Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

3

Static

static

3

Vievsp.dll

windows7-x64

1

Vievsp.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    11/10/2023, 23:48 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Vievsp.dll

  • Size

    583KB

  • MD5

    e57ccafa9f8c49657073add0d0536e42

  • SHA1

    77e9056492e97c49ea2bd9294abcfc03eeee0772

  • SHA256

    766653b6e5db8d5ffc46735bc95d73aa75ec2e3776136076f76a1fd6483518c5

  • SHA512

    1f923e2c3e31fa923fe51082fad57c2abb4b1f82f31919ecc010066354d2af8202d9e79a1864fa586145efd891b37287619abb39ec3c3930be86d0f05d496885

  • SSDEEP

    12288:pjan3B7+2BoGEwYXorDxBDWgyv9cii8VPezCTr:Mn3B7+2ByJo/DWz9cS2zW

Score
1/10

Malware Config

Signatures

  • Modifies registry class 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Vievsp.dll
    1⤵
    • Modifies registry class
    PID:1932

Network

  • flag-us
    DNS
    jkbarmossen.com
    regsvr32.exe
    Remote address:
    8.8.8.8:53
    Request
    jkbarmossen.com
    IN A
    Response
    jkbarmossen.com
    IN A
    173.255.204.62
  • flag-us
    DNS
    evinakortu.com
    regsvr32.exe
    Remote address:
    8.8.8.8:53
    Request
    evinakortu.com
    IN A
    Response
    evinakortu.com
    IN A
    94.232.46.27
  • flag-us
    DNS
    hofsaalos.com
    regsvr32.exe
    Remote address:
    8.8.8.8:53
    Request
    hofsaalos.com
    IN A
    Response
    hofsaalos.com
    IN A
    92.118.112.113
  • flag-us
    DNS
    skrechelres.com
    regsvr32.exe
    Remote address:
    8.8.8.8:53
    Request
    skrechelres.com
    IN A
    Response
  • flag-us
    DNS
    skrechelres.com
    regsvr32.exe
    Remote address:
    8.8.8.8:53
    Request
    skrechelres.com
    IN A
    Response
  • flag-us
    DNS
    jerryposter.com
    regsvr32.exe
    Remote address:
    8.8.8.8:53
    Request
    jerryposter.com
    IN A
    Response
    jerryposter.com
    IN A
    77.105.140.181
  • flag-ru
    POST
    https://jerryposter.com/news/1/255/0
    regsvr32.exe
    Remote address:
    77.105.140.181:443
    Request
    POST /news/1/255/0 HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/octet-stream
    Authorization: Basic MzYxODkzODcyOjM2MzY0MTYwMjM6MTExOjY2OjE=
    Cookie: session=MDowOjA6MzA0OjA=
    Content-Length: 332
    Host: jerryposter.com
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 11 Oct 2023 23:51:56 GMT
    Content-Type: text/plain
    Content-Length: 9
    Connection: keep-alive
  • flag-ru
    GET
    https://jerryposter.com/news/18/255/0
    regsvr32.exe
    Remote address:
    77.105.140.181:443
    Request
    GET /news/18/255/0 HTTP/1.1
    Connection: Keep-Alive
    Authorization: Basic MzYxODkzODcyOjM2MzY0MTYwMjM6MTExOjY2OjE=
    Host: jerryposter.com
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 11 Oct 2023 23:51:57 GMT
    Content-Type: application/octet-stream
    Transfer-Encoding: chunked
    Connection: keep-alive
  • 173.255.204.62:443
    jkbarmossen.com
    tls
    regsvr32.exe
    257 B
     88 B
     3
    2
  • 94.232.46.27:443
    evinakortu.com
    regsvr32.exe
    152 B
     120 B
     3
    3
  • 92.118.112.113:443
    hofsaalos.com
    regsvr32.exe
    152 B
     3
  • 77.105.140.181:443
    https://jerryposter.com/news/18/255/0
    tls, http
    regsvr32.exe
    1.5kB
     2.4kB
     9
    8

    HTTP Request

    POST https://jerryposter.com/news/1/255/0

    HTTP Response

    200

    HTTP Request

    GET https://jerryposter.com/news/18/255/0

    HTTP Response

    200
  • 8.8.8.8:53
    jkbarmossen.com
    dns
    regsvr32.exe
    61 B
     77 B
     1
    1

    DNS Request

    jkbarmossen.com

    DNS Response

    173.255.204.62

  • 8.8.8.8:53
    evinakortu.com
    dns
    regsvr32.exe
    60 B
     76 B
     1
    1

    DNS Request

    evinakortu.com

    DNS Response

    94.232.46.27

  • 8.8.8.8:53
    hofsaalos.com
    dns
    regsvr32.exe
    59 B
     75 B
     1
    1

    DNS Request

    hofsaalos.com

    DNS Response

    92.118.112.113

  • 8.8.8.8:53
    skrechelres.com
    dns
    regsvr32.exe
    122 B
     122 B
     2
    2

    DNS Request

    skrechelres.com

    DNS Request

    skrechelres.com

  • 8.8.8.8:53
    jerryposter.com
    dns
    regsvr32.exe
    61 B
     77 B
     1
    1

    DNS Request

    jerryposter.com

    DNS Response

    77.105.140.181

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Cab758F.tmp
    Filesize

    61KB

    MD5

    f3441b8572aae8801c04f3060b550443

    SHA1

    4ef0a35436125d6821831ef36c28ffaf196cda15

    SHA256

    6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

    SHA512

    5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

    Download Submit

  • memory/1932-1-0x0000000000120000-0x000000000016F000-memory.dmp

    Filesize

    316KB

    Download

  • memory/1932-2-0x0000000001D00000-0x0000000001D4C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1932-8-0x0000000000120000-0x000000000016F000-memory.dmp

    Filesize

    316KB

    Download

  • memory/1932-9-0x0000000001D00000-0x0000000001D4C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1932-10-0x0000000001D00000-0x0000000001D4C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1932-30-0x0000000001D00000-0x0000000001D4C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1932-31-0x0000000001D00000-0x0000000001D4C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1932-33-0x0000000001D00000-0x0000000001D4C000-memory.dmp

    Filesize

    304KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.