Analysis
  max time kernel: 152s
  max time network: 156s
  platform: windows10-2004_x64
  resource: win10v2004-20220812-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 05/12/2022, 07:28
Behavioral task: behavioral1
  Sample: bc555887bac3e40e5ad3ac9dafe0bcde2b8ed296b026d214543701aecedd4a94.exe
  Resource: win7-20220812-en
General
  Target: bc555887bac3e40e5ad3ac9dafe0bcde2b8ed296b026d214543701aecedd4a94.exe
  Size: 86KB
  MD5: 312ec29cefab4b8d0f118e7ad6943fd2
  SHA1: 83fcba61b17e101f51e0b6c9f9301308a3a29e5b
  SHA256: bc555887bac3e40e5ad3ac9dafe0bcde2b8ed296b026d214543701aecedd4a94
  SHA512: 2f610f1e073657ff9b25ca8c73036a2fbf2630778638949e2f85b21408ec3168f3318ff9fbb094d187ea71c4855251e014dc95898cf0619d1af08a823def64cb
  SSDEEP: 1536:8KVMKBC9cS4NZoGvefpKcbN0DNM1vtNcTR5G0Vpxr8D43Q:jVMKIR0ZbvwvxGM1rcV5hVK2
Malware Config
Signatures
- YARA rule matches
    resource | yara_rule
    behavioral2/memory/1260-132-0x0000000000400000-0x0000000000420000-memory.dmp | upx
    behavioral2/memory/1260-134-0x0000000000400000-0x0000000000420000-memory.dmp | upx
    behavioral2/files/0x001b00000001d9f9-135.dat | upx
    behavioral2/files/0x001b00000001d9f9-136.dat | upx
    behavioral2/memory/4132-137-0x0000000010000000-0x0000000010030000-memory.dmp | upx

- Loads dropped DLL (1 IoC)
    pid | Process
    4132 | rundll32.exe

- Installs/modifies Browser Helper Object (2 TTPs, 1 IoC)
  BHOs are DLL modules which act as plugins for Internet Explorer.
    description | ioc | Process
    Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C6039E6C-BDE9-4de5-BB40-768CAA584FDC} | rundll32.exe

- Drops file in System32 directory (1 IoC)
    description | ioc | Process
    File created | C:\Windows\SysWOW64\bc555887bac3e40e5ad3ac9dafe0bcde2b8ed296b026d214543701aecedd4a94.dll | bc555887bac3e40e5ad3ac9dafe0bcde2b8ed296b026d214543701aecedd4a94.exe

- Modifies registry class (4 IoCs)
    description | ioc | Process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C6039E6C-BDE9-4de5-BB40-768CAA584FDC}\InprocServer32\ThreadingModel = "Both" | rundll32.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C6039E6C-BDE9-4de5-BB40-768CAA584FDC} | rundll32.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C6039E6C-BDE9-4de5-BB40-768CAA584FDC}\InprocServer32 | rundll32.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C6039E6C-BDE9-4de5-BB40-768CAA584FDC}\InprocServer32\ = "C:\\Windows\\SysWow64\\bc555887bac3e40e5ad3ac9dafe0bcde2b8ed296b026d214543701aecedd4a94.dll" | rundll32.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
    description | pid | Process | procid_target
    PID 1260 wrote to memory of 4132 | 1260 | bc555887bac3e40e5ad3ac9dafe0bcde2b8ed296b026d214543701aecedd4a94.exe | 80
    PID 1260 wrote to memory of 4132 | 1260 | bc555887bac3e40e5ad3ac9dafe0bcde2b8ed296b026d214543701aecedd4a94.exe | 80
    PID 1260 wrote to memory of 4132 | 1260 | bc555887bac3e40e5ad3ac9dafe0bcde2b8ed296b026d214543701aecedd4a94.exe | 80
Processes
- C:\Users\Admin\AppData\Local\Temp\bc555887bac3e40e5ad3ac9dafe0bcde2b8ed296b026d214543701aecedd4a94.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bc555887bac3e40e5ad3ac9dafe0bcde2b8ed296b026d214543701aecedd4a94.exe"
  PID: 1260
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe "C:\Windows\system32\bc555887bac3e40e5ad3ac9dafe0bcde2b8ed296b026d214543701aecedd4a94.dll",dll_inject
    PID: 4132
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies registry class
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 69KB
  MD5: 722e2973ae6c0401c95294e6a44e2fcf
  SHA1: 6184af79414a489624187ca887c4e0bb552ffd30
  SHA256: 464684f65b7e7b601f395f7cfa1faaf5aa5636a32bd7571b5e861d358a5d0fce
  SHA512: 238578daa6c9eb7a20b9355408f1f9347ffce104ad1fb53de8419d74ff249e4800a678ce74dbfd0895519efc51990b353ed45f54f09e729dacc3e4fcbd2110a7