Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
110s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
14/10/2024, 11:34
Behavioral task
behavioral1
Sample
7965701c18b0d1a5025cd2f0b3bbe480232074c82b946ce95e78fe544747a01bN.dll
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
7965701c18b0d1a5025cd2f0b3bbe480232074c82b946ce95e78fe544747a01bN.dll
Resource
win10v2004-20241007-en
General
-
Target
7965701c18b0d1a5025cd2f0b3bbe480232074c82b946ce95e78fe544747a01bN.dll
-
Size
76KB
-
MD5
23b127414d0a13c6c6a8b9c1ed0a3820
-
SHA1
7e98521502a744af8e3d7e5567ebd7eed1df193d
-
SHA256
7965701c18b0d1a5025cd2f0b3bbe480232074c82b946ce95e78fe544747a01b
-
SHA512
42c8e1297e1e22494d71d7b7630d07c8d686b41addac2dd18b64c036a341e4169bdee9dd259686f81dcb1be428d4d4066a4baa6854cb26e6f3f3594292bc717d
-
SSDEEP
1536:YjV8y93KQpFQmPLRk7G50zy/riF12jvRyo0hQk7Zb1Xh4v/:c8y93KQjy7G55riF1cMo03jXg/
Malware Config
Signatures
-
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
resource yara_rule behavioral1/memory/1628-3-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/1628-2-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/1628-1-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/1628-0-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/1628-4-0x0000000010000000-0x0000000010030000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1628 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1628 rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2520 wrote to memory of 1628 2520 rundll32.exe 30 PID 2520 wrote to memory of 1628 2520 rundll32.exe 30 PID 2520 wrote to memory of 1628 2520 rundll32.exe 30 PID 2520 wrote to memory of 1628 2520 rundll32.exe 30 PID 2520 wrote to memory of 1628 2520 rundll32.exe 30 PID 2520 wrote to memory of 1628 2520 rundll32.exe 30 PID 2520 wrote to memory of 1628 2520 rundll32.exe 30
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\7965701c18b0d1a5025cd2f0b3bbe480232074c82b946ce95e78fe544747a01bN.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\7965701c18b0d1a5025cd2f0b3bbe480232074c82b946ce95e78fe544747a01bN.dll,#12⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1628
-