Analysis
  max time kernel:  120s
  max time network: 119s
  platform:         windows7_x64
  resource:         win7-20240903-en
  resource tags:    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted:        02/10/2024, 05:46
Static task: static1
Behavioral task: behavioral1
  Sample:   f4a29c49f51c7fbcd76718566d33ee9b6b0a43c0eff1e9e8396fa0f278b9d731N.dll
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample:   f4a29c49f51c7fbcd76718566d33ee9b6b0a43c0eff1e9e8396fa0f278b9d731N.dll
  Resource: win10v2004-20240802-en
General
  Target: f4a29c49f51c7fbcd76718566d33ee9b6b0a43c0eff1e9e8396fa0f278b9d731N.dll
  Size:   56KB
  MD5:    3164b48da7b98c1acc2c2ff32bf25590
  SHA1:   d99a46a16214594ad6decbc22ef3002b53307443
  SHA256: f4a29c49f51c7fbcd76718566d33ee9b6b0a43c0eff1e9e8396fa0f278b9d731
  SHA512: 4de4e788abbfd85671fae80e0f4861f72e55f11c895cdfb1b3904a1c08943d7d57ce5288804e2fa04a375d33ae6220ddc6bbad8a776c28baa4eab15d08eadf55
  SSDEEP: 1536:1mv1kzwz1Bp27GjV3P1YI3oyzfmgszyq1d:1Pcz1j4yzf9sWkd
Malware Config
Signatures
-
Executes dropped EXE (2 IoCs)
  pid 2360  hrlA479.tmp
  pid 2416  gkmiuy.exe

Loads dropped DLL (3 IoCs)
  pid 1952  rundll32.exe
  pid 1952  rundll32.exe
  pid 2416  gkmiuy.exe

Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by rundll32.exe, 21 drive roots (E: through Z:, F: excluded):
    \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P:
    \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:

Drops file in System32 directory (4 IoCs)
  File created                  C:\Windows\SysWOW64\gkmiuy.exe   hrlA479.tmp
  File opened for modification  C:\WINDOWS\SysWOW64\GKMIUY.EXE   hrlA479.tmp
  File opened for modification  C:\Windows\SysWOW64\gkmiuy.exe   hrlA479.tmp
  File created                  C:\Windows\SysWOW64\hra33.dll    gkmiuy.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   hrlA479.tmp
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   gkmiuy.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   rundll32.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 2360  hrlA479.tmp

Suspicious behavior: MapViewOfSection (25 IoCs)
  pid 2360  hrlA479.tmp  (25 occurrences)

Suspicious use of AdjustPrivilegeToken (9 IoCs)
  pid 2360  hrlA479.tmp
    Token: SeDebugPrivilege          (1)
    Token: SeTakeOwnershipPrivilege  (2)
    Token: SeRestorePrivilege        (2)
    Token: SeBackupPrivilege         (2)
    Token: SeChangeNotifyPrivilege   (2)

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid 2360  hrlA479.tmp  (2)
  pid 2416  gkmiuy.exe   (2)

Suspicious use of WriteProcessMemory (64 IoCs)
  Rows collapsed by (source pid, target pid); procid_target is the report's process-list index, not a PID.
  Target process names are taken from the Processes section below.
  source pid  source process   target pid  procid_target  target process                               count
  1992        rundll32.exe     1952        30             rundll32.exe (SysWOW64)                      7
  1952        rundll32.exe     2360        31             hrlA479.tmp                                  4
  2360        hrlA479.tmp      380         3              wininit.exe                                  5
  2360        hrlA479.tmp      388         4              csrss.exe                                    5
  2360        hrlA479.tmp      428         5              winlogon.exe                                 5
  2360        hrlA479.tmp      472         6              services.exe                                 5
  2360        hrlA479.tmp      488         7              lsass.exe                                    5
  2360        hrlA479.tmp      496         8              lsm.exe                                      5
  2360        hrlA479.tmp      608         9              svchost.exe -k DcomLaunch                    5
  2360        hrlA479.tmp      688         10             svchost.exe -k RPCSS                         5
  2360        hrlA479.tmp      776         11             svchost.exe -k LocalServiceNetworkRestricted 5
  2360        hrlA479.tmp      824         12             svchost.exe -k LocalSystemNetworkRestricted  5
  2360        hrlA479.tmp      864         13             svchost.exe -k netsvcs                       3 (signature output capped at 64 rows)
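The WriteProcessMemory rows above carry the report's strongest injection signal: a binary running from the user's Temp directory (hrlA479.tmp, PID 2360), which also shows SeDebugPrivilege under AdjustPrivilegeToken, writes into wininit, csrss, winlogon, services, lsass, lsm and several svchost hosts. The rundll32 to rundll32 and rundll32 to hrlA479.tmp rows, by contrast, are consistent with a parent writing into a child it has just spawned (the Processes section shows exactly that lineage). The Python below is an added example, not part of the tria.ge report or the sandbox's own code. It parses the rows in the flattened form this page shows them (a constructed subset is embedded inline), collapses the repeats, and flags writes whose source image lives under a user-writable path and whose target is a core system image. The process table is copied from this report; the set of core system images and the user-writable prefixes are illustrative assumptions, not something the page defines.

```python
import re
from collections import Counter

# Constructed subset of the "Suspicious use of WriteProcessMemory" rows as they appear
# on this report page: "PID <src> wrote to memory of <dst> <src> <image> <procid_target>".
WPM_TEXT = (
    "PID 1992 wrote to memory of 1952 1992 rundll32.exe 30 "
    "PID 1992 wrote to memory of 1952 1992 rundll32.exe 30 "
    "PID 1952 wrote to memory of 2360 1952 rundll32.exe 31 "
    "PID 2360 wrote to memory of 380 2360 hrlA479.tmp 3 "
    "PID 2360 wrote to memory of 388 2360 hrlA479.tmp 4 "
    "PID 2360 wrote to memory of 428 2360 hrlA479.tmp 5 "
    "PID 2360 wrote to memory of 472 2360 hrlA479.tmp 6 "
    "PID 2360 wrote to memory of 488 2360 hrlA479.tmp 7 "
    "PID 2360 wrote to memory of 496 2360 hrlA479.tmp 8 "
    "PID 2360 wrote to memory of 608 2360 hrlA479.tmp 9 "
)

# pid -> image path, taken from the Processes section of this report.
PROCESSES = {
    380: r"C:\Windows\system32\wininit.exe",
    388: r"C:\Windows\system32\csrss.exe",
    428: r"C:\Windows\system32\winlogon.exe",
    472: r"C:\Windows\system32\services.exe",
    488: r"C:\Windows\system32\lsass.exe",
    496: r"C:\Windows\system32\lsm.exe",
    608: r"C:\Windows\system32\svchost.exe",
    1244: r"C:\Windows\Explorer.EXE",
    1992: r"C:\Windows\system32\rundll32.exe",
    1952: r"C:\Windows\SysWOW64\rundll32.exe",
    2360: r"C:\Users\Admin\AppData\Local\Temp\hrlA479.tmp",
    2416: r"C:\Windows\SysWOW64\gkmiuy.exe",
}

# One row: the source pid is repeated after the target pid, so a backreference pins it.
ENTRY_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<row>\d+)"
)

# Assumed policy for illustration: images a user-land process should never be writing into,
# and path prefixes an unprivileged user can drop files under.
CORE_SYSTEM_IMAGES = {"wininit.exe", "csrss.exe", "winlogon.exe", "services.exe",
                      "lsass.exe", "lsm.exe", "svchost.exe"}
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def parse_wpm(text):
    """Turn the flattened signature text into (src_pid, dst_pid, src_image) tuples."""
    return [(int(m["src"]), int(m["dst"]), m["image"]) for m in ENTRY_RE.finditer(text)]


def summarize(events):
    """Collapse repeated rows into a Counter keyed by (src_pid, dst_pid)."""
    return Counter((src, dst) for src, dst, _ in events)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def flag_injection(events, processes):
    """Return (src_pid, dst_pid, reason) for every source in a user-writable path
    that wrote into a core system process; parent->child writes between system
    binaries are left alone."""
    hits = []
    for (src, dst), count in sorted(summarize(events).items()):
        src_path = processes.get(src, "").lower()
        dst_image = basename(processes.get(dst, ""))
        if src_path.startswith(USER_WRITABLE_PREFIXES) and dst_image in CORE_SYSTEM_IMAGES:
            hits.append((src, dst, f"{basename(src_path)} -> {dst_image} x{count}"))
    return hits


if __name__ == "__main__":
    events = parse_wpm(WPM_TEXT)
    for (src, dst), count in sorted(summarize(events).items()):
        print(f"{src} -> {dst}  x{count}")
    for src, dst, reason in flag_injection(events, PROCESSES):
        print("possible injection:", src, dst, reason)
```

On the full 64-row table from this report the same logic flags eleven distinct targets for PID 2360 and nothing for the two rundll32 instances; the point of keeping the process table separate is that the same rows read very differently once the source path is known.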
Processes (indented by parent/child depth; image path, then command line where it differs)
  PID 380   C:\Windows\system32\wininit.exe  [wininit.exe]
    PID 472   C:\Windows\system32\services.exe
      PID 608   C:\Windows\system32\svchost.exe -k DcomLaunch
        PID 1616  C:\Windows\system32\wbem\wmiprvse.exe
        PID 112   C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      PID 688   C:\Windows\system32\svchost.exe -k RPCSS
      PID 776   C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
      PID 824   C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
        PID 1180  C:\Windows\system32\Dwm.exe  ["C:\Windows\system32\Dwm.exe"]
      PID 864   C:\Windows\system32\svchost.exe -k netsvcs
      PID 984   C:\Windows\system32\svchost.exe -k LocalService
      PID 296   C:\Windows\system32\svchost.exe -k NetworkService
      PID 860   C:\Windows\System32\spoolsv.exe
      PID 1068  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
      PID 1124  C:\Windows\system32\taskhost.exe  ["taskhost.exe"]
      PID 1420  C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
      PID 2012  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
      PID 2280  C:\Windows\system32\sppsvc.exe
      PID 2416  C:\Windows\SysWOW64\gkmiuy.exe
                - Executes dropped EXE
                - Loads dropped DLL
                - Drops file in System32 directory
                - System Location Discovery: System Language Discovery
                - Suspicious use of SetWindowsHookEx
    PID 488   C:\Windows\system32\lsass.exe
    PID 496   C:\Windows\system32\lsm.exe
  PID 388   C:\Windows\system32\csrss.exe
            [%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16]
  PID 428   C:\Windows\system32\winlogon.exe  [winlogon.exe]
  PID 1244  C:\Windows\Explorer.EXE
    PID 1992  C:\Windows\system32\rundll32.exe
              [rundll32.exe C:\Users\Admin\AppData\Local\Temp\f4a29c49f51c7fbcd76718566d33ee9b6b0a43c0eff1e9e8396fa0f278b9d731N.dll,#1]
              - Suspicious use of WriteProcessMemory
      PID 1952  C:\Windows\SysWOW64\rundll32.exe
                [rundll32.exe C:\Users\Admin\AppData\Local\Temp\f4a29c49f51c7fbcd76718566d33ee9b6b0a43c0eff1e9e8396fa0f278b9d731N.dll,#1]
                - Loads dropped DLL
                - Enumerates connected drives
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory
        PID 2360  C:\Users\Admin\AppData\Local\Temp\hrlA479.tmp
                  - Executes dropped EXE
                  - Drops file in System32 directory
                  - System Location Discovery: System Language Discovery
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious behavior: MapViewOfSection
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of SetWindowsHookEx
                  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 49KB
  MD5:      0429f3eae2d5db826955e38a715d4c5e
  SHA1:     92017b72ec3af3758768022e7879ca2802b03a22
  SHA256:   fc501e0e0bb0ec3a21867ff5055db3b1a3b7347cf131451a760f2a2df264fa81
  SHA512:   bf9724969fc79e913e2390f1ae2a6c6606b465dede20b4cf6c2c3c4a5da48c2e2f9403a3152eaa4539f89cea0ea62184c1f79e1e83047a91774de31522c25338

  Filesize: 7KB
  MD5:      7147ff24579a477a1a34696926e573f1
  SHA1:     9127ea8d813ecd5788b3f97777931ec79b7760e9
  SHA256:   fd08dcb016611316c849d48312ba6dc7d4de75d1a81c1d475a13bb5a1ba07267
  SHA512:   077b68376679c30d2dbae460ed59f5131c177bdd7574af1c2660ed97ae242b1401816d012af321c278be065b49bc9eab395e008b1b9a2447aa27b694bbed1d5d