Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

6ed2cd0ad3...5d.dll

windows7-x64

8

6ed2cd0ad3...5d.dll

windows10-2004-x64

8

Analysis

  • max time kernel
    123s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    20/10/2022, 03:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6ed2cd0ad3af207c3b07e8f0ae43df89001f516e4edfab090bb2283a9bf4875d.dll

  • Size

    596KB

  • MD5

    7ba3161d629cc179412835c88c4500f7

  • SHA1

    8773e6711a316100db0f319ee6decd9d433fab1e

  • SHA256

    6ed2cd0ad3af207c3b07e8f0ae43df89001f516e4edfab090bb2283a9bf4875d

  • SHA512

    7ac20b72505ffe2a3d4c09896dc3d41da18d9d199c045ba053cc85de276256d9a53eb5917be362c7b771089adff80603d74a2b68195f6e632ab66ff6b4414776

  • SSDEEP

    12288:bXo450qjYthuCNIm/kqF6a2FjyHIDiroM3kN:y/ku6FjyHe+oM32

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 53 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ed2cd0ad3af207c3b07e8f0ae43df89001f516e4edfab090bb2283a9bf4875d.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1388
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ed2cd0ad3af207c3b07e8f0ae43df89001f516e4edfab090bb2283a9bf4875d.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1456
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1004
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1164
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1164 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:820
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1240
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1240 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:708
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 280
        3⤵
        • Program crash
        PID:1524

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{27E7BB41-5074-11ED-8C74-D6AAFEFD221A}.dat
    Filesize

    3KB

    MD5

    10f534afb9e4a2e246dceb4b4f83c461

    SHA1

    d5895a048c36b00a98ec6d5a11ad9db74e79248f

    SHA256

    f02a622d0bd7362f04497808b5a1af3a23625406f7c5069084f9fe24153197f1

    SHA512

    dfeec57e68d9d1f60edc1a2891116d7b3d6091e24dfa14c408b241188f67b02aa30689fe6b12b2f326c5266fd61539e9416be3107459c0b67d175a7a350c28bf

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{27E9B711-5074-11ED-8C74-D6AAFEFD221A}.dat
    Filesize

    3KB

    MD5

    4110f59d4bbfab94229276b0addcef33

    SHA1

    600fafa5f6bb32eefdfc5aefd65405e34db6b8a2

    SHA256

    0aba3084f033975edc0ed54a632503a146f71c556d063a4b8e73b1e422fe2d97

    SHA512

    8258033498f5761fc0ab7c6374e18f11d0ce3b06478efea71561413fd4e44c6cc33d8683b087e93eac5a98bad8767389e6772081891f83cf3b1b037a29b1ef6e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YRKOHOX7.txt
    Filesize

    599B

    MD5

    ad837ba6d357f8659017e1631834ea3e

    SHA1

    51f32f11b2a757f048a6a2038d5b1dd50d1a8531

    SHA256

    e55ab272f0ef60c575b73404d2be77dbe4060592944d8f60f19927203a1e7257

    SHA512

    d3eec65fdc5ec35b9d822fb2c7c8e8519e4eeecff8c7dd22eab1e701b8b0f51570a4b128b65bf90123e601a8cf6d978a71c09bb2ebba47948c9b3d6cf6433ca9

    Download Submit

  • C:\Windows\SysWOW64\rundll32mgr.exe
    Filesize

    221KB

    MD5

    ce0c184845b7fcfffeb671f7f992a177

    SHA1

    41f7d4b9ddac19ba5cd10e4a4aff5168d4443171

    SHA256

    2c576d543410c985df7b044ef8dc203c0846016d16a5785d67556d3a85b86a96

    SHA512

    f41dc07ba2fa14a612dbf2d17b511b34413d6eae6af82ec5d5c44bf7c2b9a29b74e4eb436853c0618451f06a75f0b96078a66f715a6041f55fb697aef7d160ac

    Download Submit

  • \Windows\SysWOW64\rundll32mgr.exe
    Filesize

    221KB

    MD5

    ce0c184845b7fcfffeb671f7f992a177

    SHA1

    41f7d4b9ddac19ba5cd10e4a4aff5168d4443171

    SHA256

    2c576d543410c985df7b044ef8dc203c0846016d16a5785d67556d3a85b86a96

    SHA512

    f41dc07ba2fa14a612dbf2d17b511b34413d6eae6af82ec5d5c44bf7c2b9a29b74e4eb436853c0618451f06a75f0b96078a66f715a6041f55fb697aef7d160ac

    Download Submit

  • \Windows\SysWOW64\rundll32mgr.exe
    Filesize

    221KB

    MD5

    ce0c184845b7fcfffeb671f7f992a177

    SHA1

    41f7d4b9ddac19ba5cd10e4a4aff5168d4443171

    SHA256

    2c576d543410c985df7b044ef8dc203c0846016d16a5785d67556d3a85b86a96

    SHA512

    f41dc07ba2fa14a612dbf2d17b511b34413d6eae6af82ec5d5c44bf7c2b9a29b74e4eb436853c0618451f06a75f0b96078a66f715a6041f55fb697aef7d160ac

    Download Submit

  • memory/1004-63-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/1004-64-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/1456-61-0x0000000010000000-0x00000000126CD000-memory.dmp

    Filesize

    38.8MB

    Download

  • memory/1456-62-0x0000000000670000-0x00000000006E3000-memory.dmp

    Filesize

    460KB

    Download

  • memory/1456-55-0x0000000075E11000-0x0000000075E13000-memory.dmp

    Filesize

    8KB

    Download