Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 14/06/2024, 05:15
Static task: static1

Behavioral task: behavioral1
  Sample: e3e22619fb9b1a125f140f78fc4921b8d151119e2e0dcab30aa8d9e821c292c3.dll
  Resource: win7-20240611-en

Behavioral task: behavioral2
  Sample: e3e22619fb9b1a125f140f78fc4921b8d151119e2e0dcab30aa8d9e821c292c3.dll
  Resource: win10v2004-20240508-en
General
Target: e3e22619fb9b1a125f140f78fc4921b8d151119e2e0dcab30aa8d9e821c292c3.dll
Size: 92KB
MD5: dbdd2b0113484f4a133ab06051514020
SHA1: 9f17031d2feb44f00ea0c47e52eaf3938da77f1c
SHA256: e3e22619fb9b1a125f140f78fc4921b8d151119e2e0dcab30aa8d9e821c292c3
SHA512: ea376766b5744ea1aaf9e7737fa595111e5be10e2481e37fd742e53e544353d1a006fdf04511c6d1db7ea3cd31bb7bb58272696abb0892f6377763eb70fb5c47
SSDEEP: 1536:fulk/4zdximmy8nQNgdxp+7DwFRFPZsu0TiTuARXsWiHpcdmzkIGd1LKxniPxJSG:uiVyBNgdxYwFmeiWmzkIGd1LK8xDz
Malware Config
Signatures
- Modifies registry class (25 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5FFC3D25-AE3B-4811-B964-D992E9ADBFA2}\NumMethods\ = "6" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20CB8E44-1A2F-42C7-9994-D64D3798A14F}\NumMethods\ = "4" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2540627C-4AC1-4B5E-87A8-0522441A9990}\ProxyStubClsid32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2540627C-4AC1-4B5E-87A8-0522441A9990}\NumMethods | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20CB8E44-1A2F-42C7-9994-D64D3798A14F}\ = "IInstHelper" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2540627C-4AC1-4B5E-87A8-0522441A9990}\ = "IInstHelperEx" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5FFC3D25-AE3B-4811-B964-D992E9ADBFA2}\ = "PSFactoryBuffer" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5FFC3D25-AE3B-4811-B964-D992E9ADBFA2} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5FFC3D25-AE3B-4811-B964-D992E9ADBFA2}\InProcServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20CB8E44-1A2F-42C7-9994-D64D3798A14F}\ProxyStubClsid32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5FFC3D25-AE3B-4811-B964-D992E9ADBFA2} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5FFC3D25-AE3B-4811-B964-D992E9ADBFA2}\ProxyStubClsid32\ = "{5FFC3D25-AE3B-4811-B964-D992E9ADBFA2}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20CB8E44-1A2F-42C7-9994-D64D3798A14F}\ProxyStubClsid32\ = "{5FFC3D25-AE3B-4811-B964-D992E9ADBFA2}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20CB8E44-1A2F-42C7-9994-D64D3798A14F}\NumMethods | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2540627C-4AC1-4B5E-87A8-0522441A9990}\ProxyStubClsid32\ = "{5FFC3D25-AE3B-4811-B964-D992E9ADBFA2}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5FFC3D25-AE3B-4811-B964-D992E9ADBFA2}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e3e22619fb9b1a125f140f78fc4921b8d151119e2e0dcab30aa8d9e821c292c3.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5FFC3D25-AE3B-4811-B964-D992E9ADBFA2}\InProcServer32\ThreadingModel = "Both" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5FFC3D25-AE3B-4811-B964-D992E9ADBFA2}\ = "IInstHelperEx1" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5FFC3D25-AE3B-4811-B964-D992E9ADBFA2}\NumMethods | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20CB8E44-1A2F-42C7-9994-D64D3798A14F} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5FFC3D25-AE3B-4811-B964-D992E9ADBFA2}\ProxyStubClsid32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2540627C-4AC1-4B5E-87A8-0522441A9990} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2540627C-4AC1-4B5E-87A8-0522441A9990}\NumMethods\ = "5" | regsvr32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)

description | pid | Process | procid_target
PID 2144 wrote to memory of 2440 | 2144 | regsvr32.exe | 28
PID 2144 wrote to memory of 2440 | 2144 | regsvr32.exe | 28
PID 2144 wrote to memory of 2440 | 2144 | regsvr32.exe | 28
PID 2144 wrote to memory of 2440 | 2144 | regsvr32.exe | 28
PID 2144 wrote to memory of 2440 | 2144 | regsvr32.exe | 28
PID 2144 wrote to memory of 2440 | 2144 | regsvr32.exe | 28
PID 2144 wrote to memory of 2440 | 2144 | regsvr32.exe | 28
Processes
- C:\Windows\system32\regsvr32.exe (PID 2144)
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e3e22619fb9b1a125f140f78fc4921b8d151119e2e0dcab30aa8d9e821c292c3.dll
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe (PID 2440)
    Command line: /s C:\Users\Admin\AppData\Local\Temp\e3e22619fb9b1a125f140f78fc4921b8d151119e2e0dcab30aa8d9e821c292c3.dll
    Signatures: Modifies registry class