Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    135s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/10/2022, 17:26 UTC

General

  • Target

    ef6dfcec7a338ad05ec03bf5cfac1d20b26221e3ca4a36d2bb7d3b78ae2c590b.dll

  • Size

    19KB

  • MD5

    12a7e662ebd1b63d172db9232ba67cb0

  • SHA1

    faab9e3171614bbf0eafcf53b99bd62ad32cfdf0

  • SHA256

    ef6dfcec7a338ad05ec03bf5cfac1d20b26221e3ca4a36d2bb7d3b78ae2c590b

  • SHA512

    0acf73107caceaa7cca85df4809bdcfac31caafb99032270d94b7d8880f3600bd65ad97f93134eea3a0db877100c5ec4800a4ecfe34923d103903c412b722a06

  • SSDEEP

    384:f7/n22ITPgfEhDsrQ800i80zY4+j7JdZgU0FaXE8:f7/nyPhhDsGn80zpW7JdZgtFaXE

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ef6dfcec7a338ad05ec03bf5cfac1d20b26221e3ca4a36d2bb7d3b78ae2c590b.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4664
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\ef6dfcec7a338ad05ec03bf5cfac1d20b26221e3ca4a36d2bb7d3b78ae2c590b.dll,#1
      2⤵
      • Blocklisted process makes network request
      PID:4744

Network

  • flag-us
    DNS
    capital.go2cloud.org
    rundll32.exe
    Remote address:
    8.8.8.8:53
    Request
    capital.go2cloud.org
    IN A
    Response
    capital.go2cloud.org
    IN A
    34.198.147.111
    capital.go2cloud.org
    IN A
    52.20.195.125
    capital.go2cloud.org
    IN A
    52.205.36.237
  • flag-us
    GET
    http://capital.go2cloud.org/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=1505&aff_sub2=4223161&aff_sub3=0&aff_sub4=0&aff_sub5=0&url=http%3A%2F%2Fup.cp-rig.xyz/offer.php%3FaffId%3D{aff_id}%26trackingId%3D467344%26instId%3D11%26ho_trackingid%3D{transaction_id}%26cc%3DRU
    rundll32.exe
    Remote address:
    34.198.147.111:80
    Request
    GET http://capital.go2cloud.org/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=1505&aff_sub2=4223161&aff_sub3=0&aff_sub4=0&aff_sub5=0&url=http%3A%2F%2Fup.cp-rig.xyz/offer.php%3FaffId%3D{aff_id}%26trackingId%3D467344%26instId%3D11%26ho_trackingid%3D{transaction_id}%26cc%3DRU HTTP/1.1
    Host: capital.go2cloud.org
    Connection: close
    Accept: */*
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
    Response
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Wed, 12 Oct 2022 00:15:31 GMT
    Content-Length: 0
    Connection: close
  • flag-us
    GET
    http://capital.go2cloud.org/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=1505&aff_sub2=4223161&aff_sub3=0&aff_sub4=0&aff_sub5=0&url=http%3A%2F%2Fup.cp-rig.xyz/offer.php%3FaffId%3D{aff_id}%26trackingId%3D467344%26instId%3D11%26ho_trackingid%3D{transaction_id}%26cc%3DRU
    rundll32.exe
    Remote address:
    34.198.147.111:80
    Request
    GET http://capital.go2cloud.org/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=1505&aff_sub2=4223161&aff_sub3=0&aff_sub4=0&aff_sub5=0&url=http%3A%2F%2Fup.cp-rig.xyz/offer.php%3FaffId%3D{aff_id}%26trackingId%3D467344%26instId%3D11%26ho_trackingid%3D{transaction_id}%26cc%3DRU HTTP/1.1
    Host: capital.go2cloud.org
    Connection: close
    Accept: */*
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
    Response
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Wed, 12 Oct 2022 00:15:31 GMT
    Content-Length: 0
    Connection: close
  • 178.79.208.1:80
    260 B
    5
  • 34.198.147.111:80
    http://capital.go2cloud.org/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=1505&aff_sub2=4223161&aff_sub3=0&aff_sub4=0&aff_sub5=0&url=http%3A%2F%2Fup.cp-rig.xyz/offer.php%3FaffId%3D{aff_id}%26trackingId%3D467344%26instId%3D11%26ho_trackingid%3D{transaction_id}%26cc%3DRU
    http
    rundll32.exe
    678 B
    324 B
    5
    5

    HTTP Request

    GET http://capital.go2cloud.org/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=1505&aff_sub2=4223161&aff_sub3=0&aff_sub4=0&aff_sub5=0&url=http%3A%2F%2Fup.cp-rig.xyz/offer.php%3FaffId%3D{aff_id}%26trackingId%3D467344%26instId%3D11%26ho_trackingid%3D{transaction_id}%26cc%3DRU

    HTTP Response

    404
  • 34.198.147.111:80
    http://capital.go2cloud.org/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=1505&aff_sub2=4223161&aff_sub3=0&aff_sub4=0&aff_sub5=0&url=http%3A%2F%2Fup.cp-rig.xyz/offer.php%3FaffId%3D{aff_id}%26trackingId%3D467344%26instId%3D11%26ho_trackingid%3D{transaction_id}%26cc%3DRU
    http
    rundll32.exe
    678 B
    324 B
    5
    5

    HTTP Request

    GET http://capital.go2cloud.org/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=1505&aff_sub2=4223161&aff_sub3=0&aff_sub4=0&aff_sub5=0&url=http%3A%2F%2Fup.cp-rig.xyz/offer.php%3FaffId%3D{aff_id}%26trackingId%3D467344%26instId%3D11%26ho_trackingid%3D{transaction_id}%26cc%3DRU

    HTTP Response

    404
  • 93.184.220.29:80
    322 B
    7
  • 104.80.225.205:443
    322 B
    7
  • 20.42.73.26:443
    322 B
    7
  • 8.8.8.8:53
    capital.go2cloud.org
    dns
    rundll32.exe
    66 B
    114 B
    1
    1

    DNS Request

    capital.go2cloud.org

    DNS Response

    34.198.147.111
    52.20.195.125
    52.205.36.237

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.