Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/01/2025, 18:04

General

  • Target

    269d6a38de8ff33cb033509ef49dd7d2.dll

  • Size

    5.0MB

  • MD5

    269d6a38de8ff33cb033509ef49dd7d2

  • SHA1

    f5c2049a17b5c3b6d3ba93f06a61ad8ae264fb60

  • SHA256

    62e9391e7aada2e5c0ee36f418c78da93bafc6db05fc05ca8a7dce824ced2e62

  • SHA512

    857270c1bfd4a770b41518275c57cea2f6444b09e63b7bfd557d8ecb8ef29e358078975ef24ede10771ac0510a09146b7fa51a2ef65ce74d51a72ab3787c228c

  • SSDEEP

    98304:+DqPoBhz1aRxcSUDk36SAEdhvxWas593R8yAVp2H:+DqPe1Cxcxk3ZAEUaszR8yc4H

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Wannacry family
  • Contacts a large (3310) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\269d6a38de8ff33cb033509ef49dd7d2.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\269d6a38de8ff33cb033509ef49dd7d2.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2196
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2304
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2848
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:1440

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    a7def9bf7875f39bf0aa1c76bbe3d4f6

    SHA1

    1e7502154af9d2817e1849b254e8b2c9207b7b34

    SHA256

    97f25b04eff5cd567480b67a38a48279f5ccd2256842dd772f5e5e807022282f

    SHA512

    176f1a203522d763236547f56cdf0e0dfdcf2d8d4ea0b218d15d65b38d9d922d416d34516dd7fb43dfa46b8f41d837836a5bb91e4fbf4a326df5debfcfa5c5de

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    fcbc058eeab7fd8c9b6fe129eeff2c88

    SHA1

    101102dfea60d85d5f650d45ef17ab5f02ada179

    SHA256

    b4c9512ea0d78f7e41fa3b585484d080026a3599e931a4ce4939ea890cf5d411

    SHA512

    6f1a484d71cf9c1113c5d5e400d02f83b695076954d7e0b70630751a8e04d3672b0ef905baeb3a932f3288c88bdd425b5ed8679608e97e30b20ed6ca27820834