Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/11/2022, 06:17 UTC

General

  • Target

    8776e624d9163e54af0924c337fe2dfdfb8613a0b23ded8d0205f0a03ee9b960.dll

  • Size

    3.5MB

  • MD5

    7454d33db10137d3c64663adcc477e3a

  • SHA1

    6855f2eabdda3f9af0eafc234f2a354eb6150e6d

  • SHA256

    8776e624d9163e54af0924c337fe2dfdfb8613a0b23ded8d0205f0a03ee9b960

  • SHA512

    41ce86848bdcfe698f7082fcc58a345939b3a74f034548feb826348108d2c0e0af21aac31752069cd6a73a5e1afad89b688f8fae06b50bb38f3fd5c290623c98

  • SSDEEP

    49152:zLx999999999999999999999999999999999999999999999999999999999999y:H0

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\8776e624d9163e54af0924c337fe2dfdfb8613a0b23ded8d0205f0a03ee9b960.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4020
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\8776e624d9163e54af0924c337fe2dfdfb8613a0b23ded8d0205f0a03ee9b960.dll,#1
      2⤵
      • Drops file in Program Files directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2612
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 728
        3⤵
        • Program crash
        PID:1044
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Loads dropped DLL
    PID:4208
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2612 -ip 2612
    1⤵
    PID:4804

Network

  • DNS via 8.8.8.8:53 (imgsvc): request bbs100.codns.com IN A; response bbs100.codns.com IN A 127.0.0.1
  • DNS via 8.8.8.8:53: request 97.97.242.52.in-addr.arpa IN PTR; response: (empty)
  • DNS via 8.8.8.8:53: request 2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa IN PTR; response: (empty)
  • 127.0.0.1:5545 (imgsvc)
  • 93.184.221.240:80, 322 B, 7
  • 93.184.221.240:80, 260 B, 5
  • 127.0.0.1:5545 (imgsvc)
  • 93.184.221.240:80, 322 B, 7
  • 93.184.221.240:80, 322 B, 7
  • 93.184.221.240:80, 260 B, 5
  • 127.0.0.1:5545 (imgsvc)
  • 127.0.0.1:5545 (imgsvc)
  • 8.8.8.8:53, bbs100.codns.com, dns, imgsvc, 62 B, 78 B, 1, 1
    DNS Request: bbs100.codns.com
    DNS Response: 127.0.0.1
  • 8.8.8.8:53, 97.97.242.52.in-addr.arpa, dns, 71 B, 145 B, 1, 1
    DNS Request: 97.97.242.52.in-addr.arpa
  • 8.8.8.8:53, 2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa, dns, 118 B, 204 B, 1, 1
    DNS Request: 2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa

MITRE ATT&CK Matrix

Downloads

    • C:\Program Files (x86)\Svae\DqcpbfwhV.jpg

      Filesize

      11.3MB

      MD5

      a12c6281586d7861f1602fe2cef0a2ac

      SHA1

      38f5a384744c3b8980f114a5b65bff0a3d87af14

      SHA256

      b1b7ac3056d43680bd6b97389cca0d5926a61eaca0ef21167ef9e719f944fc29

      SHA512

      4432442e25e1aa6114b0df46aa3871c5d5728b7660dc99797eca38a61fda4f13ab16d5afe214be70fe95a68a9d236062d688711aedf4b2f7e60515db1be89a50

    • \??\c:\program files (x86)\svae\dqcpbfwhv.jpg

      Filesize

      11.3MB

      MD5

      a12c6281586d7861f1602fe2cef0a2ac

      SHA1

      38f5a384744c3b8980f114a5b65bff0a3d87af14

      SHA256

      b1b7ac3056d43680bd6b97389cca0d5926a61eaca0ef21167ef9e719f944fc29

      SHA512

      4432442e25e1aa6114b0df46aa3871c5d5728b7660dc99797eca38a61fda4f13ab16d5afe214be70fe95a68a9d236062d688711aedf4b2f7e60515db1be89a50

    • memory/2612-133-0x0000000010000000-0x0000000010042000-memory.dmp

      Filesize

      264KB

    • memory/2612-137-0x0000000010000000-0x0000000010042000-memory.dmp

      Filesize

      264KB

    • memory/4208-136-0x0000000010000000-0x0000000010042000-memory.dmp

      Filesize

      264KB

    • memory/4208-138-0x0000000010000000-0x0000000010042000-memory.dmp

      Filesize

      264KB
