Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 120s
max time network: 18s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 26/12/2024, 05:11
Static task: static1
Behavioral task: behavioral1
Sample: badd24bd6383a7e823ec812a704a983dbd255c0ec969a2be228b24c27f0ac7dfN.dll
Resource: win7-20241010-en
General
Target: badd24bd6383a7e823ec812a704a983dbd255c0ec969a2be228b24c27f0ac7dfN.dll
Size: 1.2MB
MD5: a3b4fca3c9909a13d22aaabc72e62390
SHA1: 3bd9776dba676d1fa7ea5f5df336293cabea9870
SHA256: badd24bd6383a7e823ec812a704a983dbd255c0ec969a2be228b24c27f0ac7df
SHA512: ad9022e6a379b3faaa7d4f427cf121e2979607596ad7ce41d4329750a3e3705fee6f3cd0909d17ccedcf4a26a9220448d151d27710943f2561bc9da388b849a1
SSDEEP: 12288:v9g8GZHpzAac5naAd25L5O+FQ7lW8lZ60ICPxaf6og38BfSH6gqrandxT+is3pjD:v68+O6pvbt/wuzTB2OF8gnf
Malware Config
Signatures

Executes dropped EXE (1 IoC)
pid   Process
2384  rundll32mgr.exe

Loads dropped DLL (9 IoCs)
pid   Process       occurrences
2308  rundll32.exe  2
1104  WerFault.exe  7

Drops file in System32 directory (1 IoC)
description   ioc                                  Process
File created  C:\Windows\SysWOW64\rundll32mgr.exe  rundll32.exe

Program crash (2 IoCs)
pid   pid_target  Process       procid_target
1104  2384        WerFault.exe  31
3044  2308        WerFault.exe  30

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32mgr.exe

Suspicious use of WriteProcessMemory (19 IoCs)
description                       pid   Process          procid_target  occurrences
PID 2188 wrote to memory of 2308  2188  rundll32.exe     30             7
PID 2308 wrote to memory of 2384  2308  rundll32.exe     31             4
PID 2384 wrote to memory of 1104  2384  rundll32mgr.exe  32             4
PID 2308 wrote to memory of 3044  2308  rundll32.exe     33             4
Processes (process tree; each entry lists image path, command line, PID and triggered signatures)

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\badd24bd6383a7e823ec812a704a983dbd255c0ec969a2be228b24c27f0ac7dfN.dll,#1
  PID: 2188
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\badd24bd6383a7e823ec812a704a983dbd255c0ec969a2be228b24c27f0ac7dfN.dll,#1
    PID: 2308
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32mgr.exe
      C:\Windows\SysWOW64\rundll32mgr.exe
      PID: 2384
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 100
        PID: 1104
        - Loads dropped DLL
        - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 232
      PID: 3044
      - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 60KB
MD5: 9da34792f12bfb224d0b0d16f9f62292
SHA1: da65efc75ff8be031bac9ba02eda64597f657c52
SHA256: a434a29856702b0daa752fac298e3b27e08016ca210e9eefc1431957a9e20334
SHA512: 6af27047219bf6e0ede8877df56576109e50973f66d704bd1a923a8fde9bc29d7ef929576ad24e19cf82a5ae4a550a36ead42a1e0deb23f41954cbaae2724a9c