Analysis

  • max time kernel
    92s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/10/2022, 19:48

General

  • Target

    b389b582e661d5bedc2e5d93656e2b9d25ab65b3a0785fac2e560648b439ce50.exe

  • Size

    96KB

  • MD5

    685d0110bbdc8e55dc8340001d5eab9e

  • SHA1

    277b56e9391a4aec627eedd44cf63eb5ce057c3b

  • SHA256

    b389b582e661d5bedc2e5d93656e2b9d25ab65b3a0785fac2e560648b439ce50

  • SHA512

    abf19efd4fecc6ca72ae87265583bdc81e54ad5ee753bf65a264424225b03964dee2969e9bf91e1a09044f3bcc35afa99b32434c83f2f23d5aca9b011e6356c2

  • SSDEEP

    1536:Pg8JY+gwf+JeRjY6hii6L3SSQAUm3jDJNdBb2N3iDMmpjZfDHqfqqfnm:PhJY2+6dTSQeJVS3iDMmlxD4nm

Malware Config

Signatures

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 2 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b389b582e661d5bedc2e5d93656e2b9d25ab65b3a0785fac2e560648b439ce50.exe
    "C:\Users\Admin\AppData\Local\Temp\b389b582e661d5bedc2e5d93656e2b9d25ab65b3a0785fac2e560648b439ce50.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5096
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Windows\system32\udtyfwi.dll,fvgpbdf
      2⤵
      • Loads dropped DLL
      PID:5044

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\SysWOW64\udtyfwi.dll

    Filesize

    84KB

    MD5

    4b8b331ada6af36d8dfe5f7d81ffb170

    SHA1

    e64075e3fbb4365b907e95e23bd60f8f88ceff7e

    SHA256

    cad22f042c3bf578e9fd61ca25e72fb7a754fb9ea387c2a44d77c9c6e9225fc9

    SHA512

    2ca5bcbd2684c504f8fdc1d7f9a3dd3f4bd8cddf9032e981836c2e7bfb0bbce207f7c19a22ff8d0bc2f04afa1b3c7afc028fd941a36e03a622d7d7975539a416

  • C:\Windows\SysWOW64\vgjkv.dll

    Filesize

    62KB

    MD5

    658305d90dd9719a1696d2adfad63847

    SHA1

    1acb16f3453c19e8d7a53f6a214c1871d23110a9

    SHA256

    079ee037dcbcf5dd206ba779755ab34411a420d9f430aa9ccc48840f90ab638c

    SHA512

    ccb913ecf1167751ebaa111599e0cba3c69e10576c50795b573591aa6fbc14b4e73bd70a38c98f7918f46d66e4ce99ce3e5db9fd85a28ebcc1bb7ea32305d093

  • memory/5044-138-0x0000000010000000-0x000000001001C000-memory.dmp

    Filesize

    112KB

  • memory/5096-132-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/5096-134-0x0000000010000000-0x0000000010016000-memory.dmp

    Filesize

    88KB

  • memory/5096-139-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/5096-140-0x0000000010000000-0x0000000010016000-memory.dmp

    Filesize

    88KB