Analysis
max time kernel: 151s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/10/2022, 20:20
Static task: static1
Behavioral task: behavioral1
  Sample: 4b6a1e80d3a32f2e29a0a715973e25fd8653a2147fa396f3723101edcfb83faa.dll
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 4b6a1e80d3a32f2e29a0a715973e25fd8653a2147fa396f3723101edcfb83faa.dll
  Resource: win10v2004-20220812-en
General
Target: 4b6a1e80d3a32f2e29a0a715973e25fd8653a2147fa396f3723101edcfb83faa.dll
Size: 204KB
MD5: 80371305b7e024c580fe236f05ee03b0
SHA1: 53866548687dad95bf09109b970f3b8487e25e63
SHA256: 4b6a1e80d3a32f2e29a0a715973e25fd8653a2147fa396f3723101edcfb83faa
SHA512: 0f9ba38d6eb5a260a39a9ca6c823ead3de95cd2795ca67b350e4bd9af214be5fbdb8c381ad6c84cf627295c3eb35c2e9e7e039d8a65744139510743941e8ad34
SSDEEP: 3072:iXJ7sOuqIjZypLh9lFMec2zRPPOeXZ5o2c1qxJqwMctgfdK+i8dBP2xyu:iXxMNy1h9rc2VP2P2sIqZcKhi8d
Malware Config
Signatures

Blocklisted process makes network request (3 IoCs)
  flow  pid   Process
  1     1668  rundll32.exe
  8     1668  rundll32.exe
  57    1668  rundll32.exe

  resource                                                                     yara_rule
  behavioral2/memory/2108-133-0x0000000075730000-0x0000000075769000-memory.dmp  upx
  behavioral2/memory/2108-139-0x0000000075730000-0x0000000075769000-memory.dmp  upx
  behavioral2/memory/1668-140-0x0000000075290000-0x00000000752C9000-memory.dmp  upx
  behavioral2/memory/1668-146-0x0000000075290000-0x00000000752C9000-memory.dmp  upx
  behavioral2/memory/1668-147-0x0000000075290000-0x00000000752C9000-memory.dmp  upx
  behavioral2/memory/3492-148-0x0000000075170000-0x00000000751A9000-memory.dmp  upx
  behavioral2/memory/3492-152-0x0000000075170000-0x00000000751A9000-memory.dmp  upx
  behavioral2/memory/1668-153-0x0000000075290000-0x00000000752C9000-memory.dmp  upx
  behavioral2/memory/3492-154-0x0000000075170000-0x00000000751A9000-memory.dmp  upx

Loads dropped DLL (2 IoCs)
  pid   Process
  1668  rundll32.exe
  3492  rundll32.exe

Drops file in Program Files directory (4 IoCs)
  description                   ioc                      Process
  File created                  C:\PROGRA~3\7rt7vfr.jss  rundll32.exe
  File created                  C:\PROGRA~3\rfv7tr7.fee  rundll32.exe
  File opened for modification  C:\PROGRA~3\rfv7tr7.fee  rundll32.exe
  File created                  C:\PROGRA~3\rfv7tr7.odd  rundll32.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   Process       procid_target
  PID 2092 wrote to memory of 2108  2092  rundll32.exe  78
  PID 2092 wrote to memory of 2108  2092  rundll32.exe  78
  PID 2092 wrote to memory of 2108  2092  rundll32.exe  78
  PID 2108 wrote to memory of 1668  2108  rundll32.exe  79
  PID 2108 wrote to memory of 1668  2108  rundll32.exe  79
  PID 2108 wrote to memory of 1668  2108  rundll32.exe  79
  PID 1668 wrote to memory of 3492  1668  rundll32.exe  80
  PID 1668 wrote to memory of 3492  1668  rundll32.exe  80
  PID 1668 wrote to memory of 3492  1668  rundll32.exe  80
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b6a1e80d3a32f2e29a0a715973e25fd8653a2147fa396f3723101edcfb83faa.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 2092

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b6a1e80d3a32f2e29a0a715973e25fd8653a2147fa396f3723101edcfb83faa.dll,#1
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID: 2108

    C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe C:\PROGRA~3\7rt7vfr.jss,CCZ0
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory
      PID: 1668

      C:\Windows\SysWOW64\rundll32.exe
        Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\7rt7vfr.jss,CCZ4
        - Loads dropped DLL
        PID: 3492
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 204KB
MD5: 80371305b7e024c580fe236f05ee03b0
SHA1: 53866548687dad95bf09109b970f3b8487e25e63
SHA256: 4b6a1e80d3a32f2e29a0a715973e25fd8653a2147fa396f3723101edcfb83faa
SHA512: 0f9ba38d6eb5a260a39a9ca6c823ead3de95cd2795ca67b350e4bd9af214be5fbdb8c381ad6c84cf627295c3eb35c2e9e7e039d8a65744139510743941e8ad34

Filesize: 90.6MB
MD5: 50ffe27f64f859fc6dd5e513fd3d188c
SHA1: 6ccf0d0986fb9125384ad2ab247252dbcc521549
SHA256: c6438ad471b8bced71b848f154a1703ce8c0876fcc13e922a5f2f0464ce09e8f
SHA512: e7c3fc3fc1941bb274717b1d2b333e6e73fdfeb44a0a5440846cfaa217fdc7028e720726570aa260dd653d277a975121ccb9c3561dd347d4d6bb0b126b4af80a

Filesize: 204KB
MD5: 80371305b7e024c580fe236f05ee03b0
SHA1: 53866548687dad95bf09109b970f3b8487e25e63
SHA256: 4b6a1e80d3a32f2e29a0a715973e25fd8653a2147fa396f3723101edcfb83faa
SHA512: 0f9ba38d6eb5a260a39a9ca6c823ead3de95cd2795ca67b350e4bd9af214be5fbdb8c381ad6c84cf627295c3eb35c2e9e7e039d8a65744139510743941e8ad34

Filesize: 204KB
MD5: 80371305b7e024c580fe236f05ee03b0
SHA1: 53866548687dad95bf09109b970f3b8487e25e63
SHA256: 4b6a1e80d3a32f2e29a0a715973e25fd8653a2147fa396f3723101edcfb83faa
SHA512: 0f9ba38d6eb5a260a39a9ca6c823ead3de95cd2795ca67b350e4bd9af214be5fbdb8c381ad6c84cf627295c3eb35c2e9e7e039d8a65744139510743941e8ad34

Filesize: 204KB
MD5: 80371305b7e024c580fe236f05ee03b0
SHA1: 53866548687dad95bf09109b970f3b8487e25e63
SHA256: 4b6a1e80d3a32f2e29a0a715973e25fd8653a2147fa396f3723101edcfb83faa
SHA512: 0f9ba38d6eb5a260a39a9ca6c823ead3de95cd2795ca67b350e4bd9af214be5fbdb8c381ad6c84cf627295c3eb35c2e9e7e039d8a65744139510743941e8ad34