Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

f191664e09...28.dll

windows7-x64

8

f191664e09...28.dll

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/10/2022, 11:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f191664e09320044aea809e4972e61cbdd25de7c7d96c22b1ac843933309b928.dll

  • Size

    71KB

  • MD5

    9340fa9e8a2c8eb8566a700001a39087

  • SHA1

    4b457daf14d5029a53b7f2696afbb1651df12554

  • SHA256

    f191664e09320044aea809e4972e61cbdd25de7c7d96c22b1ac843933309b928

  • SHA512

    57d6b7adb40274b1b98f1d2204d8415cd22fda01026688ce6b09e4a242b7ecb06a347bfb866eba41f45456549c195b882a32422431dfb431a6a8d51fbcef2537

  • SSDEEP

    768:0kSpisvuzgdwMG9hl7c1M5uEcnZ99AO3z9p38MpMXTnkx+UZJnbkpHx4Bn4LZ7:9SplSbm1rtAO3zfMMpwD4nJnbhBn49

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 8 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f191664e09320044aea809e4972e61cbdd25de7c7d96c22b1ac843933309b928.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4764
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\f191664e09320044aea809e4972e61cbdd25de7c7d96c22b1ac843933309b928.dll,#1
      2⤵
      • Checks computer location settings
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:3912
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe -s "C:\Users\Admin\AppData\Local\Temp\bjhgfreg.reg"
        3⤵
        • Runs .reg file with regedit
        PID:1780
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\Common Files\Microsoft Shared\bjhgf.dll",polmxhat
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1656

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Common Files\Microsoft Shared\bjhgf.dll
    Filesize

    71KB

    MD5

    9340fa9e8a2c8eb8566a700001a39087

    SHA1

    4b457daf14d5029a53b7f2696afbb1651df12554

    SHA256

    f191664e09320044aea809e4972e61cbdd25de7c7d96c22b1ac843933309b928

    SHA512

    57d6b7adb40274b1b98f1d2204d8415cd22fda01026688ce6b09e4a242b7ecb06a347bfb866eba41f45456549c195b882a32422431dfb431a6a8d51fbcef2537

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\bjhgf.dll
    Filesize

    71KB

    MD5

    9340fa9e8a2c8eb8566a700001a39087

    SHA1

    4b457daf14d5029a53b7f2696afbb1651df12554

    SHA256

    f191664e09320044aea809e4972e61cbdd25de7c7d96c22b1ac843933309b928

    SHA512

    57d6b7adb40274b1b98f1d2204d8415cd22fda01026688ce6b09e4a242b7ecb06a347bfb866eba41f45456549c195b882a32422431dfb431a6a8d51fbcef2537

    Download Submit