Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
145s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
23/10/2023, 17:40
Static task
static1
Behavioral task
behavioral1
Sample
29d86377ab1b8f4167aa1635fb27aa88144b831de08f7eb0c674c5008d1ebd9d.dll
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
29d86377ab1b8f4167aa1635fb27aa88144b831de08f7eb0c674c5008d1ebd9d.dll
Resource
win10v2004-20231023-en
General
-
Target
29d86377ab1b8f4167aa1635fb27aa88144b831de08f7eb0c674c5008d1ebd9d.dll
-
Size
240KB
-
MD5
7a80cf9a5d63c498231ee4006edfcc72
-
SHA1
b22ec6e91a8b7f20025073cd4f9922942e371412
-
SHA256
29d86377ab1b8f4167aa1635fb27aa88144b831de08f7eb0c674c5008d1ebd9d
-
SHA512
581cb1307c95a679e6246af60cc962467804d19c116e9f7e041c2f52a2a9e15bfec378d285449ed847df9d158ccae063a3cf837e33928405cb1474050775aed5
-
SSDEEP
6144:65r3lV6n42+3WSKhxD8RVo2rcaGKNqAwyotp21:6C+3xWDY9IpKNTwyom
Malware Config
Signatures
-
Blocklisted process makes network request 5 IoCs
flow pid Process 19 840 rundll32.exe 20 840 rundll32.exe 22 840 rundll32.exe 23 840 rundll32.exe 25 840 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Platform = "C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\29d86377ab1b8f4167aa1635fb27aa88144b831de08f7eb0c674c5008d1ebd9d.dll\",Erase" rundll32.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\k: rundll32.exe File opened (read-only) \??\o: rundll32.exe File opened (read-only) \??\s: rundll32.exe File opened (read-only) \??\v: rundll32.exe File opened (read-only) \??\w: rundll32.exe File opened (read-only) \??\a: rundll32.exe File opened (read-only) \??\b: rundll32.exe File opened (read-only) \??\m: rundll32.exe File opened (read-only) \??\r: rundll32.exe File opened (read-only) \??\t: rundll32.exe File opened (read-only) \??\g: rundll32.exe File opened (read-only) \??\i: rundll32.exe File opened (read-only) \??\l: rundll32.exe File opened (read-only) \??\n: rundll32.exe File opened (read-only) \??\p: rundll32.exe File opened (read-only) \??\q: rundll32.exe File opened (read-only) \??\u: rundll32.exe File opened (read-only) \??\x: rundll32.exe File opened (read-only) \??\y: rundll32.exe File opened (read-only) \??\e: rundll32.exe File opened (read-only) \??\h: rundll32.exe File opened (read-only) \??\j: rundll32.exe File opened (read-only) \??\z: rundll32.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 rundll32.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 840 rundll32.exe 840 rundll32.exe 840 rundll32.exe 840 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 840 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 208 wrote to memory of 840 208 rundll32.exe 84 PID 208 wrote to memory of 840 208 rundll32.exe 84 PID 208 wrote to memory of 840 208 rundll32.exe 84
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\29d86377ab1b8f4167aa1635fb27aa88144b831de08f7eb0c674c5008d1ebd9d.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:208 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\29d86377ab1b8f4167aa1635fb27aa88144b831de08f7eb0c674c5008d1ebd9d.dll,#12⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:840
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1