Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    02/10/2024, 05:46

General

  • Target

    f4a29c49f51c7fbcd76718566d33ee9b6b0a43c0eff1e9e8396fa0f278b9d731N.dll

  • Size

    56KB

  • MD5

    3164b48da7b98c1acc2c2ff32bf25590

  • SHA1

    d99a46a16214594ad6decbc22ef3002b53307443

  • SHA256

    f4a29c49f51c7fbcd76718566d33ee9b6b0a43c0eff1e9e8396fa0f278b9d731

  • SHA512

    4de4e788abbfd85671fae80e0f4861f72e55f11c895cdfb1b3904a1c08943d7d57ce5288804e2fa04a375d33ae6220ddc6bbad8a776c28baa4eab15d08eadf55

  • SSDEEP

    1536:1mv1kzwz1Bp27GjV3P1YI3oyzfmgszyq1d:1Pcz1j4yzf9sWkd

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\wininit.exe
    wininit.exe
    1⤵
      PID:380
      • C:\Windows\system32\services.exe
        C:\Windows\system32\services.exe
        2⤵
          PID:472
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k DcomLaunch
            3⤵
              PID:608
              • C:\Windows\system32\wbem\wmiprvse.exe
                C:\Windows\system32\wbem\wmiprvse.exe
                4⤵
                  PID:1616
                • C:\Windows\system32\DllHost.exe
                  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                  4⤵
                    PID:112
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k RPCSS
                  3⤵
                    PID:688
                  • C:\Windows\System32\svchost.exe
                    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                    3⤵
                      PID:776
                    • C:\Windows\System32\svchost.exe
                      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                      3⤵
                        PID:824
                        • C:\Windows\system32\Dwm.exe
                          "C:\Windows\system32\Dwm.exe"
                          4⤵
                            PID:1180
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k netsvcs
                          3⤵
                            PID:864
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k LocalService
                            3⤵
                              PID:984
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k NetworkService
                              3⤵
                                PID:296
                              • C:\Windows\System32\spoolsv.exe
                                C:\Windows\System32\spoolsv.exe
                                3⤵
                                  PID:860
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                                  3⤵
                                    PID:1068
                                  • C:\Windows\system32\taskhost.exe
                                    "taskhost.exe"
                                    3⤵
                                      PID:1124
                                    • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
                                      "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
                                      3⤵
                                        PID:1420
                                      • C:\Windows\system32\svchost.exe
                                        C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                                        3⤵
                                          PID:2012
                                        • C:\Windows\system32\sppsvc.exe
                                          C:\Windows\system32\sppsvc.exe
                                          3⤵
                                            PID:2280
                                          • C:\Windows\SysWOW64\gkmiuy.exe
                                            C:\Windows\SysWOW64\gkmiuy.exe
                                            3⤵
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            • Drops file in System32 directory
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious use of SetWindowsHookEx
                                            PID:2416
                                        • C:\Windows\system32\lsass.exe
                                          C:\Windows\system32\lsass.exe
                                          2⤵
                                            PID:488
                                          • C:\Windows\system32\lsm.exe
                                            C:\Windows\system32\lsm.exe
                                            2⤵
                                              PID:496
                                          • C:\Windows\system32\csrss.exe
                                            %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                            1⤵
                                              PID:388
                                            • C:\Windows\system32\winlogon.exe
                                              winlogon.exe
                                              1⤵
                                                PID:428
                                              • C:\Windows\Explorer.EXE
                                                C:\Windows\Explorer.EXE
                                                1⤵
                                                  PID:1244
                                                  • C:\Windows\system32\rundll32.exe
                                                    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f4a29c49f51c7fbcd76718566d33ee9b6b0a43c0eff1e9e8396fa0f278b9d731N.dll,#1
                                                    2⤵
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:1992
                                                    • C:\Windows\SysWOW64\rundll32.exe
                                                      rundll32.exe C:\Users\Admin\AppData\Local\Temp\f4a29c49f51c7fbcd76718566d33ee9b6b0a43c0eff1e9e8396fa0f278b9d731N.dll,#1
                                                      3⤵
                                                      • Loads dropped DLL
                                                      • Enumerates connected drives
                                                      • System Location Discovery: System Language Discovery
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:1952
                                                      • C:\Users\Admin\AppData\Local\Temp\hrlA479.tmp
                                                        C:\Users\Admin\AppData\Local\Temp\hrlA479.tmp
                                                        4⤵
                                                        • Executes dropped EXE
                                                        • Drops file in System32 directory
                                                        • System Location Discovery: System Language Discovery
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious behavior: MapViewOfSection
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        • Suspicious use of SetWindowsHookEx
                                                        • Suspicious use of WriteProcessMemory
                                                        PID:2360

                                                Network

                                                MITRE ATT&CK Enterprise v15

                                                Replay Monitor

                                                Loading Replay Monitor...

                                                Downloads

                                                • C:\Users\Admin\AppData\Local\Temp\hrlA479.tmp

                                                  Filesize

                                                  49KB

                                                  MD5

                                                  0429f3eae2d5db826955e38a715d4c5e

                                                  SHA1

                                                  92017b72ec3af3758768022e7879ca2802b03a22

                                                  SHA256

                                                  fc501e0e0bb0ec3a21867ff5055db3b1a3b7347cf131451a760f2a2df264fa81

                                                  SHA512

                                                  bf9724969fc79e913e2390f1ae2a6c6606b465dede20b4cf6c2c3c4a5da48c2e2f9403a3152eaa4539f89cea0ea62184c1f79e1e83047a91774de31522c25338

                                                • \Windows\SysWOW64\hra33.dll

                                                  Filesize

                                                  7KB

                                                  MD5

                                                  7147ff24579a477a1a34696926e573f1

                                                  SHA1

                                                  9127ea8d813ecd5788b3f97777931ec79b7760e9

                                                  SHA256

                                                  fd08dcb016611316c849d48312ba6dc7d4de75d1a81c1d475a13bb5a1ba07267

                                                  SHA512

                                                  077b68376679c30d2dbae460ed59f5131c177bdd7574af1c2660ed97ae242b1401816d012af321c278be065b49bc9eab395e008b1b9a2447aa27b694bbed1d5d

                                                • memory/1952-2-0x0000000000400000-0x0000000000415000-memory.dmp

                                                  Filesize

                                                  84KB

                                                • memory/1952-25-0x0000000000400000-0x0000000000415000-memory.dmp

                                                  Filesize

                                                  84KB

                                                • memory/2360-9-0x0000000077050000-0x0000000077051000-memory.dmp

                                                  Filesize

                                                  4KB

                                                • memory/2360-10-0x000000007704F000-0x0000000077050000-memory.dmp

                                                  Filesize

                                                  4KB

                                                • memory/2360-15-0x0000000000400000-0x0000000000415000-memory.dmp

                                                  Filesize

                                                  84KB

                                                • memory/2416-26-0x0000000000400000-0x0000000000415000-memory.dmp

                                                  Filesize

                                                  84KB