Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
15/01/2025, 18:04
Static task
static1
Behavioral task
behavioral1
Sample
269d6a38de8ff33cb033509ef49dd7d2.dll
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
269d6a38de8ff33cb033509ef49dd7d2.dll
Resource
win10v2004-20241007-en
General
-
Target
269d6a38de8ff33cb033509ef49dd7d2.dll
-
Size
5.0MB
-
MD5
269d6a38de8ff33cb033509ef49dd7d2
-
SHA1
f5c2049a17b5c3b6d3ba93f06a61ad8ae264fb60
-
SHA256
62e9391e7aada2e5c0ee36f418c78da93bafc6db05fc05ca8a7dce824ced2e62
-
SHA512
857270c1bfd4a770b41518275c57cea2f6444b09e63b7bfd557d8ecb8ef29e358078975ef24ede10771ac0510a09146b7fa51a2ef65ce74d51a72ab3787c228c
-
SSDEEP
98304:+DqPoBhz1aRxcSUDk36SAEdhvxWas593R8yAVp2H:+DqPe1Cxcxk3ZAEUaszR8yc4H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Wannacry family
-
Contacts a large (3310) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
pid Process 2304 mssecsvc.exe 1440 mssecsvc.exe 2848 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Modifies data under HKEY_USERS 24 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f016e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{27E472E0-130D-4C47-87DC-2734C99DC3F4} mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-d4-57-5c-e3-b0\WpadDecision = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{27E472E0-130D-4C47-87DC-2734C99DC3F4}\36-d4-57-5c-e3-b0 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{27E472E0-130D-4C47-87DC-2734C99DC3F4}\WpadDecisionTime = a0f545e07767db01 mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{27E472E0-130D-4C47-87DC-2734C99DC3F4}\WpadNetworkName = "Network 3" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-d4-57-5c-e3-b0 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-d4-57-5c-e3-b0\WpadDecisionTime = a0f545e07767db01 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{27E472E0-130D-4C47-87DC-2734C99DC3F4}\WpadDecisionReason = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{27E472E0-130D-4C47-87DC-2734C99DC3F4}\WpadDecision = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-d4-57-5c-e3-b0\WpadDecisionReason = "1" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 3068 wrote to memory of 2196 3068 rundll32.exe 31 PID 3068 wrote to memory of 2196 3068 rundll32.exe 31 PID 3068 wrote to memory of 2196 3068 rundll32.exe 31 PID 3068 wrote to memory of 2196 3068 rundll32.exe 31 PID 3068 wrote to memory of 2196 3068 rundll32.exe 31 PID 3068 wrote to memory of 2196 3068 rundll32.exe 31 PID 3068 wrote to memory of 2196 3068 rundll32.exe 31 PID 2196 wrote to memory of 2304 2196 rundll32.exe 32 PID 2196 wrote to memory of 2304 2196 rundll32.exe 32 PID 2196 wrote to memory of 2304 2196 rundll32.exe 32 PID 2196 wrote to memory of 2304 2196 rundll32.exe 32
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\269d6a38de8ff33cb033509ef49dd7d2.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\269d6a38de8ff33cb033509ef49dd7d2.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2304 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:2848
-
-
-
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1440
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD5a7def9bf7875f39bf0aa1c76bbe3d4f6
SHA11e7502154af9d2817e1849b254e8b2c9207b7b34
SHA25697f25b04eff5cd567480b67a38a48279f5ccd2256842dd772f5e5e807022282f
SHA512176f1a203522d763236547f56cdf0e0dfdcf2d8d4ea0b218d15d65b38d9d922d416d34516dd7fb43dfa46b8f41d837836a5bb91e4fbf4a326df5debfcfa5c5de
-
Filesize
3.4MB
MD5fcbc058eeab7fd8c9b6fe129eeff2c88
SHA1101102dfea60d85d5f650d45ef17ab5f02ada179
SHA256b4c9512ea0d78f7e41fa3b585484d080026a3599e931a4ce4939ea890cf5d411
SHA5126f1a484d71cf9c1113c5d5e400d02f83b695076954d7e0b70630751a8e04d3672b0ef905baeb3a932f3288c88bdd425b5ed8679608e97e30b20ed6ca27820834