Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    13/12/2024, 15:34

General

  • Target

    DEMANDA LABORAL JURIDICA 165161/CiscoSparkLauncher.dll

  • Size

    2.6MB

  • MD5

    e2e01305e938ea378a88658d81c0917f

  • SHA1

    6b3dc7e13347f6fadadc2dbac7d3a3927d9e2aa6

  • SHA256

    29c3c48f4dc84e7179881bc3767546878b2db89d418372f687edbd4a72ef0989

  • SHA512

    5620ea58d2a7da0fe5d352ea1fe82e76ed84c31b2ae97b28a3ab3b25268f21c0a8eef8ca7baa05ab0f2c80a8125fc7e2441065eda11259b1f636be7b3d6c202d

  • SSDEEP

    49152:aGtlqOIU6iJVwASOcO81WPz3qjFr6t1Dt+w+PpmtsHcFhKgwzfQHdPWkpRs6:m+18rcDINHAhKQH8S

Score
4/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL JURIDICA 165161\CiscoSparkLauncher.dll",#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn "G7EJdZoaViCVgUwk" /tr "C:\Users\Admin\AppData\Roaming\rundll32.exe" /sc onlogon /rl highest /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3008
      • C:\Windows\system32\schtasks.exe
        schtasks /create /tn "G7EJdZoaViCVgUwk" /tr "C:\Users\Admin\AppData\Roaming\rundll32.exe" /sc onlogon /rl highest /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1752
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1928

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe

    Filesize

    481KB

    MD5

    34e7858467bd37a5fe1b75dcd73bdf19

    SHA1

    60677610b2c666cca1c212b66441231cea964434

    SHA256

    11cdb65e5b007e249a51a7410da0653ec6c6b28f68b33e1de88ac3989dd745d6

    SHA512

    bb6ea5a30f6060dd68ef51a3cfcff76a20337155eb3ac95a0fdd19240782d07d947046788833983483908728f7f119fc858930ba9d80b823f7e3582054824ac9

  • memory/2364-0-0x00000000026F0000-0x0000000002CFB000-memory.dmp

    Filesize

    6.0MB

  • memory/2364-21-0x0000000068840000-0x0000000068F17000-memory.dmp

    Filesize

    6.8MB