Analysis

max time kernel: 166s
max time network: 206s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/11/2022, 16:37
Static task: static1

Behavioral task: behavioral1
  Sample: 99ac31b4ef6d211eaf12d90975d0b75a0149c6c14acdb14abfda71ccdde6076c.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: 99ac31b4ef6d211eaf12d90975d0b75a0149c6c14acdb14abfda71ccdde6076c.exe
  Resource: win10v2004-20221111-en
General

Target: 99ac31b4ef6d211eaf12d90975d0b75a0149c6c14acdb14abfda71ccdde6076c.exe
Size: 184KB
MD5: ee93ea77139fdc0881d181de424be3db
SHA1: ea0efe310ee3794a4d5f6e074e2f1f56e50180bc
SHA256: 99ac31b4ef6d211eaf12d90975d0b75a0149c6c14acdb14abfda71ccdde6076c
SHA512: 3e7013317814860cd439c11c7502d136464f6f16830960fb106d8546f3de112594461f741664eb3ed84a6610abd373863c61b15392e8ba17ea03f5dcd7b5fba2
SSDEEP: 3072:bqPO7C6IiSX2hI/rmE8PjguXRY7ArrCEmguU1DNlFJa39g:bSOu6i2hI/rXGg4RLmED5F
Malware Config
Signatures

Blocklisted process makes network request (4 IoCs)
flow | pid | Process
59 | 4288 | RUNDLL32.EXE
79 | 4288 | RUNDLL32.EXE
86 | 4288 | RUNDLL32.EXE
97 | 4288 | RUNDLL32.EXE

Loads dropped DLL (2 IoCs)
pid | Process
1220 | RUNDLL32.EXE
4288 | RUNDLL32.EXE

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run | RUNDLL32.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Autorun = "RUNDLL32.EXE \"\\SxS.DLL\" GnrkQr 3爀" | RUNDLL32.EXE

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4288 | RUNDLL32.EXE
Token: SeTcbPrivilege | 4288 | RUNDLL32.EXE

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 2104 wrote to memory of 1220 | 2104 | 99ac31b4ef6d211eaf12d90975d0b75a0149c6c14acdb14abfda71ccdde6076c.exe | 84
PID 2104 wrote to memory of 1220 | 2104 | 99ac31b4ef6d211eaf12d90975d0b75a0149c6c14acdb14abfda71ccdde6076c.exe | 84
PID 2104 wrote to memory of 1220 | 2104 | 99ac31b4ef6d211eaf12d90975d0b75a0149c6c14acdb14abfda71ccdde6076c.exe | 84
PID 1220 wrote to memory of 4288 | 1220 | RUNDLL32.EXE | 85
PID 1220 wrote to memory of 4288 | 1220 | RUNDLL32.EXE | 85
PID 1220 wrote to memory of 4288 | 1220 | RUNDLL32.EXE | 85
Processes

C:\Users\Admin\AppData\Local\Temp\99ac31b4ef6d211eaf12d90975d0b75a0149c6c14acdb14abfda71ccdde6076c.exe (PID 2104)
  command line: "C:\Users\Admin\AppData\Local\Temp\99ac31b4ef6d211eaf12d90975d0b75a0149c6c14acdb14abfda71ccdde6076c.exe"
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\RUNDLL32.EXE (PID 1220)
    command line: RUNDLL32.EXE "\SxS.DLL" GnrkQr 0 "C:\Users\Admin\AppData\Local\Temp\99ac31b4ef6d211eaf12d90975d0b75a0149c6c14acdb14abfda71ccdde6076c.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\RUNDLL32.EXE (PID 4288)
      command line: RUNDLL32.EXE "\SxS.DLL" GnrkQr 3
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 184KB
MD5: 5d5215ef8f5c5dbbb867cf73e081fad2
SHA1: b2a5830d7f6c5f2ad4cae0ad918f02c8b8eda43d
SHA256: 34d9102d202bb16baaf24ee805b638570474cf717eb6356273827881cf09d687
SHA512: 4e86f21c5e755e06c928279ccb74ecd91d15e317b9c11e04d4baf379cf9aafe686565c7d2b329778437609d44b97e3deb7d968b3d9325b68171f9bc5da97fcb8