Analysis

max time kernel: 135s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/05/2023, 01:04

Static task: static1
Behavioral task: behavioral1
Sample: MixSets.dll
Resource: win10v2004-20230220-en
7 signatures, 150 seconds
General

Target: MixSets.dll
Size: 520KB
MD5: d65679092030c32f0cbb00fe634dbc6a
SHA1: e9f618e04e8a0fc77870c8683c4c25bc854f2e61
SHA256: ffee9f32cbd3af9925807b2c0fac0f172d7c73e20610717692f878b16b3cb348
SHA512: 431e865e1298042ec819952eb1263428781ac3bffcdc5d6af15c3977a5cb807d5c0ab1a4f3447e9d4d906aa3e45ffc594edfdf28d9dbffd8998e92b581a45fa5
SSDEEP: 12288:DILisczd8b40Cychde/q9pSARdh4JdV09ssFDMuK+:Dcczd8b0ycn9IJIss9MP+
Score: 5/10
Malware Config
Signatures

Drops file in System32 directory (11 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs | svchost.exe

Program crash (2 IoCs)
pid | pid_target | Process | procid_target
4484 | 3168 | WerFault.exe | 82
3044 | 3168 | WerFault.exe | 82

Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings | mspaint.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2560 | mspaint.exe
2560 | mspaint.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
2952 | OpenWith.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2560 | mspaint.exe
2952 | OpenWith.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 100 wrote to memory of 3168 | 100 | rundll32.exe | 82
PID 100 wrote to memory of 3168 | 100 | rundll32.exe | 82
PID 100 wrote to memory of 3168 | 100 | rundll32.exe | 82
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\MixSets.dll,#1
  Suspicious use of WriteProcessMemory
  PID: 100
    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\MixSets.dll,#1
      PID: 3168
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 544
          Program crash
          PID: 4484
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 792
          Program crash
          PID: 3044

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3168 -ip 3168
  PID: 1696

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3168 -ip 3168
  PID: 2020

C:\Windows\system32\mspaint.exe
  Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\PublishUpdate.jpe" /ForceBootstrapPaint3D
  Modifies registry class
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of SetWindowsHookEx
  PID: 2560

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
  Drops file in System32 directory
  PID: 2304

C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  Suspicious behavior: GetForegroundWindowSpam
  Suspicious use of SetWindowsHookEx
  PID: 2952