Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    151s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/10/2022, 13:18 UTC

General

  • Target

    9cdd65c79921a2dd62616ab5b94dcd7123d13038fc097627f91162e4d9a3db5c.dll

  • Size

    667KB

  • MD5

    a086e03be718ed752d880d21ab9cdb50

  • SHA1

    3d720f928d9791696365bfc19d0bdc4ca371c55e

  • SHA256

    9cdd65c79921a2dd62616ab5b94dcd7123d13038fc097627f91162e4d9a3db5c

  • SHA512

    1c73e1170f2c438cf18fdcf586b4bde3afaf98c013554000f33ca0e7e276aa3c3b521b281a012fe4848dbe5902bb512c2c6ae5ad8d16c929c810155c82e95ee5

  • SSDEEP

    12288:bzb9rMfc+CKUQyUmjtc4euuzPrs9pGp8hunWoopooK9kwP:bzb1MlCKUQyUmjtczu6Prs9pgWoopoo6

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\9cdd65c79921a2dd62616ab5b94dcd7123d13038fc097627f91162e4d9a3db5c.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:648
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\9cdd65c79921a2dd62616ab5b94dcd7123d13038fc097627f91162e4d9a3db5c.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4796
      • C:\Windows\SysWOW64\rundll32Srv.exe
        C:\Windows\SysWOW64\rundll32Srv.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        PID:1464

Network

  • flag-us
    DNS
    rmnzerobased.com
    rundll32Srv.exe
    Remote address:
    8.8.8.8:53
    Request
    rmnzerobased.com
    IN A
    Response
  • 8.8.8.8:443
    tls
    46 B
    169 B
    1
    1
  • 8.8.8.8:443
    tls
    46 B
    169 B
    1
    1
  • 104.80.229.204:443
    322 B
    7
  • 8.8.8.8:443
    tls
    46 B
    113 B
    1
    1
  • 51.104.15.252:443
    322 B
    7
  • 87.248.202.1:80
    322 B
    7
  • 87.248.202.1:80
    322 B
    7
  • 67.24.33.254:80
    322 B
    7
  • 67.26.105.254:80
    46 B
    40 B
    1
    1
  • 8.8.8.8:53
    rmnzerobased.com
    dns
    rundll32Srv.exe
    62 B
    135 B
    1
    1

    DNS Request

    rmnzerobased.com

MITRE ATT&CK Matrix

Downloads

  • C:\Windows\SysWOW64\rundll32Srv.exe

    Filesize

    10KB

    MD5

    9f7f94a22e1ed7f03995292038b35b98

    SHA1

    c4c5a6e26687e788b3a0859aa0e6f1917a7334c2

    SHA256

    a7a43eef41b32a366e865ca71c160ff23e831cce9a28937ff7cd212acd2109e3

    SHA512

    f775bbddc1f594984c5f7d7b88d211d5ddbd54d2fed1c92ae11b5007f6ef3e00b614f729253c77b8f1471b328dbd6be585309414b4310f0c2840dedb9a743bb4

  • memory/1464-137-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/1464-138-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/4796-136-0x0000000005000000-0x00000000050AC000-memory.dmp

    Filesize

    688KB
