
Analysis

  • max time kernel
    146s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/06/2023, 07:51 UTC

General

  • Target

    dc55c78b5ceb3c21ad4aa2af56c7a359ff5f3e08d9f6912da7b7cee62807c7cf.dll

  • Size

    92KB

  • MD5

    01767b0e766ccabb965bd88af49f733a

  • SHA1

    3012e252559b75f7740469e5ec61377c89f56a40

  • SHA256

    dc55c78b5ceb3c21ad4aa2af56c7a359ff5f3e08d9f6912da7b7cee62807c7cf

  • SHA512

    7511d7b4a0671817ab624559407ffa8fae4d443b45436ffc43af5c5e8751c6c6b28d1c42ccdf96959427b25e5fc2dc6b7e191a9cbe874f69097f3ba6d1466357

  • SSDEEP

    1536:fS0ZG4UMpzNFj5OKAWmlrYZRJmnPeUsgqzbLMsNOxBznt:fSAbAKAWmqYnPeUstzDMxBzn

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request (28 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe (PID 2228, depth 1)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc55c78b5ceb3c21ad4aa2af56c7a359ff5f3e08d9f6912da7b7cee62807c7cf.dll,#1
    Signatures: Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\rundll32.exe (PID 2152, depth 2, child of PID 2228)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc55c78b5ceb3c21ad4aa2af56c7a359ff5f3e08d9f6912da7b7cee62807c7cf.dll,#1
      Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses

Network

  Reverse DNS lookups (all sent to 8.8.8.8:53 as IN PTR queries; geolocation flag: US)

  Query                          Response
  97.17.167.52.in-addr.arpa      (none recorded)
  210.80.52.64.in-addr.arpa      (none recorded)
  14.103.197.20.in-addr.arpa     (none recorded)
  217.106.137.52.in-addr.arpa    (none recorded)
  103.169.127.40.in-addr.arpa    (none recorded)
  206.23.85.13.in-addr.arpa      (none recorded)
  2.36.159.162.in-addr.arpa      (none recorded)
  64.13.109.52.in-addr.arpa      (none recorded)
  26.165.165.52.in-addr.arpa     (none recorded)
  1.208.79.178.in-addr.arpa      IN PTR https-178-79-208-1amsllnwnet
  TCP connections, in the order recorded (tx = sent from the sandbox VM, rx = received; blank = no value recorded)

  #   Destination           Proto  Process       tx bytes  rx bytes  tx pkts  rx pkts
  1   64.52.80.210:443      https  rundll32.exe  264 B     467 B     5        4
  2   64.52.80.210:443      https  rundll32.exe  264 B     467 B     5        4
  3   64.52.80.210:443      https  rundll32.exe  264 B     467 B     5        4
  4   64.52.80.210:443      https  rundll32.exe  264 B     467 B     5        4
  5   64.52.80.210:443      https  rundll32.exe  264 B     467 B     5        4
  6   64.52.80.210:443      https  rundll32.exe  264 B     467 B     5        4
  7   52.242.97.97:443                           260 B               5
  8   64.52.80.210:443      https  rundll32.exe  264 B     467 B     5        4
  9   64.52.80.210:443      https  rundll32.exe  264 B     467 B     5        4
  10  64.52.80.210:443      https  rundll32.exe  264 B     467 B     5        4
  11  64.52.80.210:443      https  rundll32.exe  264 B     467 B     5        4
  12  64.52.80.210:443      https  rundll32.exe  264 B     467 B     5        4
  13  209.197.3.8:80                             322 B               7
  14  209.197.3.8:80                             322 B               7
  15  64.52.80.210:443      https  rundll32.exe  264 B     467 B     5        4
  16  173.223.113.164:443                        322 B               7
  17  131.253.33.203:80                          322 B               7
  18  64.52.80.210:443      https  rundll32.exe  264 B     467 B     5        4
  19  64.52.80.210:443      https  rundll32.exe  264 B     467 B     5        4
  20  64.52.80.210:443      https  rundll32.exe  264 B     467 B     5        4
  21  64.52.80.210:443      https  rundll32.exe  310 B     467 B     6        4
  22  64.52.80.210:443      https  rundll32.exe  264 B     467 B     5        4
  23  64.52.80.210:443      https  rundll32.exe  264 B     467 B     5        4
  24  64.52.80.210:443      https  rundll32.exe  218 B     467 B     4        4
  25  64.52.80.210:443      https  rundll32.exe  264 B     467 B     5        4
  26  64.52.80.210:443      https  rundll32.exe  218 B     467 B     4        4
  27  64.52.80.210:443      https  rundll32.exe  264 B     467 B     5        4
  28  64.52.80.210:443      https  rundll32.exe  264 B     467 B     5        4
  29  64.52.80.210:443      https  rundll32.exe  264 B     467 B     5        4
  30  64.52.80.210:443      https  rundll32.exe  264 B     467 B     5        4
  31  64.52.80.210:443      https  rundll32.exe  264 B     467 B     5        4
  32  64.52.80.210:443      https  rundll32.exe  264 B     467 B     5        4
  33  64.52.80.210:443      https  rundll32.exe  264 B     467 B     5        4

  The 28 rundll32.exe connections to 64.52.80.210:443 are the 28 IoCs behind the "Blocklisted process makes network request" signature above.
  DNS traffic (all to 8.8.8.8:53, protocol dns; tx = query sent, rx = answer received; 1 packet each way)

  DNS request                    tx bytes  rx bytes  tx pkts  rx pkts
  97.17.167.52.in-addr.arpa      71 B      145 B     1        1
  210.80.52.64.in-addr.arpa      71 B      126 B     1        1
  14.103.197.20.in-addr.arpa     72 B      158 B     1        1
  217.106.137.52.in-addr.arpa    73 B      147 B     1        1
  103.169.127.40.in-addr.arpa    73 B      147 B     1        1
  206.23.85.13.in-addr.arpa      71 B      145 B     1        1
  2.36.159.162.in-addr.arpa      71 B      133 B     1        1
  64.13.109.52.in-addr.arpa      71 B      145 B     1        1
  26.165.165.52.in-addr.arpa     72 B      146 B     1        1
  1.208.79.178.in-addr.arpa      71 B      116 B     1        1

MITRE ATT&CK Enterprise v6
