Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/12/2022, 07:03
Static task: static1
Behavioral task: behavioral1
  Sample: c00a476332468890344fe5e2d98b5cdf0598dd342a562b033f6ec5a32405bc9f.dll
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: c00a476332468890344fe5e2d98b5cdf0598dd342a562b033f6ec5a32405bc9f.dll
  Resource: win10v2004-20220901-en
General
Target: c00a476332468890344fe5e2d98b5cdf0598dd342a562b033f6ec5a32405bc9f.dll
Size: 34KB
MD5: f41b417f8945e50760929a80c7ef8c59
SHA1: f1b389f7597b8eb9f09a4bd04903019a991142f9
SHA256: c00a476332468890344fe5e2d98b5cdf0598dd342a562b033f6ec5a32405bc9f
SHA512: 1de31a94fc2ba2cd24023093a254858e31b2e19a5943266b31ac6b818a9ebe566ef6f3c652d84075700ee7213a268ff05bd6ca542e641090e28fa6ccb3f78c5c
SSDEEP: 768:CRE3rOLiay36F2HfSva8nmjXASGZ3gzGY0QQzAwuAZ0Vyq7:DU1F7DmjXzGZwaYVQEwuAZc
Malware Config
Signatures
- Blocklisted process makes network request (3 IoCs)
  flow  pid   process
  29    3040  rundll32.exe
  31    3040  rundll32.exe
  32    3040  rundll32.exe
- Loads dropped DLL (3 IoCs)
  pid   process
  3036  rundll32.exe
  3036  rundll32.exe
  3040  rundll32.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ (rundll32.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSServer = "rundll32.exe C:\\Windows\\system32\\xxyxXRig.dll,#1" (rundll32.exe)
- Drops file in System32 directory (3 IoCs)
  File created: C:\Windows\SysWOW64\xxyxXRig.dll (rundll32.exe)
  File opened for modification: C:\Windows\SysWOW64\xxyxXRig.dll (rundll32.exe)
  File created: C:\Windows\SysWOW64\ddcBtUlM.dll (rundll32.exe)
- Modifies registry class (4 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} (rundll32.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32 (rundll32.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\ = "C:\\Windows\\SysWow64\\xxyxXRig.dll" (rundll32.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\ThreadingModel = "Both" (rundll32.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   process        entries
  3036  rundll32.exe   2
  3040  rundll32.exe   62
- Suspicious behavior: RenamesItself (1 IoC)
  pid   process
  3036  rundll32.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 3036 rundll32.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid   process
  3036  rundll32.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  pid   wrote to memory of   process        procid_target   entries
  1368  3036                 rundll32.exe   69              3
  3036  588                  rundll32.exe   3               1
  3036  3040                 rundll32.exe   85              3
  3040  3692                 rundll32.exe   86              3
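The two registry signatures above describe two persistence paths that both point at the same dropped DLL: a Run value that launches rundll32.exe with xxyxXRig.dll, and a COM class whose InprocServer32 (Default) value names the same DLL. The Run data says C:\Windows\system32\xxyxXRig.dll while the file was actually created in C:\Windows\SysWOW64, which is what WoW64 file-system and registry redirection produces when the 32-bit SysWOW64\rundll32.exe writes to system32 and to HKLM\SOFTWARE (hence the WOW6432Node key). The following is an added example, not tria.ge output and not code from the sample, that parses "Set value" IoC strings of the form shown above, flags Run/RunOnce values that load a DLL through rundll32.exe, records InprocServer32 registrations, and correlates the two by DLL basename so the system32/SysWOW64 spelling difference does not hide the link. The input lines are re-typed from this report plus one constructed benign OneDrive entry as a control; the rule names and the Finding fields are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed sample input: the "Set value" IoC strings from this report's
# signature table, re-typed as lines, plus one constructed benign Run entry
# (the OneDrive line) that must not fire.
SAMPLE_IOCS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSServer = "rundll32.exe C:\\Windows\\system32\\xxyxXRig.dll,#1"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\ = "C:\\Windows\\SysWow64\\xxyxXRig.dll"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\ThreadingModel = "Both"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"',
]


@dataclass(frozen=True)
class RegSet:
    key: str   # registry key path without the value name
    name: str  # value name; "" means the key's (Default) value
    data: str  # value data with the report's doubled backslashes collapsed


@dataclass(frozen=True)
class Finding:
    rule: str  # hypothetical rule id for this example
    key: str
    dll: str   # DLL path referenced by the value data


_SET_RE = re.compile(r'^Set value \((\w+)\) (.+)$')
_RUN_KEY_RE = re.compile(r'\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$', re.I)
_INPROC_RE = re.compile(r'\\CLSID\\(\{[0-9A-F-]{36}\})\\InprocServer32$', re.I)
_RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?(?:,(?P<export>\S+))?', re.I)


def parse_set_value(line: str):
    """Parse one 'Set value (type) \\REGISTRY\\...\\Name = "data"' line; None otherwise."""
    m = _SET_RE.match(line.strip())
    if not m:
        return None
    lhs, sep, rhs = m.group(2).partition(' = ')
    if not sep:
        return None
    # The value name follows the last backslash; a trailing backslash means (Default).
    key, _, name = lhs.rpartition('\\')
    data = rhs.strip().strip('"').replace('\\\\', '\\')
    return RegSet(key=key, name=name, data=data)


def analyze(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        rs = parse_set_value(line)
        if rs is None:
            continue
        # Rule 1: autostart through rundll32.exe loading a DLL from a Run/RunOnce key.
        # WOW6432Node in the path only marks a redirected 32-bit writer, so match through it.
        if _RUN_KEY_RE.search(rs.key):
            m = _RUNDLL_RE.match(rs.data)
            if m:
                findings.append(Finding('run_key_rundll32', rs.key, m.group('dll')))
        # Rule 2: a CLSID's InprocServer32 (Default) value naming the in-process server DLL.
        elif _INPROC_RE.search(rs.key) and rs.name == '':
            findings.append(Finding('com_inprocserver32', rs.key, rs.data))
    return findings


def dll_basename(path: str) -> str:
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def correlate(findings: Iterable[Finding]) -> Set[str]:
    """DLL basenames referenced by both a Run-key rundll32 entry and an InprocServer32 entry.
    Basenames are compared because the same dropped file shows up as ...\\system32\\x.dll in
    the Run data and ...\\SysWow64\\x.dll in the COM entry (WoW64 file-system redirection)."""
    by_rule = {}
    for f in findings:
        by_rule.setdefault(f.rule, set()).add(dll_basename(f.dll))
    return by_rule.get('run_key_rundll32', set()) & by_rule.get('com_inprocserver32', set())


if __name__ == '__main__':
    found = analyze(SAMPLE_IOCS)
    for f in found:
        print(f.rule, f.key, f.dll)
    print('DLLs referenced by both persistence paths:', correlate(found))
```

On this report the script yields one run_key_rundll32 finding and one com_inprocserver32 finding, and the correlation returns xxyxxrig.dll; the constructed OneDrive line produces nothing. On a live host the same two rules apply to an export of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (including the WOW6432Node copy) and HKLM\SOFTWARE\Classes\CLSID, with the DLL path then checked against what is on disk.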
Processes
- C:\Windows\system32\winlogon.exe
  winlogon.exe
  PID: 588
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c00a476332468890344fe5e2d98b5cdf0598dd342a562b033f6ec5a32405bc9f.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 1368
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c00a476332468890344fe5e2d98b5cdf0598dd342a562b033f6ec5a32405bc9f.dll,#1
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 3036
    - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Windows\system32\xxyxXRig.dll,a
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 3040
      - C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Windows\system32\ddcBtUlM.dll",s
        PID: 3692
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 7KB
  MD5: e6e1dadbfa5bb505379680095e720653
  SHA1: b3593ff068fa42ef977412318c93e645bc3595c8
  SHA256: 107ff3a6d63930e9e4e7b5fc6f4bfc6eed9cb8bac3b8859c1d85c04f63d380fc
  SHA512: a3e43381054268c215e8c211ae24ac51cde3da7a59131bac187dba048e16460c014dbea6954a96f5300ce80908aae0d19eb8659d50908b81414c3e8b764ae2c9
- Filesize: 34KB (listed four times on the page; all four entries carry the hashes of the submitted sample)
  MD5: f41b417f8945e50760929a80c7ef8c59
  SHA1: f1b389f7597b8eb9f09a4bd04903019a991142f9
  SHA256: c00a476332468890344fe5e2d98b5cdf0598dd342a562b033f6ec5a32405bc9f
  SHA512: 1de31a94fc2ba2cd24023093a254858e31b2e19a5943266b31ac6b818a9ebe566ef6f3c652d84075700ee7213a268ff05bd6ca542e641090e28fa6ccb3f78c5c