Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    26/12/2024, 05:11

General

  • Target

    badd24bd6383a7e823ec812a704a983dbd255c0ec969a2be228b24c27f0ac7dfN.dll

  • Size

    1.2MB

  • MD5

    a3b4fca3c9909a13d22aaabc72e62390

  • SHA1

    3bd9776dba676d1fa7ea5f5df336293cabea9870

  • SHA256

    badd24bd6383a7e823ec812a704a983dbd255c0ec969a2be228b24c27f0ac7df

  • SHA512

    ad9022e6a379b3faaa7d4f427cf121e2979607596ad7ce41d4329750a3e3705fee6f3cd0909d17ccedcf4a26a9220448d151d27710943f2561bc9da388b849a1

  • SSDEEP

    12288:v9g8GZHpzAac5naAd25L5O+FQ7lW8lZ60ICPxaf6og38BfSH6gqrandxT+is3pjD:v68+O6pvbt/wuzTB2OF8gnf

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 9 IoCs
  • Drops file in System32 directory 1 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\badd24bd6383a7e823ec812a704a983dbd255c0ec969a2be228b24c27f0ac7dfN.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\badd24bd6383a7e823ec812a704a983dbd255c0ec969a2be228b24c27f0ac7dfN.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2308
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2384
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 100
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:1104
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 232
        3⤵
        • Program crash
        PID:3044

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Windows\SysWOW64\rundll32mgr.exe

    Filesize

    60KB

    MD5

    9da34792f12bfb224d0b0d16f9f62292

    SHA1

    da65efc75ff8be031bac9ba02eda64597f657c52

    SHA256

    a434a29856702b0daa752fac298e3b27e08016ca210e9eefc1431957a9e20334

    SHA512

    6af27047219bf6e0ede8877df56576109e50973f66d704bd1a923a8fde9bc29d7ef929576ad24e19cf82a5ae4a550a36ead42a1e0deb23f41954cbaae2724a9c

  • memory/2308-9-0x0000000010000000-0x000000001013A000-memory.dmp

    Filesize

    1.2MB

  • memory/2308-5-0x0000000010000000-0x000000001013A000-memory.dmp

    Filesize

    1.2MB