Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel:   105s
  max time network:  16s
  platform:          windows7_x64
  resource:          win7-20240903-en
  resource tags:     arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted:         16/01/2025, 07:11
  static task:       static1
  behavioral task:   behavioral1
  sample:            f91ec0b7844995cf71c92ac16afafd45cca77bc74c4394e7f5119a9b7f0b1532N.dll
  resource:          win7-20240903-en

General
  Target:  f91ec0b7844995cf71c92ac16afafd45cca77bc74c4394e7f5119a9b7f0b1532N.dll
  Size:    504KB
  MD5:     a750fe49a05a90b4daa897a0d65a70a0
  SHA1:    3df4421793e529abf8f0402f56a3098ff8fe0b73
  SHA256:  f91ec0b7844995cf71c92ac16afafd45cca77bc74c4394e7f5119a9b7f0b1532
  SHA512:  ba64d42a5492e15a470d6ab55dd693276ca9b5e5a29f3d1871737980d7614bde256f91a3704b32a8df4916714e94ba12737c4982f52613dce7af2d51beee0aab
  SSDEEP:  12288:/h8fZLyb9PzVMBC/HVMOp4PkxHLCYwZckMQMNM3I9zjz:/8F+Pzr/Hfp4MIYwZckMQmMsXz
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   Process
  1736  rundll32mgr.exe

Loads dropped DLL (9 IoCs)
  pid   Process       occurrences
  2064  rundll32.exe  2
  2420  WerFault.exe  7

Drops file in System32 directory (1 IoC)
  description   ioc                                  Process
  File created  C:\Windows\SysWOW64\rundll32mgr.exe  rundll32.exe

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  2420  1736        WerFault.exe  32

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32mgr.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  description                       pid   Process          procid_target  occurrences
  PID 2336 wrote to memory of 2064  2336  rundll32.exe     31             7
  PID 2064 wrote to memory of 1736  2064  rundll32.exe     32             4
  PID 1736 wrote to memory of 2420  1736  rundll32mgr.exe  33             4
Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f91ec0b7844995cf71c92ac16afafd45cca77bc74c4394e7f5119a9b7f0b1532N.dll,#1
  PID: 2336
  - Suspicious use of WriteProcessMemory
  |
  +- C:\Windows\SysWOW64\rundll32.exe
     rundll32.exe C:\Users\Admin\AppData\Local\Temp\f91ec0b7844995cf71c92ac16afafd45cca77bc74c4394e7f5119a9b7f0b1532N.dll,#1
     PID: 2064
     - Loads dropped DLL
     - Drops file in System32 directory
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory
     |
     +- C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        PID: 1736
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        |
        +- C:\Windows\SysWOW64\WerFault.exe
           C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 100
           PID: 2420
           - Loads dropped DLL
           - Program crash
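The chain the report records (the SysWOW64 rundll32.exe writes rundll32mgr.exe into SysWOW64, runs it, both processes open the NLS\Language key, and the dropped EXE then crashes under WerFault) expressed as detection logic run over process, file and registry events. This is an added example, not tria.ge's signature code; the event schema and the EVENTS list below are constructed from the PIDs, images and IoCs in the report above and are assumptions for illustration, not the Triage report format.

```python
"""Detection logic for the drop-and-execute chain in the report above.
Added example; the event schema and EVENTS are constructed, not Triage's
own format."""
import ntpath

# Directories where a freshly written, immediately executed file is suspect.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\f91ec0b7844995cf71c92ac16afafd45cca77bc74c4394e7f5119a9b7f0b1532N.dll")
NLS_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"

# Constructed events reproducing the PIDs, images and IoCs listed in the report.
EVENTS = [
    {"kind": "process_create", "pid": 2336, "ppid": 0,
     "image": r"C:\Windows\system32\rundll32.exe", "cmdline": f"rundll32.exe {SAMPLE},#1"},
    {"kind": "process_create", "pid": 2064, "ppid": 2336,
     "image": r"C:\Windows\SysWOW64\rundll32.exe", "cmdline": f"rundll32.exe {SAMPLE},#1"},
    {"kind": "file_create", "pid": 2064, "path": r"C:\Windows\SysWOW64\rundll32mgr.exe"},
    {"kind": "reg_open", "pid": 2064, "key": NLS_KEY},
    {"kind": "process_create", "pid": 1736, "ppid": 2064,
     "image": r"C:\Windows\SysWOW64\rundll32mgr.exe",
     "cmdline": r"C:\Windows\SysWOW64\rundll32mgr.exe"},
    {"kind": "reg_open", "pid": 1736, "key": NLS_KEY},
    {"kind": "process_create", "pid": 2420, "ppid": 1736,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 100"},
]


def drops_in_system_dir(events):
    """(pid, path) for every file created directly under System32/SysWOW64."""
    hits = []
    for ev in events:
        if ev["kind"] == "file_create" and ev["path"].lower().startswith(SYSTEM_DIRS):
            hits.append((ev["pid"], ev["path"]))
    return hits


def executes_dropped_exe(events):
    """(pid, image) for processes whose image was written earlier in the trace.
    Order matters: the create must precede the execute, so we walk events once."""
    dropped, hits = set(), []
    for ev in events:
        if ev["kind"] == "file_create":
            dropped.add(ev["path"].lower())
        elif ev["kind"] == "process_create" and ev["image"].lower() in dropped:
            hits.append((ev["pid"], ev["image"]))
    return hits


def system_language_discovery(events):
    """Sorted pids that opened the NLS\\Language key (ATT&CK T1614.001)."""
    return sorted({ev["pid"] for ev in events
                   if ev["kind"] == "reg_open"
                   and ev["key"].lower().endswith(r"\nls\language")})


def process_chain(events, pid):
    """Image basenames from the root ancestor down to `pid`, following ppid links."""
    procs = {ev["pid"]: ev for ev in events if ev["kind"] == "process_create"}
    chain = []
    while pid in procs:
        chain.append(ntpath.basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return list(reversed(chain))


def crash_of_dropped_exe(events):
    """(werfault_pid, crashed_pid) when WerFault's -p target is a dropped EXE,
    i.e. the payload crashed, matching the report's 'Program crash' signature."""
    dropped_pids = {pid for pid, _ in executes_dropped_exe(events)}
    hits = []
    for ev in events:
        if ev["kind"] != "process_create":
            continue
        if ntpath.basename(ev["image"]).lower() != "werfault.exe":
            continue
        args = ev["cmdline"].split()
        if "-p" in args and int(args[args.index("-p") + 1]) in dropped_pids:
            hits.append((ev["pid"], int(args[args.index("-p") + 1])))
    return hits


if __name__ == "__main__":
    print("drops in system dir:", drops_in_system_dir(EVENTS))
    print("executes dropped exe:", executes_dropped_exe(EVENTS))
    print("language discovery pids:", system_language_discovery(EVENTS))
    print("chain to WerFault:", " -> ".join(process_chain(EVENTS, 2420)))
    print("crash of dropped exe:", crash_of_dropped_exe(EVENTS))
```

The 2336 to 2064 WriteProcessMemory rows are what you expect when the 64-bit rundll32.exe relaunches its SysWOW64 copy to host a 32-bit DLL (the resource tags list arch:x86), and the parent writes into the child during process creation; on their own they are weak evidence. The stronger signals in this report are the file written into SysWOW64 and then executed from there, and the crash of that freshly dropped EXE under WerFault, which is why the functions above key on those.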
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize:  69KB
MD5:       03a048104272c7aabc167e893cc6d3cd
SHA1:      304fdf6a45f2e4e422365f836ae526af3cd72af6
SHA256:    cc3aa2d0788746f8e848b6e59142502ca61afe72c380c6f44b353064567b33d5
SHA512:    0989ecced26ca343f2924b6407299886fe47b59e00ac9e9f51c0e4145d06f64d6aa0db1c2e28a0fcba343609aef39682916a809b786139c45bcc4adb28ec5df1