Analysis
- max time kernel: 92s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/10/2022, 19:48
Behavioral task: behavioral1
- Sample: b389b582e661d5bedc2e5d93656e2b9d25ab65b3a0785fac2e560648b439ce50.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: b389b582e661d5bedc2e5d93656e2b9d25ab65b3a0785fac2e560648b439ce50.exe
- Resource: win10v2004-20220812-en
General
- Target: b389b582e661d5bedc2e5d93656e2b9d25ab65b3a0785fac2e560648b439ce50.exe
- Size: 96KB
- MD5: 685d0110bbdc8e55dc8340001d5eab9e
- SHA1: 277b56e9391a4aec627eedd44cf63eb5ce057c3b
- SHA256: b389b582e661d5bedc2e5d93656e2b9d25ab65b3a0785fac2e560648b439ce50
- SHA512: abf19efd4fecc6ca72ae87265583bdc81e54ad5ee753bf65a264424225b03964dee2969e9bf91e1a09044f3bcc35afa99b32434c83f2f23d5aca9b011e6356c2
- SSDEEP: 1536:Pg8JY+gwf+JeRjY6hii6L3SSQAUm3jDJNdBb2N3iDMmpjZfDHqfqqfnm:PhJY2+6dTSQeJVS3iDMmlxD4nm
Malware Config
Signatures
- yara_rule: upx
  resource: behavioral2/memory/5096-132-0x0000000000400000-0x000000000042E000-memory.dmp
  resource: behavioral2/memory/5096-139-0x0000000000400000-0x000000000042E000-memory.dmp
- Loads dropped DLL (2 IoCs)
  PID 5096: b389b582e661d5bedc2e5d93656e2b9d25ab65b3a0785fac2e560648b439ce50.exe
  PID 5044: rundll32.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\udtyfwi.dll = "C:\\Windows\\system32\\rundll32.exe C:\\Windows\\system32\\udtyfwi.dll,fvgpbdf" (process: b389b582e661d5bedc2e5d93656e2b9d25ab65b3a0785fac2e560648b439ce50.exe)
- Installs/modifies Browser Helper Object (2 TTPs, 1 IoC)
  BHOs are DLL modules which act as plugins for Internet Explorer.
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11246469-E4E9-E3B4-062C-028B6129A9DC} (process: b389b582e661d5bedc2e5d93656e2b9d25ab65b3a0785fac2e560648b439ce50.exe)
- Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\SysWOW64\udtyfwi.dll (process: b389b582e661d5bedc2e5d93656e2b9d25ab65b3a0785fac2e560648b439ce50.exe)
  File created: C:\Windows\SysWOW64\vgjkv.dll (process: b389b582e661d5bedc2e5d93656e2b9d25ab65b3a0785fac2e560648b439ce50.exe)
- Modifies registry class (6 IoCs, all by process b389b582e661d5bedc2e5d93656e2b9d25ab65b3a0785fac2e560648b439ce50.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11246469-E4E9-E3B4-062C-028B6129A9DC}\InprocServer32\ThreadingModel = "Apartment"
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11246469-E4E9-E3B4-062C-028B6129A9DC}\InprocServer32
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11246469-E4E9-E3B4-062C-028B6129A9DC}
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11246469-E4E9-E3B4-062C-028B6129A9DC}\InprocServer32\ = "C:\\Windows\\SysWow64\\vgjkv.dll"
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 5096: b389b582e661d5bedc2e5d93656e2b9d25ab65b3a0785fac2e560648b439ce50.exe
  PID 5096: b389b582e661d5bedc2e5d93656e2b9d25ab65b3a0785fac2e560648b439ce50.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 5096 wrote to memory of 5044 (process: b389b582e661d5bedc2e5d93656e2b9d25ab65b3a0785fac2e560648b439ce50.exe, procid_target: 81)
  PID 5096 wrote to memory of 5044 (process: b389b582e661d5bedc2e5d93656e2b9d25ab65b3a0785fac2e560648b439ce50.exe, procid_target: 81)
  PID 5096 wrote to memory of 5044 (process: b389b582e661d5bedc2e5d93656e2b9d25ab65b3a0785fac2e560648b439ce50.exe, procid_target: 81)
Processes
- C:\Users\Admin\AppData\Local\Temp\b389b582e661d5bedc2e5d93656e2b9d25ab65b3a0785fac2e560648b439ce50.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b389b582e661d5bedc2e5d93656e2b9d25ab65b3a0785fac2e560648b439ce50.exe"
  PID: 5096
  Signatures: Loads dropped DLL; Adds Run key to start application; Installs/modifies Browser Helper Object; Drops file in System32 directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child of PID 5096)
    Command line: C:\Windows\system32\rundll32.exe C:\Windows\system32\udtyfwi.dll,fvgpbdf
    PID: 5044
    Signatures: Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 84KB
  MD5: 4b8b331ada6af36d8dfe5f7d81ffb170
  SHA1: e64075e3fbb4365b907e95e23bd60f8f88ceff7e
  SHA256: cad22f042c3bf578e9fd61ca25e72fb7a754fb9ea387c2a44d77c9c6e9225fc9
  SHA512: 2ca5bcbd2684c504f8fdc1d7f9a3dd3f4bd8cddf9032e981836c2e7bfb0bbce207f7c19a22ff8d0bc2f04afa1b3c7afc028fd941a36e03a622d7d7975539a416
- Filesize: 62KB
  MD5: 658305d90dd9719a1696d2adfad63847
  SHA1: 1acb16f3453c19e8d7a53f6a214c1871d23110a9
  SHA256: 079ee037dcbcf5dd206ba779755ab34411a420d9f430aa9ccc48840f90ab638c
  SHA512: ccb913ecf1167751ebaa111599e0cba3c69e10576c50795b573591aa6fbc14b4e73bd70a38c98f7918f46d66e4ce99ce3e5db9fd85a28ebcc1bb7ea32305d093