Analysis
max time kernel: 124s
max time network: 126s
platform: windows7_x64
resource: win7-en-20211208
submitted: 01/02/2022, 10:46
Static task: static1
Behavioral task: behavioral1
  Sample: 219594d5b634d5f95904376a1cbd8ecde93b8cdd6cfb785069e51e7eccc78baa.dll
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 219594d5b634d5f95904376a1cbd8ecde93b8cdd6cfb785069e51e7eccc78baa.dll
  Resource: win10v2004-en-20220113
General
Target: 219594d5b634d5f95904376a1cbd8ecde93b8cdd6cfb785069e51e7eccc78baa.dll
Size: 276KB
MD5: 0448f77a9999f945a136305716eabe49
SHA1: 7d906884962033eb5381fcb018fce79779578584
SHA256: 219594d5b634d5f95904376a1cbd8ecde93b8cdd6cfb785069e51e7eccc78baa
SHA512: 3270f2a146bf94a5e6981e6d99fde8b9204bb90f5b6b04305261fb6bc10541664bd2f8d6cde290e4296f81c602b649ed6ffc6315c67590506625e59f8263e6db
Malware Config
Extracted
zloader
DLLobnova
hihiupdate
build_id: 7
Signatures
- suricata: ET MALWARE Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)
- suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
- suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
Blocklisted process makes network request (8 IoCs)
flow  pid   Process
5     1488  msiexec.exe
7     1488  msiexec.exe
9     1488  msiexec.exe
11    1488  msiexec.exe
13    1488  msiexec.exe
15    1488  msiexec.exe
17    1488  msiexec.exe
19    1488  msiexec.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description      ioc  Process
Key created      \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run  msiexec.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anaw = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Azbo\\olig.dll,DllRegisterServer"  msiexec.exe
Suspicious use of SetThreadContext (1 IoCs)
description                          pid   Process       procid_target
PID 1588 set thread context of 1488  1588  rundll32.exe  30
Drops file in Windows directory (1 IoCs)
description                   ioc          Process
File opened for modification  C:\Windows\  rundll32.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description                 pid   Process
Token: SeSecurityPrivilege  1488  msiexec.exe
Token: SeSecurityPrivilege  1488  msiexec.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
pid   Process
1588  rundll32.exe  (64 identical entries)
Suspicious use of SendNotifyMessage (64 IoCs)
pid   Process
1588  rundll32.exe  (64 identical entries)
Suspicious use of WriteProcessMemory (16 IoCs)
description                       pid   Process       procid_target
PID 740 wrote to memory of 1588   740   rundll32.exe  27  (7 identical entries)
PID 1588 wrote to memory of 1488  1588  rundll32.exe  30  (9 identical entries)
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\219594d5b634d5f95904376a1cbd8ecde93b8cdd6cfb785069e51e7eccc78baa.dll,#1
  PID: 740
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\219594d5b634d5f95904376a1cbd8ecde93b8cdd6cfb785069e51e7eccc78baa.dll,#1
    PID: 1588
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\msiexec.exe
      Command line: msiexec.exe
      PID: 1488
      - Blocklisted process makes network request
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken