Analysis
- max time kernel: 129s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/10/2022, 05:18
Static task
- static1
Behavioral task
- behavioral1
  Sample: b589b79d19de9389c621142fc05f9bd180a1c84f7d2ee701d6f8ace9e0ccab25.dll
  Resource: win7-20220901-en
Behavioral task
- behavioral2
  Sample: b589b79d19de9389c621142fc05f9bd180a1c84f7d2ee701d6f8ace9e0ccab25.dll
  Resource: win10v2004-20220812-en
General
- Target: b589b79d19de9389c621142fc05f9bd180a1c84f7d2ee701d6f8ace9e0ccab25.dll
- Size: 1.6MB
- MD5: 80a52efd0c41ba37770c711fb85ca4f0
- SHA1: 508a62cdf6835cc78fb90d2a0723bf55e3556b90
- SHA256: b589b79d19de9389c621142fc05f9bd180a1c84f7d2ee701d6f8ace9e0ccab25
- SHA512: 2e59884bf8dfffcefc3ac67d56b399b2a00bd5cefd7cec4be1ad164115b6d41b5547419ff85aa1e4dc82a593a3b2ee7561ad358abc3e30b39c3a1580a21fc025
- SSDEEP: 3072:G3huG90E7NOkdvaURX0iyUhfImen+ELTD2qnFkscO8Nw0r8usH3:euG9nN91R0iHFI1LTDpeK8Os
Malware Config
Signatures
- Sets DLL path for service in the registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SENS\Parameters\ServiceDll = "C:\\PROGRA~3\\dimasonimnj.dat" | rundll32.exe
- Drops file in Program Files directory (4 IoCs)
  description | ioc | Process
  File created | C:\PROGRA~3\dimasonimnj.dat | rundll32.exe
  File opened for modification | C:\PROGRA~3\dimasonimnj.dat | rundll32.exe
  File created | C:\PROGRA~3\jnminosamid.dat | rundll32.exe
  File opened for modification | C:\PROGRA~3\jnminosamid.dat | rundll32.exe
- Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{0B24D55E-1EA3-4C7B-884A-69562E1E88E7}.crmlog | dllhost.exe
  File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{0B24D55E-1EA3-4C7B-884A-69562E1E88E7}.crmlog | dllhost.exe
- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  3740 | 4868 | WerFault.exe | 84
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  4868 | rundll32.exe
  4868 | rundll32.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4868 | rundll32.exe
  Token: SeDebugPrivilege | 4868 | rundll32.exe
  Token: SeDebugPrivilege | 4868 | rundll32.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  4868 | rundll32.exe
- Suspicious use of WriteProcessMemory (22 IoCs)
  description | pid | Process | procid_target
  PID 4904 wrote to memory of 4868 | 4904 | rundll32.exe | 84
  PID 4904 wrote to memory of 4868 | 4904 | rundll32.exe | 84
  PID 4904 wrote to memory of 4868 | 4904 | rundll32.exe | 84
  PID 4868 wrote to memory of 788 | 4868 | rundll32.exe | 82
  PID 4868 wrote to memory of 4684 | 4868 | rundll32.exe | 85
  PID 4868 wrote to memory of 4684 | 4868 | rundll32.exe | 85
  PID 4868 wrote to memory of 4684 | 4868 | rundll32.exe | 85
  PID 4684 wrote to memory of 2108 | 4684 | cmd.exe | 88
  PID 4684 wrote to memory of 2108 | 4684 | cmd.exe | 88
  PID 4684 wrote to memory of 2108 | 4684 | cmd.exe | 88
  PID 2108 wrote to memory of 4156 | 2108 | net.exe | 89
  PID 2108 wrote to memory of 4156 | 2108 | net.exe | 89
  PID 2108 wrote to memory of 4156 | 2108 | net.exe | 89
  PID 4868 wrote to memory of 3552 | 4868 | rundll32.exe | 91
  PID 4868 wrote to memory of 3552 | 4868 | rundll32.exe | 91
  PID 4868 wrote to memory of 3552 | 4868 | rundll32.exe | 91
  PID 3552 wrote to memory of 3300 | 3552 | cmd.exe | 93
  PID 3552 wrote to memory of 3300 | 3552 | cmd.exe | 93
  PID 3552 wrote to memory of 3300 | 3552 | cmd.exe | 93
  PID 3300 wrote to memory of 2044 | 3300 | net.exe | 94
  PID 3300 wrote to memory of 2044 | 3300 | net.exe | 94
  PID 3300 wrote to memory of 2044 | 3300 | net.exe | 94
Processes
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p
  PID: 788
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b589b79d19de9389c621142fc05f9bd180a1c84f7d2ee701d6f8ace9e0ccab25.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  PID: 4904
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b589b79d19de9389c621142fc05f9bd180a1c84f7d2ee701d6f8ace9e0ccab25.dll,#1
    Signatures: Sets DLL path for service in the registry; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    PID: 4868
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c net start COMSysApp
      Signatures: Suspicious use of WriteProcessMemory
      PID: 4684
      - C:\Windows\SysWOW64\net.exe
        Command line: net start COMSysApp
        Signatures: Suspicious use of WriteProcessMemory
        PID: 2108
        - C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 start COMSysApp
          PID: 4156
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c net start SENS
      Signatures: Suspicious use of WriteProcessMemory
      PID: 3552
      - C:\Windows\SysWOW64\net.exe
        Command line: net start SENS
        Signatures: Suspicious use of WriteProcessMemory
        PID: 3300
        - C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 start SENS
          PID: 2044
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 692
      Signatures: Program crash
      PID: 3740
- C:\Windows\system32\dllhost.exe
  Command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
  Signatures: Drops file in Windows directory
  PID: 2992
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4868 -ip 4868
  PID: 4948
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
  PID: 2212