Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1802748d08...be.dll

windows7-x64

10

1802748d08...be.dll

windows10-2004-x64

8

Analysis

  • max time kernel
    91s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/10/2022, 12:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1802748d085c9502a4fc7cbdd23e0c9ada2a8d841a4687b8bef6ff6ceb2409be.dll

  • Size

    454KB

  • MD5

    a003aa5c85856f5d4f5ab277358ea710

  • SHA1

    6845fd9cdd1d20c94918aabe87942638b7797762

  • SHA256

    1802748d085c9502a4fc7cbdd23e0c9ada2a8d841a4687b8bef6ff6ceb2409be

  • SHA512

    c469cdbf3ac71f0dbad89dd5c50822aa82ecd83307b0e8eef0e0d74d056119a223336f75eb192abe4b8a91916bc2beb045376a317336bd270abf7ffbe20e28a7

  • SSDEEP

    12288:7xGCOXzURlbDC9K69u2m+SqOWcsQQKiY4leDDGoggH/VREG6j4Gm01b8nPCFZyQ9:twXz2aFZ3Tf

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • UPX packed file 28 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Program crash 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 53 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1802748d085c9502a4fc7cbdd23e0c9ada2a8d841a4687b8bef6ff6ceb2409be.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4060
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\1802748d085c9502a4fc7cbdd23e0c9ada2a8d841a4687b8bef6ff6ceb2409be.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:5024
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:2104
        • C:\Windows\SysWOW64\rundll32mgrmgr.exe
          C:\Windows\SysWOW64\rundll32mgrmgr.exe
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:4900
          • C:\Program Files (x86)\Microsoft\WaterMark.exe
            "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of UnmapMainImage
            • Suspicious use of WriteProcessMemory
            PID:4360
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\system32\svchost.exe
              6⤵
                PID:1408
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 204
                  7⤵
                  • Program crash
                  PID:3044
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:4800
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4800 CREDAT:17410 /prefetch:2
                  7⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:3020
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:4548
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4548 CREDAT:17410 /prefetch:2
                  7⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:2092
          • C:\Program Files (x86)\Microsoft\WaterMark.exe
            "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of UnmapMainImage
            • Suspicious use of WriteProcessMemory
            PID:1656
            • C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
              "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
              5⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              • Suspicious use of UnmapMainImage
              • Suspicious use of WriteProcessMemory
              PID:2912
              • C:\Program Files (x86)\Microsoft\WaterMark.exe
                "C:\Program Files (x86)\Microsoft\WaterMark.exe"
                6⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of UnmapMainImage
                • Suspicious use of WriteProcessMemory
                PID:216
                • C:\Windows\SysWOW64\svchost.exe
                  C:\Windows\system32\svchost.exe
                  7⤵
                    PID:4240
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 204
                      8⤵
                      • Program crash
                      PID:4632
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe"
                    7⤵
                    • Modifies Internet Explorer settings
                    PID:1140
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe"
                    7⤵
                    • Modifies Internet Explorer settings
                    PID:1124
              • C:\Windows\SysWOW64\svchost.exe
                C:\Windows\system32\svchost.exe
                5⤵
                  PID:4352
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 204
                    6⤵
                    • Program crash
                    PID:3080
                • C:\Program Files\Internet Explorer\iexplore.exe
                  "C:\Program Files\Internet Explorer\iexplore.exe"
                  5⤵
                  • Modifies Internet Explorer settings
                  PID:4924
                • C:\Program Files\Internet Explorer\iexplore.exe
                  "C:\Program Files\Internet Explorer\iexplore.exe"
                  5⤵
                  • Modifies Internet Explorer settings
                  PID:808
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 628
              3⤵
              • Program crash
              PID:2852
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5024 -ip 5024
          1⤵
            PID:424
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 1408 -ip 1408
            1⤵
              PID:3156
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4352 -ip 4352
              1⤵
                PID:1788
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4240 -ip 4240
                1⤵
                  PID:1272

                Network

                MITRE ATT&CK Enterprise v6

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Program Files (x86)\Microsoft\WaterMark.exe
                  Filesize

                  241KB

                  MD5

                  ccc1590163f5d7ecab7056a44e9db124

                  SHA1

                  1dcb42c050ee4bc9eb9a4576e7e74958f3b3a701

                  SHA256

                  f26f3a906655f0f2ecf28e4f1ace3ed923ca3c84e58d07632c2533eb2bebca1f

                  SHA512

                  5bb0db687caef40a1a918c3e859dffd314de7877827261c6957ea2f5157b8b5d7802938daa26e69d24e0725d3b4f2a145c8e4c315be6a60a611aa0cc5a41afe0

                  Download Submit

                • C:\Program Files (x86)\Microsoft\WaterMark.exe
                  Filesize

                  241KB

                  MD5

                  ccc1590163f5d7ecab7056a44e9db124

                  SHA1

                  1dcb42c050ee4bc9eb9a4576e7e74958f3b3a701

                  SHA256

                  f26f3a906655f0f2ecf28e4f1ace3ed923ca3c84e58d07632c2533eb2bebca1f

                  SHA512

                  5bb0db687caef40a1a918c3e859dffd314de7877827261c6957ea2f5157b8b5d7802938daa26e69d24e0725d3b4f2a145c8e4c315be6a60a611aa0cc5a41afe0

                  Download Submit

                • C:\Program Files (x86)\Microsoft\WaterMark.exe
                  Filesize

                  241KB

                  MD5

                  ccc1590163f5d7ecab7056a44e9db124

                  SHA1

                  1dcb42c050ee4bc9eb9a4576e7e74958f3b3a701

                  SHA256

                  f26f3a906655f0f2ecf28e4f1ace3ed923ca3c84e58d07632c2533eb2bebca1f

                  SHA512

                  5bb0db687caef40a1a918c3e859dffd314de7877827261c6957ea2f5157b8b5d7802938daa26e69d24e0725d3b4f2a145c8e4c315be6a60a611aa0cc5a41afe0

                  Download Submit

                • C:\Program Files (x86)\Microsoft\WaterMark.exe
                  Filesize

                  241KB

                  MD5

                  ccc1590163f5d7ecab7056a44e9db124

                  SHA1

                  1dcb42c050ee4bc9eb9a4576e7e74958f3b3a701

                  SHA256

                  f26f3a906655f0f2ecf28e4f1ace3ed923ca3c84e58d07632c2533eb2bebca1f

                  SHA512

                  5bb0db687caef40a1a918c3e859dffd314de7877827261c6957ea2f5157b8b5d7802938daa26e69d24e0725d3b4f2a145c8e4c315be6a60a611aa0cc5a41afe0

                  Download Submit

                • C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
                  Filesize

                  119KB

                  MD5

                  a6aa2de4617939ba1d45caf06ee26101

                  SHA1

                  37855db4d68303311050208ad699825466efec12

                  SHA256

                  53aa56335d1c3cc1c4b0db3688c3250c4ded0611ce14bbd165544761c4a195b6

                  SHA512

                  f5238d39b66af7234c6b82e5d0bd2225f329e76e6e564712beba7c7b629a19006329e764b0795d5aef7ad689ecc48096591c79996bf0991efa57294d3d29ea71

                  Download Submit

                • C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
                  Filesize

                  119KB

                  MD5

                  a6aa2de4617939ba1d45caf06ee26101

                  SHA1

                  37855db4d68303311050208ad699825466efec12

                  SHA256

                  53aa56335d1c3cc1c4b0db3688c3250c4ded0611ce14bbd165544761c4a195b6

                  SHA512

                  f5238d39b66af7234c6b82e5d0bd2225f329e76e6e564712beba7c7b629a19006329e764b0795d5aef7ad689ecc48096591c79996bf0991efa57294d3d29ea71

                  Download Submit

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                  Filesize

                  471B

                  MD5

                  7550b85aee4221c59808672005ed8855

                  SHA1

                  aeb269eff06f518132b9ecea824523fa125ba2d2

                  SHA256

                  2b1c1e36c5419b7b3351aad8a08fee019473c832fe242ec2bf438b160d5eb8b2

                  SHA512

                  216d401cb461099f7d2f3626957800cba77308b790ec181e2affb97339570bb9e168a56f3264cad79cd60589637679728fb2a87199a91667dc3ccfd4117f2bab

                  Download Submit

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                  Filesize

                  471B

                  MD5

                  7550b85aee4221c59808672005ed8855

                  SHA1

                  aeb269eff06f518132b9ecea824523fa125ba2d2

                  SHA256

                  2b1c1e36c5419b7b3351aad8a08fee019473c832fe242ec2bf438b160d5eb8b2

                  SHA512

                  216d401cb461099f7d2f3626957800cba77308b790ec181e2affb97339570bb9e168a56f3264cad79cd60589637679728fb2a87199a91667dc3ccfd4117f2bab

                  Download Submit

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                  Filesize

                  434B

                  MD5

                  a25a44e9e385d32b3a36f35a93ec4115

                  SHA1

                  e7bcfead5852fa7b40d4b39038f55230fa0c02c4

                  SHA256

                  dae1654fa80f929481f49bf148f3b820972fc51684cc621bf7abf2a0526e0b6a

                  SHA512

                  e4b2dc4eefe232bb3e85b67a6b3c5a86f27290614fd8db0524928e7d52045b4c82c290a866ddfceb143b1afd018b8f219090d7fc2e2a924f29684fdf7587e6cd

                  Download Submit

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                  Filesize

                  434B

                  MD5

                  1590003a44fcb0f08b4b703ab4928dcd

                  SHA1

                  e89bba23182d08959706cdd803a572eee57b6b22

                  SHA256

                  c32bfbfec52a01857dc6b3f86cd9aa3255097f5d5ee79ab7bcdb2deea7dec93c

                  SHA512

                  5d62747e41955758bed47ad029da844b132d504f21c0ae7721315e6b5580cad15ad1ef5c5a9829361a57f102d4a0a7bb8f9fd703ab9edc813e79832015875308

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{31D7F7C6-51C2-11ED-A0EE-D64C4877EDD1}.dat
                  Filesize

                  3KB

                  MD5

                  001a56433bbb7859572519bdfc23b5b7

                  SHA1

                  919891d43bd20ed0c9650b50433b10cd418d1224

                  SHA256

                  380d7a60f743a50f78689ee6e8aee3514bda43602acb7fa21b2665acb059fc34

                  SHA512

                  a044580a9dba7bbf9eb07b17b6ace648afa8291079f4e169a1942d32a1623da38fa576e1977bde7be0f9b244665cd70ea82d7c0a180bed3fac6faf2532a547f1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{31E17F30-51C2-11ED-A0EE-D64C4877EDD1}.dat
                  Filesize

                  5KB

                  MD5

                  ec970dbe1e1cd9c4707e5764ccc7e1bb

                  SHA1

                  7b160c7091de9d97ac22f6552fce6940d2eda8b8

                  SHA256

                  4e67d0fa8e6fdf84866845cc680310a25dcfd64ad6e6954d7423eecf6b6c15de

                  SHA512

                  98969a1554eaa2575f886c458100f63fd39b98c39d51187ee92703bd4546d9f34818154c11e314355e5d320a99732fd45373669f24c2da7c1e927af89af3c7f8

                  Download Submit

                • C:\Windows\SysWOW64\rundll32mgr.exe
                  Filesize

                  241KB

                  MD5

                  ccc1590163f5d7ecab7056a44e9db124

                  SHA1

                  1dcb42c050ee4bc9eb9a4576e7e74958f3b3a701

                  SHA256

                  f26f3a906655f0f2ecf28e4f1ace3ed923ca3c84e58d07632c2533eb2bebca1f

                  SHA512

                  5bb0db687caef40a1a918c3e859dffd314de7877827261c6957ea2f5157b8b5d7802938daa26e69d24e0725d3b4f2a145c8e4c315be6a60a611aa0cc5a41afe0

                  Download Submit

                • C:\Windows\SysWOW64\rundll32mgr.exe
                  Filesize

                  241KB

                  MD5

                  ccc1590163f5d7ecab7056a44e9db124

                  SHA1

                  1dcb42c050ee4bc9eb9a4576e7e74958f3b3a701

                  SHA256

                  f26f3a906655f0f2ecf28e4f1ace3ed923ca3c84e58d07632c2533eb2bebca1f

                  SHA512

                  5bb0db687caef40a1a918c3e859dffd314de7877827261c6957ea2f5157b8b5d7802938daa26e69d24e0725d3b4f2a145c8e4c315be6a60a611aa0cc5a41afe0

                  Download Submit

                • C:\Windows\SysWOW64\rundll32mgrmgr.exe
                  Filesize

                  119KB

                  MD5

                  a6aa2de4617939ba1d45caf06ee26101

                  SHA1

                  37855db4d68303311050208ad699825466efec12

                  SHA256

                  53aa56335d1c3cc1c4b0db3688c3250c4ded0611ce14bbd165544761c4a195b6

                  SHA512

                  f5238d39b66af7234c6b82e5d0bd2225f329e76e6e564712beba7c7b629a19006329e764b0795d5aef7ad689ecc48096591c79996bf0991efa57294d3d29ea71

                  Download Submit

                • C:\Windows\SysWOW64\rundll32mgrmgr.exe
                  Filesize

                  119KB

                  MD5

                  a6aa2de4617939ba1d45caf06ee26101

                  SHA1

                  37855db4d68303311050208ad699825466efec12

                  SHA256

                  53aa56335d1c3cc1c4b0db3688c3250c4ded0611ce14bbd165544761c4a195b6

                  SHA512

                  f5238d39b66af7234c6b82e5d0bd2225f329e76e6e564712beba7c7b629a19006329e764b0795d5aef7ad689ecc48096591c79996bf0991efa57294d3d29ea71

                  Download Submit

                • memory/216-209-0x0000000000400000-0x0000000000448000-memory.dmp

                  Filesize

                  288KB

                  Download

                • memory/216-205-0x0000000000400000-0x0000000000448000-memory.dmp

                  Filesize

                  288KB

                  Download

                • memory/216-208-0x0000000000400000-0x0000000000448000-memory.dmp

                  Filesize

                  288KB

                  Download

                • memory/216-198-0x0000000000400000-0x0000000000448000-memory.dmp

                  Filesize

                  288KB

                  Download

                • memory/216-196-0x0000000000400000-0x0000000000448000-memory.dmp

                  Filesize

                  288KB

                  Download

                • memory/216-197-0x0000000000400000-0x0000000000448000-memory.dmp

                  Filesize

                  288KB

                  Download

                • memory/216-193-0x0000000000400000-0x0000000000448000-memory.dmp

                  Filesize

                  288KB

                  Download

                • memory/1656-192-0x0000000000400000-0x0000000000448000-memory.dmp

                  Filesize

                  288KB

                  Download

                • memory/1656-195-0x0000000000400000-0x0000000000448000-memory.dmp

                  Filesize

                  288KB

                  Download

                • memory/1656-203-0x0000000000400000-0x0000000000448000-memory.dmp

                  Filesize

                  288KB

                  Download

                • memory/1656-204-0x0000000000400000-0x0000000000448000-memory.dmp

                  Filesize

                  288KB

                  Download

                • memory/1656-169-0x0000000000400000-0x0000000000448000-memory.dmp

                  Filesize

                  288KB

                  Download

                • memory/1656-175-0x0000000000400000-0x0000000000448000-memory.dmp

                  Filesize

                  288KB

                  Download

                • memory/1656-207-0x0000000000400000-0x0000000000448000-memory.dmp

                  Filesize

                  288KB

                  Download

                • memory/2104-156-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/2912-172-0x0000000000400000-0x0000000000429000-memory.dmp

                  Filesize

                  164KB

                  Download

                • memory/2912-185-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/4360-206-0x0000000000400000-0x0000000000448000-memory.dmp

                  Filesize

                  288KB

                  Download

                • memory/4360-210-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/4360-202-0x0000000000400000-0x0000000000448000-memory.dmp

                  Filesize

                  288KB

                  Download

                • memory/4360-177-0x0000000000400000-0x0000000000448000-memory.dmp

                  Filesize

                  288KB

                  Download

                • memory/4360-194-0x0000000000400000-0x0000000000448000-memory.dmp

                  Filesize

                  288KB

                  Download

                • memory/4360-162-0x0000000000400000-0x0000000000448000-memory.dmp

                  Filesize

                  288KB

                  Download

                • memory/4360-201-0x0000000000400000-0x0000000000448000-memory.dmp

                  Filesize

                  288KB

                  Download

                • memory/4360-166-0x0000000000400000-0x0000000000448000-memory.dmp

                  Filesize

                  288KB

                  Download

                • memory/4900-148-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/4900-146-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/4900-155-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/5024-159-0x0000000010000000-0x0000000010079000-memory.dmp

                  Filesize

                  484KB

                  Download