Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/12/2022, 07:03

General

  • Target

    c00a476332468890344fe5e2d98b5cdf0598dd342a562b033f6ec5a32405bc9f.dll

  • Size

    34KB

  • MD5

    f41b417f8945e50760929a80c7ef8c59

  • SHA1

    f1b389f7597b8eb9f09a4bd04903019a991142f9

  • SHA256

    c00a476332468890344fe5e2d98b5cdf0598dd342a562b033f6ec5a32405bc9f

  • SHA512

    1de31a94fc2ba2cd24023093a254858e31b2e19a5943266b31ac6b818a9ebe566ef6f3c652d84075700ee7213a268ff05bd6ca542e641090e28fa6ccb3f78c5c

  • SSDEEP

    768:CRE3rOLiay36F2HfSva8nmjXASGZ3gzGY0QQzAwuAZ0Vyq7:DU1F7DmjXzGZwaYVQEwuAZc

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 3 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:588
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\c00a476332468890344fe5e2d98b5cdf0598dd342a562b033f6ec5a32405bc9f.dll,#1
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1368
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\c00a476332468890344fe5e2d98b5cdf0598dd342a562b033f6ec5a32405bc9f.dll,#1
        2⤵
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: RenamesItself
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3036
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe C:\Windows\system32\xxyxXRig.dll,a
          3⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in System32 directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3040
          • C:\Windows\SysWOW64\rundll32.exe
            rundll32.exe "C:\Windows\system32\ddcBtUlM.dll",s
            4⤵
              PID:3692

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\ddcBtUlM.dll

        Filesize

        7KB

        MD5

        e6e1dadbfa5bb505379680095e720653

        SHA1

        b3593ff068fa42ef977412318c93e645bc3595c8

        SHA256

        107ff3a6d63930e9e4e7b5fc6f4bfc6eed9cb8bac3b8859c1d85c04f63d380fc

        SHA512

        a3e43381054268c215e8c211ae24ac51cde3da7a59131bac187dba048e16460c014dbea6954a96f5300ce80908aae0d19eb8659d50908b81414c3e8b764ae2c9

      • C:\Windows\SysWOW64\xxyxXRig.dll

        Filesize

        34KB

        MD5

        f41b417f8945e50760929a80c7ef8c59

        SHA1

        f1b389f7597b8eb9f09a4bd04903019a991142f9

        SHA256

        c00a476332468890344fe5e2d98b5cdf0598dd342a562b033f6ec5a32405bc9f

        SHA512

        1de31a94fc2ba2cd24023093a254858e31b2e19a5943266b31ac6b818a9ebe566ef6f3c652d84075700ee7213a268ff05bd6ca542e641090e28fa6ccb3f78c5c

      • C:\Windows\SysWOW64\xxyxXRig.dll

        Filesize

        34KB

        MD5

        f41b417f8945e50760929a80c7ef8c59

        SHA1

        f1b389f7597b8eb9f09a4bd04903019a991142f9

        SHA256

        c00a476332468890344fe5e2d98b5cdf0598dd342a562b033f6ec5a32405bc9f

        SHA512

        1de31a94fc2ba2cd24023093a254858e31b2e19a5943266b31ac6b818a9ebe566ef6f3c652d84075700ee7213a268ff05bd6ca542e641090e28fa6ccb3f78c5c

      • C:\Windows\SysWOW64\xxyxXRig.dll

        Filesize

        34KB

        MD5

        f41b417f8945e50760929a80c7ef8c59

        SHA1

        f1b389f7597b8eb9f09a4bd04903019a991142f9

        SHA256

        c00a476332468890344fe5e2d98b5cdf0598dd342a562b033f6ec5a32405bc9f

        SHA512

        1de31a94fc2ba2cd24023093a254858e31b2e19a5943266b31ac6b818a9ebe566ef6f3c652d84075700ee7213a268ff05bd6ca542e641090e28fa6ccb3f78c5c

      • C:\Windows\SysWOW64\xxyxXRig.dll

        Filesize

        34KB

        MD5

        f41b417f8945e50760929a80c7ef8c59

        SHA1

        f1b389f7597b8eb9f09a4bd04903019a991142f9

        SHA256

        c00a476332468890344fe5e2d98b5cdf0598dd342a562b033f6ec5a32405bc9f

        SHA512

        1de31a94fc2ba2cd24023093a254858e31b2e19a5943266b31ac6b818a9ebe566ef6f3c652d84075700ee7213a268ff05bd6ca542e641090e28fa6ccb3f78c5c

      • memory/3036-136-0x0000000000A40000-0x0000000000A45000-memory.dmp

        Filesize

        20KB

      • memory/3036-138-0x0000000002460000-0x00000000024ED000-memory.dmp

        Filesize

        564KB

      • memory/3036-139-0x0000000002460000-0x00000000024ED000-memory.dmp

        Filesize

        564KB

      • memory/3036-140-0x0000000002460000-0x00000000024ED000-memory.dmp

        Filesize

        564KB

      • memory/3036-141-0x0000000002460000-0x00000000024ED000-memory.dmp

        Filesize

        564KB

      • memory/3036-137-0x0000000002470000-0x0000000002484000-memory.dmp

        Filesize

        80KB

      • memory/3036-135-0x0000000010000000-0x0000000010014000-memory.dmp

        Filesize

        80KB

      • memory/3040-145-0x0000000010000000-0x0000000010014000-memory.dmp

        Filesize

        80KB

      • memory/3040-146-0x0000000000F30000-0x0000000000F35000-memory.dmp

        Filesize

        20KB