Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/10/2022, 20:20

General

  • Target

    4b6a1e80d3a32f2e29a0a715973e25fd8653a2147fa396f3723101edcfb83faa.dll

  • Size

    204KB

  • MD5

    80371305b7e024c580fe236f05ee03b0

  • SHA1

    53866548687dad95bf09109b970f3b8487e25e63

  • SHA256

    4b6a1e80d3a32f2e29a0a715973e25fd8653a2147fa396f3723101edcfb83faa

  • SHA512

    0f9ba38d6eb5a260a39a9ca6c823ead3de95cd2795ca67b350e4bd9af214be5fbdb8c381ad6c84cf627295c3eb35c2e9e7e039d8a65744139510743941e8ad34

  • SSDEEP

    3072:iXJ7sOuqIjZypLh9lFMec2zRPPOeXZ5o2c1qxJqwMctgfdK+i8dBP2xyu:iXxMNy1h9rc2VP2P2sIqZcKhi8d

Score
8/10
upx

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b6a1e80d3a32f2e29a0a715973e25fd8653a2147fa396f3723101edcfb83faa.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b6a1e80d3a32f2e29a0a715973e25fd8653a2147fa396f3723101edcfb83faa.dll,#1
      2⤵
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:2108
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\system32\rundll32.exe C:\PROGRA~3\7rt7vfr.jss,CCZ0
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:1668
        • C:\Windows\SysWOW64\rundll32.exe
          C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\7rt7vfr.jss,CCZ4
          4⤵
          • Loads dropped DLL
          PID:3492

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\PROGRA~3\7rt7vfr.jss

    Filesize

    204KB

    MD5

    80371305b7e024c580fe236f05ee03b0

    SHA1

    53866548687dad95bf09109b970f3b8487e25e63

    SHA256

    4b6a1e80d3a32f2e29a0a715973e25fd8653a2147fa396f3723101edcfb83faa

    SHA512

    0f9ba38d6eb5a260a39a9ca6c823ead3de95cd2795ca67b350e4bd9af214be5fbdb8c381ad6c84cf627295c3eb35c2e9e7e039d8a65744139510743941e8ad34

  • C:\PROGRA~3\rfv7tr7.fee

    Filesize

    90.6MB

    MD5

    50ffe27f64f859fc6dd5e513fd3d188c

    SHA1

    6ccf0d0986fb9125384ad2ab247252dbcc521549

    SHA256

    c6438ad471b8bced71b848f154a1703ce8c0876fcc13e922a5f2f0464ce09e8f

    SHA512

    e7c3fc3fc1941bb274717b1d2b333e6e73fdfeb44a0a5440846cfaa217fdc7028e720726570aa260dd653d277a975121ccb9c3561dd347d4d6bb0b126b4af80a

  • C:\ProgramData\7rt7vfr.jss

    Filesize

    204KB

    MD5

    80371305b7e024c580fe236f05ee03b0

    SHA1

    53866548687dad95bf09109b970f3b8487e25e63

    SHA256

    4b6a1e80d3a32f2e29a0a715973e25fd8653a2147fa396f3723101edcfb83faa

    SHA512

    0f9ba38d6eb5a260a39a9ca6c823ead3de95cd2795ca67b350e4bd9af214be5fbdb8c381ad6c84cf627295c3eb35c2e9e7e039d8a65744139510743941e8ad34

  • C:\Users\Admin\AppData\Local\Temp\7rt7vfr.jss

    Filesize

    204KB

    MD5

    80371305b7e024c580fe236f05ee03b0

    SHA1

    53866548687dad95bf09109b970f3b8487e25e63

    SHA256

    4b6a1e80d3a32f2e29a0a715973e25fd8653a2147fa396f3723101edcfb83faa

    SHA512

    0f9ba38d6eb5a260a39a9ca6c823ead3de95cd2795ca67b350e4bd9af214be5fbdb8c381ad6c84cf627295c3eb35c2e9e7e039d8a65744139510743941e8ad34

  • C:\Users\Admin\AppData\Local\Temp\7rt7vfr.jss

    Filesize

    204KB

    MD5

    80371305b7e024c580fe236f05ee03b0

    SHA1

    53866548687dad95bf09109b970f3b8487e25e63

    SHA256

    4b6a1e80d3a32f2e29a0a715973e25fd8653a2147fa396f3723101edcfb83faa

    SHA512

    0f9ba38d6eb5a260a39a9ca6c823ead3de95cd2795ca67b350e4bd9af214be5fbdb8c381ad6c84cf627295c3eb35c2e9e7e039d8a65744139510743941e8ad34

  • memory/1668-146-0x0000000075290000-0x00000000752C9000-memory.dmp

    Filesize

    228KB

  • memory/1668-153-0x0000000075290000-0x00000000752C9000-memory.dmp

    Filesize

    228KB

  • memory/1668-140-0x0000000075290000-0x00000000752C9000-memory.dmp

    Filesize

    228KB

  • memory/1668-147-0x0000000075290000-0x00000000752C9000-memory.dmp

    Filesize

    228KB

  • memory/2108-133-0x0000000075730000-0x0000000075769000-memory.dmp

    Filesize

    228KB

  • memory/2108-139-0x0000000075730000-0x0000000075769000-memory.dmp

    Filesize

    228KB

  • memory/3492-148-0x0000000075170000-0x00000000751A9000-memory.dmp

    Filesize

    228KB

  • memory/3492-152-0x0000000075170000-0x00000000751A9000-memory.dmp

    Filesize

    228KB

  • memory/3492-154-0x0000000075170000-0x00000000751A9000-memory.dmp

    Filesize

    228KB