Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    20/07/2024, 11:38

General

  • Target

    c9e6f90c75bd7ad50d2a8ffd3c60a0a7f0d9005b4daeb1c1fb8991f4dac614b7.dll

  • Size

    5.0MB

  • MD5

    e2f6cd5e295645e69b6f1e5e0fc56964

  • SHA1

    2ca110489fd022d3312df57ee8560eb1330d2f9c

  • SHA256

    c9e6f90c75bd7ad50d2a8ffd3c60a0a7f0d9005b4daeb1c1fb8991f4dac614b7

  • SHA512

    3b71f2b8e9b1a8ad60e13955abd8bfd0ca7e1cb6a41adf859fc68d65cc0c3e39c88dfb101302c6980e0fa381c0aff45a7a234884c66d6ee82687a48083cda166

  • SSDEEP

    49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdh:+DqPoBhz1aRxcSUDk36SAEdh

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3308) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c9e6f90c75bd7ad50d2a8ffd3c60a0a7f0d9005b4daeb1c1fb8991f4dac614b7.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\c9e6f90c75bd7ad50d2a8ffd3c60a0a7f0d9005b4daeb1c1fb8991f4dac614b7.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:3044
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2288
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2860
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2868

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    0cd8635d3cf091c6778373e4883a7acf

    SHA1

    dbc02a965e5ceb512d1ca5240cb974756b55dd0f

    SHA256

    92ae1eb9c83b64d781a69edee4a270a2ab7c7ad642282aa13ed4466ca9c2278a

    SHA512

    5bf40b5f632517a58e9529556cfc035290f2b1b6eeb0901584307388612cfcad708d1b61b972f31dca09f30818820bdc0746a6c44c510aba0feb71251833e0db

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    0c50237e95985d1b5fc293ffbfdb1e31

    SHA1

    c4c5c1007dfd61382e1030b3c5dc8623440ff8f3

    SHA256

    47870a5ebf14d5ba8bd9a0b189e8245963c04cb0dc7e4b2cb294075434af6af4

    SHA512

    16bf5cb4f04feb328a1d5ae3e87648d7301ec5edecfe7512b054e1ebd237883c93f8952b10aacdf09c8881bf45898617895cb0abad11796a45b0ffea257119d4