Resubmissions
  Submitted           Analysis ID         Score
  24/05/2023, 19:53   230524-ymb7eafa8s   8
  24/05/2023, 19:52   230524-ylkgdsfa7x   3
  24/05/2023, 19:46   230524-ygzqhsef63   7

Analysis
  max time kernel:   147s
  max time network:  152s
  platform:          windows10-2004_x64
  resource:          win10v2004-20230220-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         24/05/2023, 19:53
Tasks
  Static task:      static1
  Behavioral task:  behavioral1  (Sample: bot3.dll, Resource: win7-20230220-en)
  Behavioral task:  behavioral2  (Sample: bot3.dll, Resource: win10v2004-20230220-en)

General
  Target:  bot3.dll
  Size:    3.3MB
  MD5:     e362ae83e78eeb6ab2e6fa885c4bf114
  SHA1:    c30b0261b6e741d960cd3fb552077efac9ee29b5
  SHA256:  ecac2400261d2962ba84f149b9104fb6a6955ccb35d4044a464de26c545b2bd5
  SHA512:  4d27f8cd937f2d919f311c3b039a66a95cead5bb5a2a19424ad3df5c9cd25193434ead5d4c54a4ea83168937401adaa8ad876e21567766bf6abd82c3a3e4be6c
  SSDEEP:  49152:vfqRHVwASOpGtlqpDIU6iu4NkZTg+cSwDjys6VUbf01OEe04oE4UWz53B8YVTVq4:n6M+qGD8HzNPDVEkXpiJ
Malware Config
Signatures

Blocklisted process makes network request (15 IoCs)
  flow  pid   Process
  47    868   rundll32.exe
  48    868   rundll32.exe
  54    868   rundll32.exe
  55    868   rundll32.exe
  56    868   rundll32.exe
  58    868   rundll32.exe
  59    868   rundll32.exe
  60    868   rundll32.exe
  61    868   rundll32.exe
  63    868   rundll32.exe
  65    2076  rundll32.exe
  66    868   rundll32.exe
  67    2076  rundll32.exe
  68    868   rundll32.exe
  69    2076  rundll32.exe

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  9     checkip.amazonaws.com
  46    checkip.amazonaws.com
  64    checkip.amazonaws.com

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  description        ioc                                                                                                                            Process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000                                   taskmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A   taskmgr.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName                      taskmgr.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid  Process
  476  taskmgr.exe  (64 identical rows)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid  Process
  476  taskmgr.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description                        pid  Process
  Token: SeDebugPrivilege            476  taskmgr.exe
  Token: SeSystemProfilePrivilege    476  taskmgr.exe
  Token: SeCreateGlobalPrivilege     476  taskmgr.exe
  Token: 33                          476  taskmgr.exe
  Token: SeIncBasePriorityPrivilege  476  taskmgr.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
  pid  Process
  476  taskmgr.exe  (64 identical rows)

Suspicious use of SendNotifyMessage (64 IoCs)
  pid  Process
  476  taskmgr.exe  (64 identical rows)

Suspicious use of WriteProcessMemory (6 IoCs)
  description                      pid  Process  procid_target
  PID 700 wrote to memory of 1252  700  cmd.exe  98
  PID 700 wrote to memory of 1252  700  cmd.exe  98
  PID 700 wrote to memory of 868   700  cmd.exe  100
  PID 700 wrote to memory of 868   700  cmd.exe  100
  PID 700 wrote to memory of 2076  700  cmd.exe  101
  PID 700 wrote to memory of 2076  700  cmd.exe  101

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\regsvr32.exe  |  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bot3.dll  |  PID:3296
- C:\Windows\system32\cmd.exe  |  "C:\Windows\system32\cmd.exe"  |  PID:700
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe  |  rundll32  |  PID:1252
  - C:\Windows\system32\rundll32.exe  |  rundll32 bot3.dll, dllmain  |  PID:868
    - Blocklisted process makes network request
  - C:\Windows\system32\rundll32.exe  |  rundll32 bot3.dll dllmain  |  PID:2076
    - Blocklisted process makes network request
- C:\Windows\system32\taskmgr.exe  |  "C:\Windows\system32\taskmgr.exe" /4  |  PID:476
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage