Analysis
max time kernel: 124s
max time network: 126s
platform: windows7_x64
resource: win7-20240708-es
resource tags: arch:x64, arch:x86, image:win7-20240708-es, locale:es-es, os:windows7-x64, system, windows
submitted: 03/10/2024, 15:21
Static task
static1

Behavioral tasks
behavioral1: sample AppFile.exe, resource win10-20240404-es
behavioral2: sample AppFile.exe, resource win7-20240903-es
behavioral3: sample AppFile.exe, resource win10v2004-20240802-es
behavioral4: sample sqlite.dll, resource win10-20240404-es
behavioral5: sample sqlite.dll, resource win7-20240708-es
General
Target: sqlite.dll
Size: 5.3MB
MD5: b073f1111619c4a7539a0110d2387ff1
SHA1: 50058b937602e4b14c7e36e7e36c498cd45b10f7
SHA256: b105a20ec8cf2aa1868689019cbf76bab597c1ed88082b8481c08090526be633
SHA512: 23917a90b58faef995f2f5f73e140b8a540fb58f49c88a42d95b94f603b61e7921c8bb6df6170fadb81d33963632b04644f5d48c941fd69914a54db3e3811d83
SSDEEP: 98304:Q12tW5t8QTrNQrDxJSB695pyYbdwYdP+e7WaTnGSAp9sPrP/nHXOk2:e2Ij8QTrNQrDOEDp+Yd7yaTRPj2X
Malware Config
Signatures
Modifies firewall policy service (3 TTPs, 1 IoC)
  Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" (process: rundll32.exe)
Blocklisted process makes network request (7 IoCs)
  flows 2, 5, 6, 8, 9, 11, 13: pid 1284, rundll32.exe
Looks up external IP address via web service (6 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 7: ipinfo.io
  flow 8: ipinfo.io
  flow 12: api.myip.com
  flow 13: api.myip.com
  flow 4: api64.ipify.org
  flow 5: api64.ipify.org
Drops file in System32 directory (4 IoCs)
  File opened for modification: C:\Windows\System32\GroupPolicy (rundll32.exe)
  File opened for modification: C:\Windows\SysWOW64\GroupPolicy\gpt.ini (rundll32.exe)
  File created: C:\Windows\System32\GroupPolicy\Machine\Registry.pol (rundll32.exe)
  File opened for modification: C:\Windows\System32\GroupPolicy\GPT.INI (rundll32.exe)
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rundll32.exe)
Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 1284, rundll32.exe
Suspicious use of WriteProcessMemory (7 IoCs)
  PID 1168 wrote to memory of 1284 (pid 1168, rundll32.exe, procid_target 30), 7 identical entries
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\sqlite.dll,#1
  PID: 1168
  - Suspicious use of WriteProcessMemory
  child process: C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\sqlite.dll,#1
    PID: 1284
    - Modifies firewall policy service
    - Blocklisted process makes network request
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses