Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
04/01/2025, 05:57
Behavioral task
behavioral1
Sample
2b5884ce35c0d37aef1faef9e9230130d6e1cec2c5099ca7de3e08c01c16d817N.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2b5884ce35c0d37aef1faef9e9230130d6e1cec2c5099ca7de3e08c01c16d817N.dll
Resource
win10v2004-20241007-en
General
-
Target
2b5884ce35c0d37aef1faef9e9230130d6e1cec2c5099ca7de3e08c01c16d817N.dll
-
Size
76KB
-
MD5
11f19d70a7cb1522e1fed32e71eb1ca0
-
SHA1
9775509e496a77a803b3871d951e75a984389399
-
SHA256
2b5884ce35c0d37aef1faef9e9230130d6e1cec2c5099ca7de3e08c01c16d817
-
SHA512
5273ab4c030958a69c86705c9b72901dc571cf6e866b347a7cac7f71b5992c34e3af32fa9f5f9f56d4331c4ca766d4095c85df03a7050542117c9fb575ae7e9b
-
SSDEEP
1536:YjV8y93KQpFQmPLRk7G50zy/riF12jvRyo0hQk7ZX48T:c8y93KQjy7G55riF1cMo03148T
Malware Config
Signatures
-
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
resource yara_rule behavioral1/memory/708-3-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/708-2-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/708-1-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/708-4-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral1/memory/708-5-0x0000000010000000-0x0000000010030000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 708 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 708 rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2520 wrote to memory of 708 2520 rundll32.exe 30 PID 2520 wrote to memory of 708 2520 rundll32.exe 30 PID 2520 wrote to memory of 708 2520 rundll32.exe 30 PID 2520 wrote to memory of 708 2520 rundll32.exe 30 PID 2520 wrote to memory of 708 2520 rundll32.exe 30 PID 2520 wrote to memory of 708 2520 rundll32.exe 30 PID 2520 wrote to memory of 708 2520 rundll32.exe 30
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2b5884ce35c0d37aef1faef9e9230130d6e1cec2c5099ca7de3e08c01c16d817N.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2b5884ce35c0d37aef1faef9e9230130d6e1cec2c5099ca7de3e08c01c16d817N.dll,#12⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:708
-