Analysis
- max time kernel: 119s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 20/01/2025, 00:37
Static task: static1
Behavioral task: behavioral1
Sample: a6f60e617596fae22bfc758d49593f3a413ffab053d4d37128849496bc82100e.dll
Resource: win7-20240903-en
General
- Target: a6f60e617596fae22bfc758d49593f3a413ffab053d4d37128849496bc82100e.dll
- Size: 776KB
- MD5: 267ebe7f32597e6cbbd20590a180d77f
- SHA1: 12acab01e939ca2cbd0b2d419a5292127f76f91b
- SHA256: a6f60e617596fae22bfc758d49593f3a413ffab053d4d37128849496bc82100e
- SHA512: 15d78c31ce57f90230c0a9acac167791197b1178e1a7cb9988f71b953f3c3c3a8ae4d522fe3ec8b4091b99b1e5b98929c46a32f5f3e796e0facf8f35a0557d67
- SSDEEP: 12288:fbP23onr2XO7KrPqgmNiQhDOy4/AT4r/E16K1QS/lsHAGHdDvRQ2sd1gqQg:fbe42XO7KWgmjDR/T4a/MdjmJ
Malware Config
Signatures
- Dridex family
  resource: behavioral1/memory/1188-5-0x0000000002DC0000-0x0000000002DC1000-memory.dmp
  yara_rule: dridex_stager_shellcode
  The YARA hit is on a memory dump of PID 1188, the process that later spawns and writes to every other process in this report.
- Executes dropped EXE (3 IoCs)
  pid  Process
  2080 Netplwiz.exe
  2884 lpksetup.exe
  536  DWWIN.EXE
- Loads dropped DLL (7 IoCs)
  pid  Process
  1188 Process not Found
  2080 Netplwiz.exe
  1188 Process not Found
  2884 lpksetup.exe
  1188 Process not Found
  536  DWWIN.EXE
  1188 Process not Found
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Auwqk = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\PRINTE~1\\5Q\\lpksetup.exe"
  Process: Process not Found
  The value is written with 8.3 short names (MICROS~1, PRINTE~1), so a rule that matches only the expanded long path will miss it. Note also that the persisted path is under AppData\Roaming, which is not the AppData\Local\ZdMB copy of lpksetup.exe that actually ran during this analysis.
- Checks whether UAC is enabled (4 IoCs)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  by: rundll32.exe, Netplwiz.exe, lpksetup.exe, DWWIN.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid  Process
  2744 rundll32.exe (3 entries)
  1188 Process not Found (all remaining entries)
- Suspicious use of WriteProcessMemory (18 IoCs)
  Every write originates from PID 1188 (Process not Found); each target is recorded three times.
  pid   target  procid_target
  1188  592     31
  1188  2080    32
  1188  2880    33
  1188  2884    34
  1188  2384    35
  1188  536     36
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. No task-specific IoC is recorded for this run.
Processes
All seven processes are shown at the same depth; the six that follow rundll32.exe are the WriteProcessMemory targets of PID 1188 listed above. Each Windows binary runs once from System32 and then again as a dropped copy from a freshly created directory under AppData\Local.
- PID 2744: C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a6f60e617596fae22bfc758d49593f3a413ffab053d4d37128849496bc82100e.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- PID 592: C:\Windows\system32\Netplwiz.exe
  command line: C:\Windows\system32\Netplwiz.exe
- PID 2080: C:\Users\Admin\AppData\Local\J4ErA\Netplwiz.exe
  command line: C:\Users\Admin\AppData\Local\J4ErA\Netplwiz.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- PID 2880: C:\Windows\system32\lpksetup.exe
  command line: C:\Windows\system32\lpksetup.exe
- PID 2884: C:\Users\Admin\AppData\Local\ZdMB\lpksetup.exe
  command line: C:\Users\Admin\AppData\Local\ZdMB\lpksetup.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- PID 2384: C:\Windows\system32\DWWIN.EXE
  command line: C:\Windows\system32\DWWIN.EXE
- PID 536: C:\Users\Admin\AppData\Local\ZirS9lcw\DWWIN.EXE
  command line: C:\Users\Admin\AppData\Local\ZirS9lcw\DWWIN.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
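The process tree and the Run-key signature above together show the pattern a hunter would want to turn into a rule: a System32 binary (Netplwiz.exe, lpksetup.exe, DWWIN.EXE) re-executed from a user-writable directory with a dropped DLL loaded beside it, an autorun value pointing into AppData written with 8.3 short names, and the initial rundll32 launch calling the DLL's export by ordinal (`,#1`). The script below is an added example, not part of the tria.ge report and not tria.ge code. Its event records are constructed from the process tree and the Run-key IoC on this page; the field names (`pid`, `image`, `cmdline`, `key`, `value`) are an assumption, not the sandbox's export format, so adapt the loaders to whatever telemetry you actually have.

```python
"""Hunt for the side-load and autorun patterns seen in this report.

Added example, not tria.ge code. Event records are constructed from the
process tree and Run-key IoC on this page; field names are assumed."""
import ntpath
import re

# Where the genuine copies of these binaries live (compared lower-cased).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# A directory a standard user can write to without elevation.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
# rundll32 invoking a DLL export by ordinal (",#1") rather than by name.
RUNDLL32_ORDINAL = re.compile(r"rundll32(?:\.exe)?\s+(\S+?\.dll),#(\d+)", re.IGNORECASE)
# An 8.3 short-name path component such as MICROS~1 or PRINTE~1.
SHORT_NAME = re.compile(r"~\d+(?=\\|$)")

# Constructed from the process tree on this page: (pid, image path, command line).
PROCESS_EVENTS = [
    {"pid": 2744, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\a6f60e617596fae22bfc758d49593f3a413ffab053d4d37128849496bc82100e.dll,#1"},
    {"pid": 592, "image": r"C:\Windows\system32\Netplwiz.exe",
     "cmdline": r"C:\Windows\system32\Netplwiz.exe"},
    {"pid": 2080, "image": r"C:\Users\Admin\AppData\Local\J4ErA\Netplwiz.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\J4ErA\Netplwiz.exe"},
    {"pid": 2880, "image": r"C:\Windows\system32\lpksetup.exe",
     "cmdline": r"C:\Windows\system32\lpksetup.exe"},
    {"pid": 2884, "image": r"C:\Users\Admin\AppData\Local\ZdMB\lpksetup.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\ZdMB\lpksetup.exe"},
    {"pid": 2384, "image": r"C:\Windows\system32\DWWIN.EXE",
     "cmdline": r"C:\Windows\system32\DWWIN.EXE"},
    {"pid": 536, "image": r"C:\Users\Admin\AppData\Local\ZirS9lcw\DWWIN.EXE",
     "cmdline": r"C:\Users\Admin\AppData\Local\ZirS9lcw\DWWIN.EXE"},
]

# Constructed from the Run-key IoC on this page (the report's doubled backslashes unescaped).
RUN_KEY_EVENTS = [
    {"key": r"\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\Auwqk",
     "value": r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\PRINTE~1\5Q\lpksetup.exe"},
]


def relocated_system_binaries(events, known_system_names=None):
    """Return events whose image has the name of a System32 binary but runs
    from a user-writable directory. By default the set of system names is
    learned from the events themselves (any run out of SYSTEM_DIRS); pass an
    explicit lower-cased allow-list for hosts where the genuine run was not
    captured alongside the copy."""
    if known_system_names is None:
        known_system_names = {
            ntpath.basename(e["image"]).lower()
            for e in events
            if ntpath.dirname(e["image"]).lower() in SYSTEM_DIRS
        }
    hits = []
    for e in events:
        name = ntpath.basename(e["image"]).lower()
        if name in known_system_names and USER_WRITABLE.match(e["image"]):
            hits.append({"pid": e["pid"], "image": e["image"], "masquerades_as": name})
    return hits


def suspicious_run_values(events):
    """Flag Run-key values that point into a user-writable path and/or use
    8.3 short names, which defeat matching on the expanded long path."""
    hits = []
    for e in events:
        reasons = []
        if USER_WRITABLE.match(e["value"]):
            reasons.append("autorun target under AppData")
        if SHORT_NAME.search(e["value"]):
            reasons.append("8.3 short-name components in path")
        if reasons:
            hits.append({"key": e["key"], "value": e["value"], "reasons": reasons})
    return hits


def rundll32_ordinal_exports(events):
    """Flag rundll32 command lines that call a DLL export by ordinal."""
    hits = []
    for e in events:
        m = RUNDLL32_ORDINAL.search(e["cmdline"])
        if m:
            hits.append({"pid": e["pid"], "dll": m.group(1), "ordinal": int(m.group(2))})
    return hits


if __name__ == "__main__":
    for h in rundll32_ordinal_exports(PROCESS_EVENTS):
        print(f"rundll32 ordinal export: pid {h['pid']} -> {h['dll']} #{h['ordinal']}")
    for h in relocated_system_binaries(PROCESS_EVENTS):
        print(f"relocated system binary: pid {h['pid']} {h['image']} (named like {h['masquerades_as']})")
    for h in suspicious_run_values(RUN_KEY_EVENTS):
        print(f"suspicious Run value: {h['key']} -> {h['value']} [{'; '.join(h['reasons'])}]")
```

Run against the records above it reports the ordinal-export launch by PID 2744, the three AppData copies (PIDs 2080, 2884, 536) and the Auwqk Run value with both reasons. Learning the "system" names from a System32 run in the same data is convenient for a sandbox trace like this one, where the genuine binary is executed just before its copy; on a fleet you will usually want the explicit allow-list instead, since the genuine run may have happened days earlier or not at all.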
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 776KB
  MD5: bc57f35184b16923d800668b4bc3cbe9
  SHA1: db4b7ccd81dc3b5b0b87aa4d816a6b32d525b4e3
  SHA256: 3c1aafb0b3a2ef684bcb102fd05a170d2ae9e5a7a065694ff9a27f8bf12994cf
  SHA512: 3401ac1c2c6020620c580058b2e403d005256c8948ea9b73d1e59e42410a070a3db2d86a102e141999d35f299a8efc44bceda6b53aeea8c878df09cc149cbb7f
- Filesize: 26KB
  MD5: e43ec3c800d4c0716613392e81fba1d9
  SHA1: 37de6a235e978ecf3bb0fc2c864016c5b0134348
  SHA256: 636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c
  SHA512: 176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08
- Filesize: 780KB
  MD5: 008ae6386553f06fcf12d2fa919c3307
  SHA1: 5a2955a4aac69da6aeedfb92da2f5bbeeac3495c
  SHA256: 6d020753dc5c1b38717876bae4fa143cf576105c01b053399fd76a375d968d3c
  SHA512: 0400d3a927154da7accc61c52d4b01f570080227b69fd85311613f28121497382c81b54c73505a537829475c4e719056b7e13a580e8f16a0ebe7ef88e297c04b
- Filesize: 780KB
  MD5: 99d792a359c054edf22c6bcca9534888
  SHA1: d729684b33c1a692ccba78fd50fecb313d713290
  SHA256: bcc525df93bf3ac97e04335860d020b99a5ab666435a7b605a92174f2991b02a
  SHA512: 276558eaf242a7b73f77ac5057f5d34cca87ea11c83c42305c1270a64346e7e92d0678c9abba10421099632d3080571508e7391a03c1344321ecf7af7411e218
- Filesize: 1KB
  MD5: 694e3cd550966ac0d314f088e31f9920
  SHA1: b9eb322af76a93ae2e2f9cd93db55583f84a2a6f
  SHA256: 03406cd4012dba5a8863b36207e7f367ddb61a778f1a58ef055d42025181a968
  SHA512: 30fcc98daa6b57c9576c3abb91651d023b3c99c45b47ac301f0a5d210a870809a90844243cd3512892326f2c3967e2dfc0c564ef3e0b42744eedaef7896c8ebb
- Filesize: 638KB
  MD5: 50d28f3f8b7c17056520c80a29efe17c
  SHA1: 1b1e62be0a0bdc9aec2e91842c35381297d8f01e
  SHA256: 71613ea48467d1a0b00f8bcaed270b7527fc5771f540a8eb0515b3a5fdc8604f
  SHA512: 92bc60402aacf1a62e47335adf8696a5c0d31637e624628d82b6ec1f17e1ee65ae8edf7e8dcd10933f59c892a4a74d8e461945df0991b706a4a53927c5fd3861
- Filesize: 149KB
  MD5: 25247e3c4e7a7a73baeea6c0008952b1
  SHA1: 8087adb7a71a696139ddc5c5abc1a84f817ab688
  SHA256: c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050
  SHA512: bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b