Analysis

  • max time kernel
    123s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/10/2022, 03:27 UTC

General

  • Target

    6ed2cd0ad3af207c3b07e8f0ae43df89001f516e4edfab090bb2283a9bf4875d.dll

  • Size

    596KB

  • MD5

    7ba3161d629cc179412835c88c4500f7

  • SHA1

    8773e6711a316100db0f319ee6decd9d433fab1e

  • SHA256

    6ed2cd0ad3af207c3b07e8f0ae43df89001f516e4edfab090bb2283a9bf4875d

  • SHA512

    7ac20b72505ffe2a3d4c09896dc3d41da18d9d199c045ba053cc85de276256d9a53eb5917be362c7b771089adff80603d74a2b68195f6e632ab66ff6b4414776

  • SSDEEP

    12288:bXo450qjYthuCNIm/kqF6a2FjyHIDiroM3kN:y/ku6FjyHe+oM32

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 53 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ed2cd0ad3af207c3b07e8f0ae43df89001f516e4edfab090bb2283a9bf4875d.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1388
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ed2cd0ad3af207c3b07e8f0ae43df89001f516e4edfab090bb2283a9bf4875d.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1456
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1004
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1164
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1164 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:820
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1240
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1240 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:708
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 280
        3⤵
        • Program crash
        PID:1524

Network

  • flag-us
    DNS
    api.bing.com
    iexplore.exe
    Remote address:
    8.8.8.8:53
    Request
    api.bing.com
    IN A
    Response
    api.bing.com
    IN CNAME
    api-bing-com.e-0001.e-msedge.net
    api-bing-com.e-0001.e-msedge.net
    IN CNAME
    e-0001.e-msedge.net
    e-0001.e-msedge.net
    IN A
    13.107.5.80
  • 204.79.197.200:443
    ieonline.microsoft.com
    tls
    iexplore.exe
    707 B
    7.6kB
    8
    11
  • 8.8.8.8:53
    api.bing.com
    dns
    iexplore.exe
    58 B
    134 B
    1
    1

    DNS Request

    api.bing.com

    DNS Response

    13.107.5.80

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{27E7BB41-5074-11ED-8C74-D6AAFEFD221A}.dat

    Filesize

    3KB

    MD5

    10f534afb9e4a2e246dceb4b4f83c461

    SHA1

    d5895a048c36b00a98ec6d5a11ad9db74e79248f

    SHA256

    f02a622d0bd7362f04497808b5a1af3a23625406f7c5069084f9fe24153197f1

    SHA512

    dfeec57e68d9d1f60edc1a2891116d7b3d6091e24dfa14c408b241188f67b02aa30689fe6b12b2f326c5266fd61539e9416be3107459c0b67d175a7a350c28bf

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{27E9B711-5074-11ED-8C74-D6AAFEFD221A}.dat

    Filesize

    3KB

    MD5

    4110f59d4bbfab94229276b0addcef33

    SHA1

    600fafa5f6bb32eefdfc5aefd65405e34db6b8a2

    SHA256

    0aba3084f033975edc0ed54a632503a146f71c556d063a4b8e73b1e422fe2d97

    SHA512

    8258033498f5761fc0ab7c6374e18f11d0ce3b06478efea71561413fd4e44c6cc33d8683b087e93eac5a98bad8767389e6772081891f83cf3b1b037a29b1ef6e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YRKOHOX7.txt

    Filesize

    599B

    MD5

    ad837ba6d357f8659017e1631834ea3e

    SHA1

    51f32f11b2a757f048a6a2038d5b1dd50d1a8531

    SHA256

    e55ab272f0ef60c575b73404d2be77dbe4060592944d8f60f19927203a1e7257

    SHA512

    d3eec65fdc5ec35b9d822fb2c7c8e8519e4eeecff8c7dd22eab1e701b8b0f51570a4b128b65bf90123e601a8cf6d978a71c09bb2ebba47948c9b3d6cf6433ca9

  • C:\Windows\SysWOW64\rundll32mgr.exe

    Filesize

    221KB

    MD5

    ce0c184845b7fcfffeb671f7f992a177

    SHA1

    41f7d4b9ddac19ba5cd10e4a4aff5168d4443171

    SHA256

    2c576d543410c985df7b044ef8dc203c0846016d16a5785d67556d3a85b86a96

    SHA512

    f41dc07ba2fa14a612dbf2d17b511b34413d6eae6af82ec5d5c44bf7c2b9a29b74e4eb436853c0618451f06a75f0b96078a66f715a6041f55fb697aef7d160ac

  • \Windows\SysWOW64\rundll32mgr.exe

    Filesize

    221KB

    MD5

    ce0c184845b7fcfffeb671f7f992a177

    SHA1

    41f7d4b9ddac19ba5cd10e4a4aff5168d4443171

    SHA256

    2c576d543410c985df7b044ef8dc203c0846016d16a5785d67556d3a85b86a96

    SHA512

    f41dc07ba2fa14a612dbf2d17b511b34413d6eae6af82ec5d5c44bf7c2b9a29b74e4eb436853c0618451f06a75f0b96078a66f715a6041f55fb697aef7d160ac

  • memory/1004-63-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/1004-64-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/1456-61-0x0000000010000000-0x00000000126CD000-memory.dmp

    Filesize

    38.8MB

  • memory/1456-62-0x0000000000670000-0x00000000006E3000-memory.dmp

    Filesize

    460KB

  • memory/1456-55-0x0000000075E11000-0x0000000075E13000-memory.dmp

    Filesize

    8KB
