Analysis
- max time kernel: 22s
- max time network: 26s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/10/2022, 02:12
Static task: static1
Behavioral task: behavioral1
- Sample: 03fe5a90843c9bf40d63f8614057175cb80edc0c9671b40a304869a9876d9255.dll
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: 03fe5a90843c9bf40d63f8614057175cb80edc0c9671b40a304869a9876d9255.dll
- Resource: win10v2004-20220812-en
General
- Target: 03fe5a90843c9bf40d63f8614057175cb80edc0c9671b40a304869a9876d9255.dll
- Size: 400KB
- MD5: 4c4560da5b64cecdbbc7c1b7734e3000
- SHA1: 66c5ac4a5e9a6907b934bbf30d6e99c2a36d3e42
- SHA256: 03fe5a90843c9bf40d63f8614057175cb80edc0c9671b40a304869a9876d9255
- SHA512: 1abb2fd04c52ea925bccdcf38bfe439bf10e62c31fa7415d27288f88752e3c69433558891770bb2589f434fa7764e3c8c2f79845555f298d584fb4822dbbee04
- SSDEEP: 12288:2uiW+x87s5lXl2yU36PUVFp7Ws8WGYUAsw:biW3gNLU2Uss8
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
  pid 1124, Process regsvr32.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run (Process regsvr32.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QezcoDicgo = "regsvr32.exe \"C:\\ProgramData\\QezcoDicgo\\ZisnAlitt.upt\"" (Process regsvr32.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 1124, Process regsvr32.exe
  pid 1124, Process regsvr32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1124, Process regsvr32.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeCreateGlobalPrivilege, pid 1124, Process regsvr32.exe
  Token: SeDebugPrivilege, pid 1124, Process regsvr32.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2200 wrote to memory of 4192 | 2200 | rundll32.exe | 81
  PID 2200 wrote to memory of 4192 | 2200 | rundll32.exe | 81
  PID 2200 wrote to memory of 4192 | 2200 | rundll32.exe | 81
  PID 4192 wrote to memory of 1124 | 4192 | rundll32.exe | 82
  PID 4192 wrote to memory of 1124 | 4192 | rundll32.exe | 82
  PID 4192 wrote to memory of 1124 | 4192 | rundll32.exe | 82
  PID 1124 wrote to memory of 784 | 1124 | regsvr32.exe | 9
  PID 1124 wrote to memory of 784 | 1124 | regsvr32.exe | 9
Processes
- C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
  Depth: 1, PID: 784
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\03fe5a90843c9bf40d63f8614057175cb80edc0c9671b40a304869a9876d9255.dll,#1
  Depth: 1, PID: 2200
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\03fe5a90843c9bf40d63f8614057175cb80edc0c9671b40a304869a9876d9255.dll,#1
    Depth: 2, PID: 4192
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\regsvr32.exe
      Command line: regsvr32.exe "C:\Users\Admin\AppData\Local\Temp\\~0E56E8AF.tmp"
      Depth: 3, PID: 1124
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 281KB
  MD5: 5fc0a35bb3de5e0a86ca37f6770cd002
  SHA1: 0b2e889a1df3c5264c129c8a062321dcfa34fcce
  SHA256: 6125bb16e35306ea1ed2160c8bfcb3edb2d90e50946b3993052b5aa1694ad467
  SHA512: 21c8bd24fc43e8fe95de75dca3529b51e053bd53149a67a294bf74c767a6b07c66fd6d1e31dbffe3a66e05a6d8c92970002445c82c3cef24cc5926170732f78f