Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

nouactelegram.vmp.dll

windows7_x64

10

nouactelegram.vmp.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    10/02/2022, 15:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    nouactelegram.vmp.dll

  • Size

    5.5MB

  • MD5

    52703c8091a4e3ac70d95c6acbf7dd0d

  • SHA1

    671467744181cd12695db8e5ba1d79b0d83271c0

  • SHA256

    02dfd5448fecf132e9c2062dce335945d220e7fd1a0ab0885ac20d409da02bbf

  • SHA512

    ae54f063f36e13f6f04971b54dc19cb915a774dd0f35035c13ca61ce716515b9740695cae5035ff66bc5a44cf9c9d4979f21e5eab2409920cb0ec0fdb781bf90

Score
10/10
chinese_generic_botnetbotnet

Malware Config

Signatures

  • Generic Chinese Botnet

    A botnet originating from China which is currently unnamed publicly.

    botnetchinese_generic_botnet
  • Chinese Botnet Payload 1 IoCs
    botnet
  • Blocklisted process makes network request 8 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Windows directory 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\nouactelegram.vmp.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4320
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\nouactelegram.vmp.dll,#1
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:4196
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:4536
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1120

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4196-131-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4196-130-0x00000000009F0000-0x00000000009F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4196-132-0x00000000740D0000-0x00000000749B4000-memory.dmp

    Filesize

    8.9MB

    Download

  • memory/4196-134-0x00000000740E6000-0x0000000074431000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4196-135-0x00000000740D1000-0x00000000740DE000-memory.dmp

    Filesize

    52KB

    Download

  • memory/4196-136-0x0000000010000000-0x0000000010017000-memory.dmp

    Filesize

    92KB

    Download

  • memory/4536-138-0x0000020818620000-0x0000020818630000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4536-139-0x0000020818680000-0x0000020818690000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4536-140-0x000002081AD50000-0x000002081AD54000-memory.dmp

    Filesize

    16KB

    Download