Analysis
- max time kernel: 16s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20241023-en
- resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
- submitted: 02/01/2025, 01:22
Static task: static1
Behavioral task: behavioral1
Sample: 4bfb82e4377cef81939ee33f12dbf3e45e8bbdf4fde3966b0576da1712512c0eN.dll
Resource: win7-20241023-en
General
- Target: 4bfb82e4377cef81939ee33f12dbf3e45e8bbdf4fde3966b0576da1712512c0eN.dll
- Size: 1.3MB
- MD5: a144334228809a0b969104fc9fbcebb0
- SHA1: 3be701d9782bdb34fd324b70c1382ba587040833
- SHA256: 4bfb82e4377cef81939ee33f12dbf3e45e8bbdf4fde3966b0576da1712512c0e
- SHA512: 0562a77168a1d1b7292632c9ec4842adce02fcaf7ce8e34d709bc7dc86702c85574985ff3e78f8d780a0a437e58777c8e4e4af05e2c305403b976547ec107cc1
- SSDEEP: 12288:Y9g8GZHpzAac5naAd25L5O+FQ7lW8lZ60ICPxaf6og38BfSH6gqrandxT+is3pjn:Y68+O6pvbt/wuzTB2OFi1u
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 2896, Process rundll32mgr.exe
- Loads dropped DLL (2 IoCs)
  pid 2680, Process rundll32.exe (2 entries)
- Drops file in System32 directory (1 IoC)
  File created: C:\Windows\SysWOW64\rundll32mgr.exe, Process rundll32.exe
- Program crash (1 IoC)
  pid 2084 (WerFault.exe), pid_target 2680, procid_target 30
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process rundll32.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process rundll32mgr.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 2896, Process rundll32mgr.exe
- Suspicious behavior: MapViewOfSection (26 IoCs)
  pid 2896, Process rundll32mgr.exe (26 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 2896, Process rundll32mgr.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  source pid -> target pid (source Process, procid_target): occurrences
  1972 -> 2680 (rundll32.exe, 30): 7
  2680 -> 2896 (rundll32.exe, 31): 4
  2680 -> 2084 (rundll32.exe, 32): 4
  2896 -> 384 (rundll32mgr.exe, 3): 7
  2896 -> 396 (rundll32mgr.exe, 4): 7
  2896 -> 432 (rundll32mgr.exe, 5): 7
  2896 -> 476 (rundll32mgr.exe, 6): 7
  2896 -> 492 (rundll32mgr.exe, 7): 7
  2896 -> 500 (rundll32mgr.exe, 8): 7
  2896 -> 596 (rundll32mgr.exe, 9): 7
Processes
- PID 384 | C:\Windows\system32\wininit.exe | cmdline: wininit.exe
  - PID 476 | C:\Windows\system32\services.exe | cmdline: C:\Windows\system32\services.exe
    - PID 596 | C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch
      - PID 2004 | C:\Windows\system32\DllHost.exe | cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      - PID 1592 | C:\Windows\system32\wbem\wmiprvse.exe | cmdline: C:\Windows\system32\wbem\wmiprvse.exe
    - PID 676 | C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k RPCSS
    - PID 756 | C:\Windows\System32\svchost.exe | cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    - PID 812 | C:\Windows\System32\svchost.exe | cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
      - PID 1040 | C:\Windows\system32\Dwm.exe | cmdline: "C:\Windows\system32\Dwm.exe"
    - PID 852 | C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k netsvcs
    - PID 960 | C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k LocalService
    - PID 296 | C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k NetworkService
    - PID 1064 | C:\Windows\system32\taskhost.exe | cmdline: "taskhost.exe"
    - PID 1072 | C:\Windows\System32\spoolsv.exe | cmdline: C:\Windows\System32\spoolsv.exe
    - PID 1168 | C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    - PID 1408 | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | cmdline: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    - PID 2460 | C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    - PID 648 | C:\Windows\system32\sppsvc.exe | cmdline: C:\Windows\system32\sppsvc.exe
  - PID 492 | C:\Windows\system32\lsass.exe | cmdline: C:\Windows\system32\lsass.exe
  - PID 500 | C:\Windows\system32\lsm.exe | cmdline: C:\Windows\system32\lsm.exe
- PID 396 | C:\Windows\system32\csrss.exe | cmdline: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
- PID 432 | C:\Windows\system32\winlogon.exe | cmdline: winlogon.exe
- PID 1128 | C:\Windows\Explorer.EXE | cmdline: C:\Windows\Explorer.EXE
  - PID 1972 | C:\Windows\system32\rundll32.exe | cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4bfb82e4377cef81939ee33f12dbf3e45e8bbdf4fde3966b0576da1712512c0eN.dll,#1
    signatures: Suspicious use of WriteProcessMemory
    - PID 2680 | C:\Windows\SysWOW64\rundll32.exe | cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4bfb82e4377cef81939ee33f12dbf3e45e8bbdf4fde3966b0576da1712512c0eN.dll,#1
      signatures: Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - PID 2896 | C:\Windows\SysWOW64\rundll32mgr.exe | cmdline: C:\Windows\SysWOW64\rundll32mgr.exe
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - PID 2084 | C:\Windows\SysWOW64\WerFault.exe | cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 228
        signatures: Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 112KB
- MD5: 787f5a2f9878eecd525f0ca2f7f71749
- SHA1: c0da1509885c34f2f40f6f557a366bba00d767b3
- SHA256: a96ea157adae6d6e44274d0b27a68074e24afd21973123dbacf1e5325aeb4438
- SHA512: 306c9b2ce87ed7e5c8c7dd557927811bfe65dd49ae735a007e8189024376c5192bc5ef879a26d32e718746cc93b8343d05b6515c0a63fc85860a614dbb5b090d