Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    05/02/2025, 00:45

General

  • Target

    d29c5e424a41063b6cd023cac203b190dec79838693acb78c02a922be684467eN.dll

  • Size

    1.3MB

  • MD5

    bc2e593d06093206b2b0e1d2f56f9da0

  • SHA1

    9c86d7e4c68ea776cc8773328f8d5887a110285a

  • SHA256

    d29c5e424a41063b6cd023cac203b190dec79838693acb78c02a922be684467e

  • SHA512

    c710971d7cd89529b157d30904f9f3d98fb6a080486988ac412e1cf55f8dd6d53c50d5e71e9fc888d08efb9567a2ac6ca4abec0907f6a170560c010ea7e8496b

  • SSDEEP

    24576:knCumpWmiJEtMMPk/bqfDYhgI2qpmiQYbvRdsQGLAT1Lv1Tqhy/NQIFDh:knCuAk/bjgITpm7YbXsQdT1Dl

Score
10/10

Malware Config

Extracted

Family

latrodectus

Version

1.4

C2

https://vivaforevew.com/test/

https://wersogkiwgow.com/test/

Attributes
  • group

    Omega

  • user_agent

    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)

aes.hex

Extracted

Family

latrodectus

aes.hex

Signatures

  • Latrodectus family
  • Latrodectus loader

    Latrodectus is a loader written in C++.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d29c5e424a41063b6cd023cac203b190dec79838693acb78c02a922be684467eN.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1512
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1512 -s 128
      2⤵
        PID:2420

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1512-0-0x0000000180000000-0x0000000181CB2000-memory.dmp

      Filesize

      28.7MB

    • memory/1512-4-0x0000000001F90000-0x0000000003C40000-memory.dmp

      Filesize

      28.7MB