Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

f2b3499121...d6.dll

windows7-x64

8

f2b3499121...d6.dll

windows10-2004-x64

8

Analysis

  • max time kernel
    103s
  • max time network
    169s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/10/2022, 12:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f2b3499121baba009f05137bca2ffaf7ad4d582621f36febf563c55974718dd6.dll

  • Size

    260KB

  • MD5

    96c79ea51c2beae60aa1e4881f3bd824

  • SHA1

    47db43984d893fbcf363ce6a66ea94986925777e

  • SHA256

    f2b3499121baba009f05137bca2ffaf7ad4d582621f36febf563c55974718dd6

  • SHA512

    2aab23a13fc6bc791610e71c6f28ed262fe56de749d77e2d10f1d2bfededb061a4ed7b47cd7cae08053e43e30a6ceaae7e253d2a6c5b4330e28fcc03b654c3d1

  • SSDEEP

    3072:sZmu9K33WSwdJ/tILtAPrL+oxdv9jD4Nn0LhlchQAItUkkH0jpgj7xIhVH/g:s8b33QqUrSqc0LDchQptQieVI//g

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 29 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f2b3499121baba009f05137bca2ffaf7ad4d582621f36febf563c55974718dd6.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1656
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\f2b3499121baba009f05137bca2ffaf7ad4d582621f36febf563c55974718dd6.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4912
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:3732
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:1972
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:2260
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 208
                6⤵
                • Program crash
                PID:3096
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3968
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3968 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:4316
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              PID:2964
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2260 -ip 2260
      1⤵
        PID:1996

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Microsoft\WaterMark.exe
        Filesize

        117KB

        MD5

        8496f6a2cbd1e710149e098e047eaee2

        SHA1

        dd0a84f13d385928e5270ef9b4b442150fd4a060

        SHA256

        dfa3498dc41116db8aec3fd24721709e90248ad9de239222f1ed31f1f9286a03

        SHA512

        c7a58e158ff3fbfd2bf5e2327221f6f5d24fc7abef2b48da63e98ee96efb3ff0e9d8ce8047f34f3843f385ca0607ee85a5ca7e0a8e3330366a23e99c1d9e3dd5

        Download Submit

      • C:\Program Files (x86)\Microsoft\WaterMark.exe
        Filesize

        117KB

        MD5

        8496f6a2cbd1e710149e098e047eaee2

        SHA1

        dd0a84f13d385928e5270ef9b4b442150fd4a060

        SHA256

        dfa3498dc41116db8aec3fd24721709e90248ad9de239222f1ed31f1f9286a03

        SHA512

        c7a58e158ff3fbfd2bf5e2327221f6f5d24fc7abef2b48da63e98ee96efb3ff0e9d8ce8047f34f3843f385ca0607ee85a5ca7e0a8e3330366a23e99c1d9e3dd5

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        471B

        MD5

        7550b85aee4221c59808672005ed8855

        SHA1

        aeb269eff06f518132b9ecea824523fa125ba2d2

        SHA256

        2b1c1e36c5419b7b3351aad8a08fee019473c832fe242ec2bf438b160d5eb8b2

        SHA512

        216d401cb461099f7d2f3626957800cba77308b790ec181e2affb97339570bb9e168a56f3264cad79cd60589637679728fb2a87199a91667dc3ccfd4117f2bab

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        434B

        MD5

        02b49e4e2df910337e1edef7571465a8

        SHA1

        4d73836e70305a908439b4ef05ec98fa707eea41

        SHA256

        54902246d0b830ec4bafda400f30cb8ad0ab94c88958ab007692f43d370168fd

        SHA512

        3459e1e759a0b81af42b1804ebf43d7403ab89bd636ea2dc419429d4e9cba81b13b28106012f8547ebc3903e3cb63e1443ae952cc87fd7a5f0d01ccd20d9cd63

        Download Submit

      • C:\Windows\SysWOW64\rundll32mgr.exe
        Filesize

        117KB

        MD5

        8496f6a2cbd1e710149e098e047eaee2

        SHA1

        dd0a84f13d385928e5270ef9b4b442150fd4a060

        SHA256

        dfa3498dc41116db8aec3fd24721709e90248ad9de239222f1ed31f1f9286a03

        SHA512

        c7a58e158ff3fbfd2bf5e2327221f6f5d24fc7abef2b48da63e98ee96efb3ff0e9d8ce8047f34f3843f385ca0607ee85a5ca7e0a8e3330366a23e99c1d9e3dd5

        Download Submit

      • C:\Windows\SysWOW64\rundll32mgr.exe
        Filesize

        117KB

        MD5

        8496f6a2cbd1e710149e098e047eaee2

        SHA1

        dd0a84f13d385928e5270ef9b4b442150fd4a060

        SHA256

        dfa3498dc41116db8aec3fd24721709e90248ad9de239222f1ed31f1f9286a03

        SHA512

        c7a58e158ff3fbfd2bf5e2327221f6f5d24fc7abef2b48da63e98ee96efb3ff0e9d8ce8047f34f3843f385ca0607ee85a5ca7e0a8e3330366a23e99c1d9e3dd5

        Download Submit

      • memory/1972-160-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/1972-154-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/1972-161-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/1972-162-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/1972-159-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/1972-158-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/1972-149-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/1972-153-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/1972-156-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/3732-145-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3732-157-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/3732-146-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/3732-141-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3732-140-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3732-137-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/4912-133-0x0000000074ED0000-0x0000000074F13000-memory.dmp

        Filesize

        268KB

        Download