Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
3DEMANDA LA...61.zip
windows7-x64
7DEMANDA LA...61.zip
windows10-2004-x64
10DEMANDA LA...21.exe
windows7-x64
4DEMANDA LA...21.exe
windows10-2004-x64
10DEMANDA LA...er.dll
windows7-x64
4DEMANDA LA...er.dll
windows10-2004-x64
10DEMANDA LA...ON.dll
windows7-x64
1DEMANDA LA...ON.dll
windows10-2004-x64
1Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
13/12/2024, 15:34
Static task
static1
Behavioral task
behavioral1
Sample
DEMANDA LABORAL JURIDICA 165161.zip
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
DEMANDA LABORAL JURIDICA 165161.zip
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
DEMANDA LABORAL JURIDICA 165161/1 DEMANDA LABORAL JURIDICA 321321.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
DEMANDA LABORAL JURIDICA 165161/1 DEMANDA LABORAL JURIDICA 321321.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
DEMANDA LABORAL JURIDICA 165161/CiscoSparkLauncher.dll
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
DEMANDA LABORAL JURIDICA 165161/CiscoSparkLauncher.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
DEMANDA LABORAL JURIDICA 165161/VERSION.dll
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
DEMANDA LABORAL JURIDICA 165161/VERSION.dll
Resource
win10v2004-20241007-en
General
-
Target
DEMANDA LABORAL JURIDICA 165161/CiscoSparkLauncher.dll
-
Size
2.6MB
-
MD5
e2e01305e938ea378a88658d81c0917f
-
SHA1
6b3dc7e13347f6fadadc2dbac7d3a3927d9e2aa6
-
SHA256
29c3c48f4dc84e7179881bc3767546878b2db89d418372f687edbd4a72ef0989
-
SHA512
5620ea58d2a7da0fe5d352ea1fe82e76ed84c31b2ae97b28a3ab3b25268f21c0a8eef8ca7baa05ab0f2c80a8125fc7e2441065eda11259b1f636be7b3d6c202d
-
SSDEEP
49152:aGtlqOIU6iJVwASOcO81WPz3qjFr6t1Dt+w+PpmtsHcFhKgwzfQHdPWkpRs6:m+18rcDINHAhKQH8S
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1928 svchost.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1752 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe 2364 rundll32.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 476 Process not Found 476 Process not Found -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 2364 wrote to memory of 3008 2364 rundll32.exe 31 PID 2364 wrote to memory of 3008 2364 rundll32.exe 31 PID 2364 wrote to memory of 3008 2364 rundll32.exe 31 PID 3008 wrote to memory of 1752 3008 cmd.exe 33 PID 3008 wrote to memory of 1752 3008 cmd.exe 33 PID 3008 wrote to memory of 1752 3008 cmd.exe 33 PID 2364 wrote to memory of 1928 2364 rundll32.exe 34 PID 2364 wrote to memory of 1928 2364 rundll32.exe 34 PID 2364 wrote to memory of 1928 2364 rundll32.exe 34 PID 2364 wrote to memory of 1928 2364 rundll32.exe 34 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL JURIDICA 165161\CiscoSparkLauncher.dll",#11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn "G7EJdZoaViCVgUwk" /tr "C:\Users\Admin\AppData\Roaming\rundll32.exe" /sc onlogon /rl highest /f2⤵
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\system32\schtasks.exeschtasks /create /tn "G7EJdZoaViCVgUwk" /tr "C:\Users\Admin\AppData\Roaming\rundll32.exe" /sc onlogon /rl highest /f3⤵
- Scheduled Task/Job: Scheduled Task
PID:1752
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1928
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
481KB
MD534e7858467bd37a5fe1b75dcd73bdf19
SHA160677610b2c666cca1c212b66441231cea964434
SHA25611cdb65e5b007e249a51a7410da0653ec6c6b28f68b33e1de88ac3989dd745d6
SHA512bb6ea5a30f6060dd68ef51a3cfcff76a20337155eb3ac95a0fdd19240782d07d947046788833983483908728f7f119fc858930ba9d80b823f7e3582054824ac9