Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

bdd3f0e846...cd.dll

windows7-x64

10

bdd3f0e846...cd.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/12/2022, 18:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bdd3f0e846f4c3aa1531049ad6c833e1ad5afae1c869063410ea927061f599cd.dll

  • Size

    236KB

  • MD5

    e4c2d1e7df0e33ee1996bf1efd8fba0b

  • SHA1

    2f2af265b0802113318a09f4b792e28f217aa90a

  • SHA256

    bdd3f0e846f4c3aa1531049ad6c833e1ad5afae1c869063410ea927061f599cd

  • SHA512

    d58d53000d5f7dd9387dce329ca2729ee3f7108b5916de97e2c43375a3641971907cdb00ffa09a10b6bf0ac53c8a583e763cc42cfb2455b588774dfce31db662

  • SSDEEP

    3072:3F24fliN+7XlmZKxbLYH1rhAwHL5K2W5QVgxwkFy:3F24flic7X8ZibLYHFhAkKZYgny

Score
10/10
persistence

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs
    persistence
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 4 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\bdd3f0e846f4c3aa1531049ad6c833e1ad5afae1c869063410ea927061f599cd.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1104
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\bdd3f0e846f4c3aa1531049ad6c833e1ad5afae1c869063410ea927061f599cd.dll,#1
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Loads dropped DLL
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3284

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\yhzrcrmwa.dll
    Filesize

    478KB

    MD5

    e99416267b61f52fa5ab994019efd359

    SHA1

    86d31eae707db7fe51d2556394fcf0e8e9f6b0fd

    SHA256

    768c286674371564b5e6095edb56e0a4231f341be895da69cfccca5160029774

    SHA512

    0a1c7579a9c787c2c1bef35f0660e72e74b42824e14ebea63b87ed25ddaf107e3746567bb431cab41a2f6719fad2c22d96e0715a1fe085d75805d7d66f7f05ae

    Download Submit

  • memory/3284-134-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3284-135-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download