Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

24/05/2023, 19:53

230524-ymb7eafa8s 8

24/05/2023, 19:52

230524-ylkgdsfa7x 3

24/05/2023, 19:46

230524-ygzqhsef63 7

Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/05/2023, 19:53

General

  • Target

    bot3.dll

  • Size

    3.3MB

  • MD5

    e362ae83e78eeb6ab2e6fa885c4bf114

  • SHA1

    c30b0261b6e741d960cd3fb552077efac9ee29b5

  • SHA256

    ecac2400261d2962ba84f149b9104fb6a6955ccb35d4044a464de26c545b2bd5

  • SHA512

    4d27f8cd937f2d919f311c3b039a66a95cead5bb5a2a19424ad3df5c9cd25193434ead5d4c54a4ea83168937401adaa8ad876e21567766bf6abd82c3a3e4be6c

  • SSDEEP

    49152:vfqRHVwASOpGtlqpDIU6iu4NkZTg+cSwDjys6VUbf01OEe04oE4UWz53B8YVTVq4:n6M+qGD8HzNPDVEkXpiJ

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 15 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bot3.dll
    1⤵
      PID:3296
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:700
      • C:\Windows\system32\rundll32.exe
        rundll32
        2⤵
          PID:1252
        • C:\Windows\system32\rundll32.exe
          rundll32 bot3.dll, dllmain
          2⤵
          • Blocklisted process makes network request
          PID:868
        • C:\Windows\system32\rundll32.exe
          rundll32 bot3.dll dllmain
          2⤵
          • Blocklisted process makes network request
          PID:2076
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        1⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:476

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/476-133-0x000001BB4DFE0000-0x000001BB4DFE1000-memory.dmp

        Filesize

        4KB

      • memory/476-134-0x000001BB4DFE0000-0x000001BB4DFE1000-memory.dmp

        Filesize

        4KB

      • memory/476-135-0x000001BB4DFE0000-0x000001BB4DFE1000-memory.dmp

        Filesize

        4KB

      • memory/476-139-0x000001BB4DFE0000-0x000001BB4DFE1000-memory.dmp

        Filesize

        4KB

      • memory/476-140-0x000001BB4DFE0000-0x000001BB4DFE1000-memory.dmp

        Filesize

        4KB

      • memory/476-141-0x000001BB4DFE0000-0x000001BB4DFE1000-memory.dmp

        Filesize

        4KB

      • memory/476-142-0x000001BB4DFE0000-0x000001BB4DFE1000-memory.dmp

        Filesize

        4KB

      • memory/476-143-0x000001BB4DFE0000-0x000001BB4DFE1000-memory.dmp

        Filesize

        4KB

      • memory/476-144-0x000001BB4DFE0000-0x000001BB4DFE1000-memory.dmp

        Filesize

        4KB

      • memory/476-145-0x000001BB4DFE0000-0x000001BB4DFE1000-memory.dmp

        Filesize

        4KB