c6a4b3645dc6f4702f208d2852404dd3830843f48e2e5b

            • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Javhf.lnk

              Filesize

              864B

              MD5

              1d1c354a99589e646f82b9e6bb7e26f0

              SHA1

              dc008bd81cd27bbee4bc2d90741e58934c43c53b

              SHA256

              d509cb3009937d040fc07d5c16e66dfd8adc95dfef4b1ac5637db0a57e1513bf

              SHA512

              2aa37aca069cd10bd1f52bd217c49cafd8d5965effcfa8013fa4c3a5dd2ece68be1fc3b1f280c2ec1c0da215fa3d0238eea58f3f756ad2dcbf42acc1ddc37891

            • \Users\Admin\AppData\Roaming\u6mF4h\dwm.exe

              Filesize

              117KB

              MD5

              f162d5f5e845b9dc352dd1bad8cef1bc

              SHA1

              35bc294b7e1f062ef5cb5fa1bd3fc942a3e37ae2

              SHA256

              8a7b7528db30ab123b060d8e41954d95913c07bb40cdae32e97f9edb0baf79c7

              SHA512

              7077e800453a4564a24af022636a2f6547bdae2c9c6f4ed080d0c98415ecc4fbf538109cbebd456e321b9b74a00613d647b63998e31925fbd841fc9d4613e851

            • memory/1176-19-0x0000000140000000-0x0000000140112000-memory.dmp

              Filesize

              1.1MB

            • memory/1176-15-0x0000000140000000-0x0000000140112000-memory.dmp

              Filesize

              1.1MB

            • memory/1176-13-0x0000000140000000-0x0000000140112000-memory.dmp

              Filesize

              1.1MB

            • memory/1176-16-0x0000000140000000-0x0000000140112000-memory.dmp

              Filesize

              1.1MB

            • memory/1176-35-0x0000000140000000-0x0000000140112000-memory.dmp

              Filesize

              1.1MB

            • memory/1176-28-0x0000000002E10000-0x0000000002E17000-memory.dmp

              Filesize

              28KB

            • memory/1176-26-0x0000000140000000-0x0000000140112000-memory.dmp

              Filesize

              1.1MB

            • memory/1176-25-0x0000000140000000-0x0000000140112000-memory.dmp

              Filesize

              1.1MB

            • memory/1176-24-0x0000000140000000-0x0000000140112000-memory.dmp

              Filesize

              1.1MB

            • memory/1176-22-0x0000000140000000-0x0000000140112000-memory.dmp

              Filesize

              1.1MB

            • memory/1176-21-0x0000000140000000-0x0000000140112000-memory.dmp

              Filesize

              1.1MB

            • memory/1176-36-0x0000000076EB1000-0x0000000076EB2000-memory.dmp

              Filesize

              4KB

            • memory/1176-20-0x0000000140000000-0x0000000140112000-memory.dmp

              Filesize

              1.1MB

            • memory/1176-100-0x0000000076DA6000-0x0000000076DA7000-memory.dmp

              Filesize

              4KB

            • memory/1176-18-0x0000000140000000-0x0000000140112000-memory.dmp

              Filesize

              1.1MB

            • memory/1176-27-0x0000000140000000-0x0000000140112000-memory.dmp

              Filesize

              1.1MB

            • memory/1176-17-0x0000000140000000-0x0000000140112000-memory.dmp

              Filesize

              1.1MB

            • memory/1176-12-0x0000000140000000-0x0000000140112000-memory.dmp

              Filesize

              1.1MB

            • memory/1176-14-0x0000000140000000-0x0000000140112000-memory.dmp

              Filesize

              1.1MB

            • memory/1176-23-0x0000000140000000-0x0000000140112000-memory.dmp

              Filesize

              1.1MB

            • memory/1176-11-0x0000000140000000-0x0000000140112000-memory.dmp

              Filesize

              1.1MB

            • memory/1176-10-0x0000000140000000-0x0000000140112000-memory.dmp

              Filesize

              1.1MB

            • memory/1176-45-0x0000000140000000-0x0000000140112000-memory.dmp

              Filesize

              1.1MB

            • memory/1176-52-0x0000000140000000-0x0000000140112000-memory.dmp

              Filesize

              1.1MB

            • memory/1176-8-0x0000000140000000-0x0000000140112000-memory.dmp

              Filesize

              1.1MB

            • memory/1176-7-0x0000000140000000-0x0000000140112000-memory.dmp

              Filesize

              1.1MB

            • memory/1176-9-0x0000000140000000-0x0000000140112000-memory.dmp

              Filesize

              1.1MB

            • memory/1176-47-0x0000000077010000-0x0000000077012000-memory.dmp

              Filesize

              8KB

            • memory/1176-4-0x0000000002E30000-0x0000000002E31000-memory.dmp

              Filesize

              4KB

            • memory/1176-3-0x0000000076DA6000-0x0000000076DA7000-memory.dmp

              Filesize

              4KB

            • memory/1176-51-0x0000000140000000-0x0000000140112000-memory.dmp

              Filesize

              1.1MB

            • memory/1920-6-0x0000000140000000-0x0000000140112000-memory.dmp

              Filesize

              1.1MB

            • memory/1920-2-0x00000000002A0000-0x00000000002A7000-memory.dmp

              Filesize

              28KB

            • memory/1920-0-0x0000000140000000-0x0000000140112000-memory.dmp

              Filesize

              1.1MB