Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel: 169s
  max time network: 184s
  platform: windows10-2004_x64
  resource: win10v2004-20221111-en
  resource tags: arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
  submitted: 01/12/2022, 00:55
Static task
  static1
Behavioral task
  behavioral1
  Sample: 965776dc658c84410096ff846182c9bf402b04a437cf31db432cc5579be2fda7.dll
  Resource: win7-20220901-en
Behavioral task
  behavioral2
  Sample: 965776dc658c84410096ff846182c9bf402b04a437cf31db432cc5579be2fda7.dll
  Resource: win10v2004-20221111-en
General
  Target: 965776dc658c84410096ff846182c9bf402b04a437cf31db432cc5579be2fda7.dll
  Size: 147KB
  MD5: 264313c0e5e6060ddffc07df8a07ea70
  SHA1: 91b7a6ba877cf4631164b65227b5ccc865fe34dd
  SHA256: 965776dc658c84410096ff846182c9bf402b04a437cf31db432cc5579be2fda7
  SHA512: 0cca84fa69fd2bf01f37d297e7b742c27ef3ca55fddc6c6e272c52ddeb7ead0337dea93b07a02705862d25d5915430984c0be3ec8c45400f547647d87ec542a6
  SSDEEP: 3072:8mtVm+0Z8gm+gIViTZQBzZGGXxWZcgKNYw1sC1mmVXGI:lVm+0qgHkSvxEcigVl
Malware Config
Signatures
- Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  44    2176  rundll32.exe
  66    2176  rundll32.exe
- Sets DLL path for service in the registry (2 TTPs, 1 IoCs)
  description      ioc                                                                                                     Process
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Winmgmt\Parameters\ServiceDll = "C:\\PROGRA~3\\v4w7rjbn.pzz"  regedit.exe
- Loads dropped DLL (1 IoCs)
  pid   Process
  2176  rundll32.exe
- Drops file in Program Files directory (5 IoCs)
  description                   ioc                         Process
  File created                  C:\PROGRA~3\nbjr7w4v.plz    rundll32.exe
  File created                  C:\PROGRA~3\v4w7rjbn.pff    rundll32.exe
  File opened for modification  C:\PROGRA~3\v4w7rjbn.pff    rundll32.exe
  File created                  C:\PROGRA~3\v4w7rjbn.ctrl   rundll32.exe
  File created                  C:\PROGRA~3\v4w7rjbn.reg    rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (15 IoCs)
  description       ioc                                                                                                   Process
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"            LogonUI.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"           LogonUI.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History                      LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "147"               LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"               LogonUI.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent                     LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"                     LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"               LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"                  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"      LogonUI.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM                                                LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"                LogonUI.exe
- Runs .reg file with regedit (1 IoCs)
  pid   Process
  4216  regedit.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  2176  rundll32.exe  (64 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description                 pid   Process
  Token: SeShutdownPrivilege  2176  rundll32.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  4200  LogonUI.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                      pid   Process       procid_target
  PID 2344 wrote to memory of 332  2344  rundll32.exe  82
  PID 2344 wrote to memory of 332  2344  rundll32.exe  82
  PID 2344 wrote to memory of 332  2344  rundll32.exe  82
  PID 332 wrote to memory of 2176  332   rundll32.exe  83
  PID 332 wrote to memory of 2176  332   rundll32.exe  83
  PID 332 wrote to memory of 2176  332   rundll32.exe  83
  PID 2176 wrote to memory of 4216 2176  rundll32.exe  89
  PID 2176 wrote to memory of 4216 2176  rundll32.exe  89
  PID 2176 wrote to memory of 4216 2176  rundll32.exe  89
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\965776dc658c84410096ff846182c9bf402b04a437cf31db432cc5579be2fda7.dll,#1
  PID: 2344
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\965776dc658c84410096ff846182c9bf402b04a437cf31db432cc5579be2fda7.dll,#1
    PID: 332
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe C:\PROGRA~3\nbjr7w4v.plz,GL300
      PID: 2176
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\regedit.exe
        Command line: C:\Windows\regedit.exe -s C:\PROGRA~3\v4w7rjbn.reg
        PID: 4216
        - Sets DLL path for service in the registry
        - Runs .reg file with regedit
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa39b1855 /state1:0x41c64e6d
  PID: 4200
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 147KB
  MD5: 264313c0e5e6060ddffc07df8a07ea70
  SHA1: 91b7a6ba877cf4631164b65227b5ccc865fe34dd
  SHA256: 965776dc658c84410096ff846182c9bf402b04a437cf31db432cc5579be2fda7
  SHA512: 0cca84fa69fd2bf01f37d297e7b742c27ef3ca55fddc6c6e272c52ddeb7ead0337dea93b07a02705862d25d5915430984c0be3ec8c45400f547647d87ec542a6
- Filesize: 147KB
  MD5: 264313c0e5e6060ddffc07df8a07ea70
  SHA1: 91b7a6ba877cf4631164b65227b5ccc865fe34dd
  SHA256: 965776dc658c84410096ff846182c9bf402b04a437cf31db432cc5579be2fda7
  SHA512: 0cca84fa69fd2bf01f37d297e7b742c27ef3ca55fddc6c6e272c52ddeb7ead0337dea93b07a02705862d25d5915430984c0be3ec8c45400f547647d87ec542a6
- Filesize: 285B
  MD5: 8d4e96ef0806a418c6118e678aa6030c
  SHA1: 5cac1d68a91b18d63cceb709843b6b7b7905f4ea
  SHA256: 639ec70faa7e4fb59543488900ab7fa10398aa1539afbc09b19944dde0d101df
  SHA512: 68808ebac711e0d309c41937d0483010e2dffaff4635812380653120e5bc2933c1dae34bd0e82ed8ace3e3df97e887520fa997bee1697b8e1680b3dc48d9fc49