Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
09/03/2025, 05:11 UTC
General
-
Target
f329ea2c754ab196d15c20fbf9abd722fa63630631144c5a409bd2a20172196b2.dll
-
Size
159KB
-
MD5
7932ee5fa6f83b149569752c47e04b87
-
SHA1
6eb115feadc5808507fb5a666dd18aa89a45616c
-
SHA256
f329ea2c754ab196d15c20fbf9abd722fa63630631144c5a409bd2a20172196b
-
SHA512
17ba26e69f7536f5adaa52454fbd407338be61d97bc396baa591de9fa19aab3e539b4ca32059b2ddb1b901ac7ecd341dff9ead706fc0d058086e6b3795642f58
-
SSDEEP
3072:pusrpo1j49JvKa0ePbh37E6ZO78buZKxrF:ZQcvKpE37E6nmKhF
Malware Config
Signatures
-
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
-
Locky (Osiris variant)
Variant of the Locky ransomware seen in the wild since early 2017.
-
Locky family
-
Locky_osiris family
-
Blocklisted process makes network request 6 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Control Panel 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\f329ea2c754ab196d15c20fbf9abd722fa63630631144c5a409bd2a20172196b2.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\f329ea2c754ab196d15c20fbf9abd722fa63630631144c5a409bd2a20172196b2.dll,#12⤵
- Blocklisted process makes network request
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2764 CREDAT:275457 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
Network
-
POSThttp://185.17.120.166/checkupdateRemote address:185.17.120.166:80RequestPOST /checkupdate HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://185.17.120.166/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: 185.17.120.166
Content-Length: 700
Connection: Keep-Alive
ResponseHTTP/1.1 404 Not Found
Server: nginx
Date: Sun, 09 Mar 2025 05:12:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Last-Modified: Fri, 10 Mar 2017 10:27:25 GMT
ETag: W/"429ce-55a-54a5dcec944c2"
Content-Encoding: gzip
-
POSThttp://185.17.120.166/checkupdateRemote address:185.17.120.166:80RequestPOST /checkupdate HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://185.17.120.166/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: 185.17.120.166
Content-Length: 700
Connection: Keep-Alive
ResponseHTTP/1.1 404 Not Found
Server: nginx
Date: Sun, 09 Mar 2025 05:13:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Last-Modified: Fri, 10 Mar 2017 10:27:25 GMT
ETag: W/"429ce-55a-54a5dcec944c2"
Content-Encoding: gzip
-
185.129.148.56:80 -
185.17.120.166:80http://185.17.120.166/checkupdatehttp
HTTP Request
POST http://185.17.120.166/checkupdateHTTP Response
404HTTP Request
POST http://185.17.120.166/checkupdateHTTP Response
404 -
86.110.117.155:80 -
185.129.148.56:80
-
86.110.117.155:80
-
185.129.148.56:80
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD52de8beba2725b510fd686c3adf0f0f6e
SHA15d8df4bb8bd6a9e467dde51137252486dd488a57
SHA2564a2a722e3512ab9453c17b87bce434025bc5edbc0d26db0eb15e470983595d3b
SHA5122b7010bc872235cf29f65bfdde4453220815be53cfd0337d960db98117f8d9814194aa89ce9396ebb1f05ee2bde16607f83c37f39475268a13727b0d2df6f9a2
-
Filesize
71KB
MD583142242e97b8953c386f988aa694e4a
SHA1833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10
-
Filesize
344B
MD594089d73496e9ff1f1c308eb72c094c3
SHA12a9b1aed94a45e1396220f2ef51500193c1c1bae
SHA25612540540524a45dbbaac28f252654cf9d4a0bf204603ed211d167c9546bb8737
SHA512b7694eb80cfb19bf18f16350dc360b2763bfba9b530a8bc52da95daf02ed472b8b9ccc1a042e1f36d135d204ac9bfecbe28b20cf517e9832f229a9f6769c0f9c
-
Filesize
344B
MD58b06cf7fb379949a6f1443bc3f9e5915
SHA186ef42b31059b64a686291cc21d77dc4fd6a5bb6
SHA2563fbef24d11d47b3a23402d03cfb611e6015193b22e8722233c21c887331cacc7
SHA51227f8532f10370f08e169944bb02d49115b02767cf057bbf09aebc4fc5de4cd9f2dad37aa17adac464f8f10335f373749133febf6a304cf7a6dffb2097f11db55
-
Filesize
344B
MD555b88a79c99449c8c64d72391307beb5
SHA1f4addd89acf0ced82c8cdac4a964645688440b39
SHA256ba11c78903288421f289234b5aa6a0f132ef8cb0e33494795859e6bdc48bbba3
SHA5122d88e9a2c6d41135e53ccad7e9d168fc20cb285a91d4e6aa8deba8be2b40bd1d324c1e09922f06291084cdc5befcaac3e3879e1c521502ce2708ac13bc0572ce
-
Filesize
344B
MD5154913f01be731e864a6d480fc8a6c25
SHA16469726d44be1268b50de20a1e4ae33b25925254
SHA256532a656a1bc7cc5df29541592fa36bc67059996ef02a92610bc9f51e9efd26d1
SHA512c986748881878432027a5e56b163bc07a60c0955f83d0035008a0b2caeca03191ee9510a8726b30543b45f2a4b3d36d790df864b1e0c4fe20c05b55fb946a01e
-
Filesize
344B
MD5784d524d00ad0de483116663eba501e0
SHA155e2de5cf0e404ab811b44bb8f67cd826d63f048
SHA2560d87d1d07f3433d57c3822a61bedf0eca94fad77cb34adb326967284c17b120a
SHA5124b8bf527b677cddc07e0ccb95023175651a007563a5c70ff1d64ac2a25c023f89914944d9c2e5717d97476ca46a049b31ff7c45ec20f5fad99b3cf4b83302d23
-
Filesize
344B
MD5d7c2d626a6b494d592e8e346bae0c981
SHA1541cd5f0a9ef2c6b94c63752a2588627c4cc611f
SHA25670401fbcfb955d1c2f22b00de774fc409e006d401516cf52619b08e898f2cf7a
SHA5129293949ac6564eaeb2eaf0583e870e5c381dfbb66cc6cf11592615956d31d3c60adcf291d5d48d9c03812089a02534a0acf3a5b3b361963f701b0546ae62b557
-
Filesize
344B
MD5d1dfd8a3d17aa16a723215eab11ccc43
SHA1413e68c54f0d168886ec85bf3e6599263811d3cd
SHA256702a012f5707bb893bb9a9fccc990ea0b4cc9cd2bdb83e22e77095d9c2421c99
SHA512bae82321d0ec03f2372d57e7e5e306352aae14339a9c7983f69cf533e2d2a80df848bf0481f508455c2cfb977c61702dcec4e8d9ea7aa714066442132671532c
-
Filesize
344B
MD5667580514199eedf20b28c1b3d7dced6
SHA1c83af898e76a5d7b1729223af5117a7195857c2c
SHA2560525051a317fc3ba66a36aba7024f6431f3bedf06977b1e3c814e29c81fabdc5
SHA51253264d1acd72706a24a8ffd52fd6c5fe9b661ac6500038b7437c29c4b1d880eb4d6c86ac22f7621ea7039432246e2c9bac559f090dcf5843f1166823cde3b5aa
-
Filesize
344B
MD5121d60784c65471b1ea5034d0d613874
SHA1a735f048f88101662cc40658cdd0bb78ad8cd74b
SHA25629d33cd7a8fb8abdac5cae3fbac6d0ab4e938caaf0ea02568e8c24f833989ce8
SHA5126d3adf10bf56bf2495f18d202f058e811f1ef907b8cdcd9490a0a38ef8d5673fd798658f7e0e8e2e8e5b8497da84b15bf4a461d4cdc914753333d14104131680
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
183KB
MD5109cab5505f5e065b63d01361467a83b
SHA14ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc
-
Filesize
3.4MB
MD597a60b70cc9f6355900cd2eaee20f60e
SHA1f510eb68f8d07923572d5ba8f19f3c38904f3102
SHA256777dea123ef4c3c207e357dc523af98ef166856826cfbbd45c713ccf25e83fec
SHA51200ccbbddbd238c3fb792ad46f10aca2404ccad58efc4db2422f0c74f86177a389f1b7f28288568a6d05ce42634d9518aadd2796f699ae491052064e23bab7b58
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
4KB
-
Filesize
60KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
8KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
4KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
