Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 149s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 27/01/2025, 13:03
Static task: static1
Behavioral task: behavioral1
- Sample: 123a833c6ad4fefb0e612a93c8bfb2fda9525414b308f18c9d3ea56a5ea37fff.dll
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 123a833c6ad4fefb0e612a93c8bfb2fda9525414b308f18c9d3ea56a5ea37fff.dll
- Resource: win10v2004-20241007-en
General
- Target: 123a833c6ad4fefb0e612a93c8bfb2fda9525414b308f18c9d3ea56a5ea37fff.dll
- Size: 984KB
- MD5: f5e2ec95b6d3d591609351b2c32c15fc
- SHA1: 56ff4415603201d5367280e88348a56f24e4863b
- SHA256: 123a833c6ad4fefb0e612a93c8bfb2fda9525414b308f18c9d3ea56a5ea37fff
- SHA512: ccd2977e2a21ea3f8c0ca0774f84af450813a9b338dcf31e59ae377f7cca9206e64f7be2e756ead7abcc61114b7d1a20480bec7dca56e6252d264fbc824f6fc0
- SSDEEP: 24576:yWyoHFMVMKkN3ZvxEhb0IsaQ4KriCo0j6Ijgx:1nuVMK6vx2RsIKNrjE
Malware Config
Signatures
- Dridex family
  resource: behavioral1/memory/1152-5-0x0000000002F20000-0x0000000002F21000-memory.dmp
  yara_rule: dridex_stager_shellcode
- Executes dropped EXE (3 IoCs)
  pid   Process
  2996  fveprompt.exe
  2632  unregmp2.exe
  1224  winlogon.exe
- Loads dropped DLL (7 IoCs)
  pid   Process
  1152  Process not Found
  2996  fveprompt.exe
  1152  Process not Found
  2632  unregmp2.exe
  1152  Process not Found
  1224  winlogon.exe
  1152  Process not Found
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gazvzzjnt = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\RH\\unregmp2.exe"
  Process: Process not Found
- Checks whether UAC is enabled (1 TTP, 4 IoCs)
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Process (one query each): rundll32.exe, fveprompt.exe, unregmp2.exe, winlogon.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process            entries
  1908  rundll32.exe       3
  1152  Process not Found  61
- Suspicious use of WriteProcessMemory (18 IoCs)
  description                       pid   Process            procid_target  entries
  PID 1152 wrote to memory of 2052  1152  Process not Found  30             3
  PID 1152 wrote to memory of 2996  1152  Process not Found  31             3
  PID 1152 wrote to memory of 2616  1152  Process not Found  32             3
  PID 1152 wrote to memory of 2632  1152  Process not Found  33             3
  PID 1152 wrote to memory of 1568  1152  Process not Found  34             3
  PID 1152 wrote to memory of 1224  1152  Process not Found  35             3
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\123a833c6ad4fefb0e612a93c8bfb2fda9525414b308f18c9d3ea56a5ea37fff.dll,#1
  PID: 1908
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\fveprompt.exe
  Command line: C:\Windows\system32\fveprompt.exe
  PID: 2052
- C:\Users\Admin\AppData\Local\Eft00lW\fveprompt.exe
  Command line: C:\Users\Admin\AppData\Local\Eft00lW\fveprompt.exe
  PID: 2996
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\unregmp2.exe
  Command line: C:\Windows\system32\unregmp2.exe
  PID: 2616
- C:\Users\Admin\AppData\Local\25R\unregmp2.exe
  Command line: C:\Users\Admin\AppData\Local\25R\unregmp2.exe
  PID: 2632
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\winlogon.exe
  Command line: C:\Windows\system32\winlogon.exe
  PID: 1568
- C:\Users\Admin\AppData\Local\1mzZJNf\winlogon.exe
  Command line: C:\Users\Admin\AppData\Local\1mzZJNf\winlogon.exe
  PID: 1224
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads