Resubmissions

08/03/2023, 21:50

230308-1pyvasgc3t 8

08/03/2023, 21:48

230308-1n5apahc88 1

08/03/2023, 21:45

230308-1mhejagc2w 1

08/03/2023, 12:51

230308-p3h58ada29 3

Analysis

  • max time kernel
    210s
  • max time network
    210s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-es
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230221-es, locale:es-es, os:windows10-2004-x64, system, windows
  • submitted
    08/03/2023, 21:50

General

  • Target

    stage4_after_autoit.dll

  • Size

    27.9MB

  • MD5

    cf6c8c2264f48739230e812d9c0a52c0

  • SHA1

    eec61aa4a98726c0634a16aaa41e76ef1d87a42f

  • SHA256

    9d93a71a00351322c77e85e297cf58155f2049ad42ef475029cfdb7b913560c9

  • SHA512

    ab99d12d41adecbf24e340c39f7208fd8c4f97220244dd700ef109d2809ff27dca28eee1d8b6eeeaf0422fdc158dba2f45a0e13008a2edc31c4d2ddf6f2cc1a0

  • SSDEEP

    98304:l62O/te/kRbtH8Jqr9N4eExVrYHYwBtBjZADA0Pjq:w/g/i3rCV6btBjODFPW

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 12 IoCs
  • Modifies Internet Explorer settings 1 TTPs 35 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\stage4_after_autoit.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\stage4_after_autoit.dll,#1
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      PID:536
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 1076
        3⤵
        • Program crash
        PID:748
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 536 -ip 536
    1⤵
      PID:872
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4872
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:2508
        • C:\Windows\system32\rundll32.exe
          rundll32 stage4_after_autoit.dll,A040822_1
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4536
          • C:\Windows\SysWOW64\rundll32.exe
            rundll32 stage4_after_autoit.dll,A040822_1
            3⤵
            • Blocklisted process makes network request
            • Checks processor information in registry
            • Enumerates system info in registry
            PID:1480
        • C:\Windows\system32\rundll32.exe
          rundll32
          2⤵
            PID:3500
          • C:\windows\system32\rundll32.exe
            C:\windows\system32\rundll32.exe stage4_after_autoit.dll,A040822_1
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:380
            • C:\Windows\SysWOW64\rundll32.exe
              C:\windows\system32\rundll32.exe stage4_after_autoit.dll,A040822_1
              3⤵
              • Checks processor information in registry
              • Enumerates system info in registry
              PID:1964
        • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
          "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
          1⤵
            PID:5020
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
            1⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2580
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2580 CREDAT:17410 /prefetch:2
              2⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:4800

Network

MITRE ATT&CK Enterprise v6

Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver1812.tmp

            Filesize

            15KB

            MD5

            1a545d0052b581fbb2ab4c52133846bc

            SHA1

            62f3266a9b9925cd6d98658b92adec673cbe3dd3

            SHA256

            557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

            SHA512

            bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\suggestions[1].es-ES

            Filesize

            18KB

            MD5

            e2749896090665aeb9b29bce1a591a75

            SHA1

            59e05283e04c6c0252d2b75d5141ba62d73e9df9

            SHA256

            d428ea8ca335c7cccf1e1564554d81b52fb5a1f20617aa99136cacf73354e0b7

            SHA512

            c750e9ccb30c45e2c4844df384ee9b02b81aa4c8e576197c0811910a63376a7d60e68f964dad858ff0e46a8fd0952ddaf19c8f79f3fd05cefd7dbf2c043d52c5

          • memory/536-135-0x00000000027A0000-0x0000000004396000-memory.dmp

            Filesize

            28.0MB

          • memory/536-133-0x00000000027A0000-0x0000000004396000-memory.dmp

            Filesize

            28.0MB

          • memory/1480-162-0x0000000001FA0000-0x0000000003B96000-memory.dmp

            Filesize

            28.0MB

          • memory/1480-164-0x0000000001FA0000-0x0000000003B96000-memory.dmp

            Filesize

            28.0MB

          • memory/1480-145-0x0000000001FA0000-0x0000000003B96000-memory.dmp

            Filesize

            28.0MB

          • memory/1480-142-0x0000000001FA0000-0x0000000003B96000-memory.dmp

            Filesize

            28.0MB

          • memory/1480-143-0x0000000001FA0000-0x0000000003B96000-memory.dmp

            Filesize

            28.0MB

          • memory/1480-177-0x0000000001FA0000-0x0000000003B96000-memory.dmp

            Filesize

            28.0MB

          • memory/1480-160-0x0000000001FA0000-0x0000000003B96000-memory.dmp

            Filesize

            28.0MB

          • memory/1480-136-0x0000000001FA0000-0x0000000003B96000-memory.dmp

            Filesize

            28.0MB

          • memory/1480-138-0x00000000006F0000-0x00000000006F1000-memory.dmp

            Filesize

            4KB

          • memory/1964-155-0x0000000002260000-0x0000000003E56000-memory.dmp

            Filesize

            28.0MB

          • memory/1964-163-0x0000000002260000-0x0000000003E56000-memory.dmp

            Filesize

            28.0MB

          • memory/1964-165-0x0000000002260000-0x0000000003E56000-memory.dmp

            Filesize

            28.0MB

          • memory/1964-161-0x0000000002260000-0x0000000003E56000-memory.dmp

            Filesize

            28.0MB

          • memory/1964-159-0x0000000000770000-0x0000000000771000-memory.dmp

            Filesize

            4KB

          • memory/1964-178-0x0000000002260000-0x0000000003E56000-memory.dmp

            Filesize

            28.0MB