Analysis
max time kernel: 188s
max time network: 205s
platform: windows10-2004_x64
resource: win10v2004-20231025-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231025-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/11/2023, 16:58
Static task
static1

General
Target: 27b1a426cbe8250b695562c84407f117df248f61652364d1c2ecfcc55e77e1b1.dll
Size: 73KB
MD5: 82cda6dff0369daf45c2d87fc255b17e
SHA1: 7df4aca8422e249dc8c6a62411f13d8c41a5f3ab
SHA256: 27b1a426cbe8250b695562c84407f117df248f61652364d1c2ecfcc55e77e1b1
SHA512: 702035147472943c34734386394262331a3b3c82fe95f819c9f3ee48abcf213328db0a0c625abbcbe8ceafa5325641c2c132c11f61207ffcb946db9608dc0185
SSDEEP: 1536:awsdCFnE4Nz1/SXPtpoprAeDYxUfGChK5O:awsAik1a4pGChK5O
Malware Config
Signatures

UAC bypass 1 IoCs
NfsRL2.exe sets ConsentPromptBehaviorAdmin to 0, which switches the UAC prompt for administrators to "Elevate without prompting". This is a write under HKLM, so the process already holds administrative rights when it makes the change; the effect is that later elevations by this account no longer prompt.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | NfsRL2.exe

Blocklisted process makes network request 1 IoCs
flow | pid | Process
41 | 5048 | rundll32.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | rundll32.exe

Executes dropped EXE 1 IoCs
pid | Process
4316 | NfsRL2.exe

UPX packed file 6 IoCs
The yara rule matches both the dropped file on disk and the memory image of the process that runs it.
resource | yara_rule
behavioral1/files/0x0009000000022df1-10.dat | upx
behavioral1/files/0x0009000000022df1-16.dat | upx
behavioral1/files/0x0009000000022df1-17.dat | upx
behavioral1/memory/4316-18-0x0000000000400000-0x0000000000558000-memory.dmp | upx
behavioral1/memory/4316-39-0x0000000000400000-0x0000000000558000-memory.dmp | upx
behavioral1/memory/4316-58-0x0000000000400000-0x0000000000558000-memory.dmp | upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | entries
5048 | rundll32.exe | 2
4316 | NfsRL2.exe | 62

Suspicious use of SetWindowsHookEx 3 IoCs
pid | Process | entries
4316 | NfsRL2.exe | 3

Suspicious use of WriteProcessMemory 9 IoCs
Each parent-to-child write is logged three times; the chain is rundll32.exe (3324) -> rundll32.exe (5048) -> NfsRL2.exe (4316) -> cmd.exe (4416).
description | pid | Process | procid_target | entries
PID 3324 wrote to memory of 5048 | 3324 | rundll32.exe | 86 | 3
PID 5048 wrote to memory of 4316 | 5048 | rundll32.exe | 97 | 3
PID 4316 wrote to memory of 4416 | 4316 | NfsRL2.exe | 102 | 3

System policy modification 1 TTPs 1 IoCs
Same registry write as the UAC bypass signature above.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | NfsRL2.exe
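The "UPX packed file" hits above come from a yara rule the sandbox ran; the following is an added, stand-alone check (written for this page, not Triage's rule and not code from the sample) that a practitioner can run on a dropped file to see why it looks packed. It parses the PE section table and reports two independent indicators: the default UPX0/UPX1 section names, and the packer layout itself (a first section with no data on disk but a large virtual size, which the stub fills at run time). The three PE images are constructed in the script so it runs offline; their section sizes are illustrative, not taken from the dropped file.

```python
import struct


def build_pe(section_specs):
    """Build a minimal MZ/PE32 header plus section table (constructed test data, no code)
    from (name, VirtualSize, VirtualAddress, SizeOfRawData, Characteristics) tuples."""
    e_lfanew = 0x40
    opt_size = 0xE0                       # size of a PE32 optional header
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + bytes(opt_size - 2)   # Magic = PE32, rest zeroed
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr, rsize, 0, 0, 0, 0, 0, chars)
        for name, vsize, vaddr, rsize, chars in section_specs)
    return bytes(dos) + b"PE\0\0" + coff + opt + table


def pe_sections(data):
    """Return [(name, VirtualSize, SizeOfRawData)] for every section of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size          # section table follows the optional header
    out = []
    for i in range(nsections):
        name, vsize, _vaddr, rsize = struct.unpack_from("<8sIII", data, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rsize))
    return out


def upx_indicators(data):
    """Two independent signs of UPX packing. 'upx_names': the default UPX0/UPX1 section
    names. 'virtual_only_first_section': the layout UPX produces, a first section with
    SizeOfRawData 0 (nothing on disk) whose VirtualSize exceeds the packed data that
    follows it. The layout test is a generic packer heuristic and survives renamed sections,
    but it also fires on other packers, so report both signals rather than one verdict."""
    secs = pe_sections(data)
    names = [s[0] for s in secs]
    by_name = "UPX0" in names and "UPX1" in names
    by_layout = len(secs) >= 2 and secs[0][2] == 0 and secs[0][1] > secs[1][2] > 0
    return {"upx_names": by_name, "virtual_only_first_section": by_layout}


def looks_upx_packed(data):
    return any(upx_indicators(data).values())


# Constructed sample images: a stock UPX layout, the same layout with renamed sections,
# and an ordinary unpacked image.
PACKED = build_pe([(b"UPX0", 0x157000, 0x1000, 0, 0xE0000080),
                   (b"UPX1", 0x1F000, 0x158000, 0x1E200, 0xE0000040),
                   (b".rsrc", 0x1000, 0x177000, 0x600, 0xC0000040)])
RENAMED = build_pe([(b".text", 0x157000, 0x1000, 0, 0xE0000080),
                    (b".data", 0x1F000, 0x158000, 0x1E200, 0xE0000040),
                    (b".rsrc", 0x1000, 0x177000, 0x600, 0xC0000040)])
UNPACKED = build_pe([(b".text", 0x8000, 0x1000, 0x8000, 0x60000020),
                     (b".rdata", 0x2000, 0x9000, 0x2000, 0x40000040),
                     (b".data", 0x3000, 0xB000, 0x1000, 0xC0000040)])

if __name__ == "__main__":
    for label, img in (("packed", PACKED), ("renamed", RENAMED), ("unpacked", UNPACKED)):
        print(label, pe_sections(img), upx_indicators(img))
```

To run it on a real dropped file, replace the constructed image with `open(path, "rb").read()`. When the names are intact, `upx -l <file>` from the UPX tool gives the same answer and `upx -d` restores the original image for static analysis; when only the layout test fires, the file needs a manual unpack or the memory dump listed in the signature.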
Processes (indented by depth)
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\27b1a426cbe8250b695562c84407f117df248f61652364d1c2ecfcc55e77e1b1.dll,#1
  PID: 3324
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\27b1a426cbe8250b695562c84407f117df248f61652364d1c2ecfcc55e77e1b1.dll,#1
    PID: 5048
    (the 64-bit rundll32.exe re-launches the 32-bit SysWOW64 copy because the DLL is a 32-bit image; the export is called by ordinal, #1)
    - Blocklisted process makes network request
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\ProgramData\dC9nH\NfsRL2.exe
      command line: "C:\ProgramData\dC9nH\NfsRL2.exe"
      PID: 4316
      - UAC bypass
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
      C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c echo.>c:\xxxx.ini
        PID: 4416
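The signatures and the process tree above describe four behaviours an analyst would want to catch on an endpoint, not only in the sandbox: a DLL export called by ordinal from a user temp directory, a read of the configured country code before acting, rundll32.exe starting an executable out of C:\ProgramData, and the HKLM write that sets ConsentPromptBehaviorAdmin to 0. The script below is an added example written for this page (not Triage's signature code) that applies those four rules to event records. The records are constructed from the report's own tables, with one benign control event added; the event schema (proc/regset/regquery) is this example's own, and the UAC rule goes slightly beyond the report by also treating EnableLUA = 0 and PromptOnSecureDesktop = 0 as prompt-weakening writes.

```python
import re
from typing import NamedTuple


class Event(NamedTuple):
    kind: str      # "proc" = process start, "regset" = registry value written, "regquery" = value read
    pid: int
    process: str   # image file name of the acting process
    data: dict     # kind-specific fields, see SAMPLE_EVENTS


DLL = "27b1a426cbe8250b695562c84407f117df248f61652364d1c2ecfcc55e77e1b1.dll"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
SID = "S-1-5-21-177160434-2093019976-369403398-1000"

# Event records constructed from the tables in this report plus one benign control event;
# this is not the sandbox's raw log and the schema is this example's own.
SAMPLE_EVENTS = [
    Event("proc", 3324, "rundll32.exe", {"ppid": 1, "image": r"C:\Windows\system32\rundll32.exe",
                                          "cmdline": f"rundll32.exe {TEMP}\\{DLL},#1"}),
    Event("proc", 5048, "rundll32.exe", {"ppid": 3324, "image": r"C:\Windows\SysWOW64\rundll32.exe",
                                          "cmdline": f"rundll32.exe {TEMP}\\{DLL},#1"}),
    Event("regquery", 5048, "rundll32.exe",
          {"key": f"HKU\\{SID}\\Control Panel\\International\\Geo\\Nation"}),
    Event("proc", 4316, "NfsRL2.exe", {"ppid": 5048, "image": r"C:\ProgramData\dC9nH\NfsRL2.exe",
                                        "cmdline": r'"C:\ProgramData\dC9nH\NfsRL2.exe"'}),
    Event("regset", 4316, "NfsRL2.exe", {"key": UAC_KEY + r"\ConsentPromptBehaviorAdmin", "value": 0}),
    Event("proc", 4416, "cmd.exe", {"ppid": 4316, "image": r"C:\Windows\SysWOW64\cmd.exe",
                                     "cmdline": r"cmd /c echo.>c:\xxxx.ini"}),
    # Benign control (constructed): an admin console restoring the default prompt level (5) must not fire.
    Event("regset", 900, "mmc.exe", {"key": UAC_KEY + r"\ConsentPromptBehaviorAdmin", "value": 5}),
]

# Writing 0 to any of these weakens UAC: ConsentPromptBehaviorAdmin=0 is "elevate without
# prompting", EnableLUA=0 turns UAC off, PromptOnSecureDesktop=0 drops the secure desktop.
UAC_VALUES = {"ConsentPromptBehaviorAdmin", "EnableLUA", "PromptOnSecureDesktop"}
USER_WRITABLE = re.compile(r"^[a-z]:\\(programdata|users\\[^\\]+\\appdata)\\", re.I)
RUNDLL_ARGS = re.compile(r'\s+"?([^"]+?\.dll)"?\s*,\s*(#?\w+)', re.I)   # <dll path>,<export>


def analyze(events):
    """Apply the four rules; return a list of {"rule", "pid", "process", "detail"} findings."""
    procs = {ev.pid: ev for ev in events if ev.kind == "proc"}   # pid -> start event, for parent lookup
    findings = []

    def hit(rule, ev, detail):
        findings.append({"rule": rule, "pid": ev.pid, "process": ev.process, "detail": detail})

    for ev in events:
        if ev.kind == "regset":
            key = ev.data["key"]
            name = key.rsplit("\\", 1)[-1]
            if "\\Policies\\System\\" in key and name in UAC_VALUES and ev.data["value"] == 0:
                hit("uac_prompt_disabled", ev, f"{name} = 0")
        elif ev.kind == "regquery":
            if ev.data["key"].lower().endswith(r"\control panel\international\geo\nation"):
                hit("geofence_lookup", ev, "reads configured country code")
        elif ev.kind == "proc":
            image = ev.data["image"]
            parent = procs.get(ev.data["ppid"])
            # Dropped payload: rundll32.exe starting an EXE from a user-writable directory.
            if parent and parent.process.lower() == "rundll32.exe" and USER_WRITABLE.match(image):
                hit("rundll32_spawns_dropped_exe", ev, image)
            # Loader pattern: rundll32.exe calling an export by ordinal in a DLL from a user-writable path.
            m = RUNDLL_ARGS.search(ev.data["cmdline"]) if ev.process.lower() == "rundll32.exe" else None
            if m and m.group(2).startswith("#") and USER_WRITABLE.match(m.group(1)):
                hit("rundll32_ordinal_from_user_dir", ev, f"{m.group(1)},{m.group(2)}")
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['rule']:32} pid={f['pid']:<5} {f['process']:14} {f['detail']}")
```

On the constructed records the ordinal rule fires twice (once per rundll32.exe instance, since the 64-bit parent and the 32-bit child carry the same command line), the geofence and dropped-EXE rules once each, and the UAC rule once for PID 4316; the control write of value 5 produces nothing. Feeding real telemetry means mapping a source such as Sysmon events 1 and 13 onto the proc/regset records; registry reads like the Geo\Nation query are not logged by Sysmon and need a sandbox, ETW or EDR source.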
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 358KB
MD5: 88dc5511d1e562702be62538fa689250
SHA1: fb57c4bd0834c3d383206b06ef26446ddadbf5b2
SHA256: 4164667986e2d6279a8061b0f2c376af7ff56c475d687f821b6a4e476b09c749
SHA512: 170f7ecc158746721105eacfca89b52e03198a0f0d7b38a5829cf3bd1b71117aa565ed0abd9bd4925ecd817fb92fafb5b0dda3effb8e46be587fe197de84ee2e

Filesize: 132KB
MD5: 29748a35652b7141564bb12bfe0c1518
SHA1: 22185dfc9fd96cfe31e8c366873f0579123c907b
SHA256: eed2dee4085add557bcc6d695a1296bd00671c8a453ab13a6ae075d02aba7384
SHA512: 1ec1459dc1ea8497c3e44ce17110ebcc272a7ceea72f59f44083e3872f8999e0ac7eb58953fc0d57d00f331e5884c3c4b3d1307193379abff94fbb51c73056dc

Filesize: 525KB (the same file is listed three times)
MD5: 6a1a6f99898c8e80ba2dcc123d94dcee
SHA1: 5ffeb81a5699d75eef7157017ca5cc5b5441e27e
SHA256: 796580bae30683b0b502dddfd0fd5574b91f3f1e72f67785df43654208990471
SHA512: 702802da0bb8e3c536ca290cd1cda88c1001bf4a5a6cf5f124c4d4599aae42948e966fdf8f2949ee1624778b128492411416b24dbfb7998131a4b4d27b9cb909

Filesize: 76KB
MD5: f53a690dbef87549d32c96d072c5de6c
SHA1: 76b5496fcada2ceca09eb105408854ab06f67e2f
SHA256: 442dc3f6a6205a0c90ee7df342d18bbd73380b7a1ecc465800dff662bb58e9e6
SHA512: 0d16a47e536f4070d6484599adece2e997f29d4a10e602fa81f0d5ec7c95780b000ea3170e119c279fad4cc337153f4843434cd5c34c728e2b62d73cd8b6bc29

Filesize: 6KB
MD5: e39405e85e09f64ccde0f59392317dd3
SHA1: 9c76db4b3d8c7972e7995ecfb1e3c47ee94fd14b
SHA256: cfd9677e1c0e10b1507f520c4ecd40f68db78154c0d4e6563403d540f3bf829f
SHA512: 6733f330145b48d23c023c664090f4f240e9bbeb8368b486c8ee8682ec6a930b73275e24075648d1aa7e01db1ec7b7e259286917a006ba9af8fb7cba3439070a

Filesize: 36KB
MD5: f6bf82a293b69aa5b47d4e2de305d45a
SHA1: 4948716616d4bbe68be2b4c5bf95350402d3f96f
SHA256: 6a9368cdd7b3ff9b590e206c3536569bc45c338966d0059784959f73fe6281e0
SHA512: edf0f3ee60a620cf886184c1014f38d0505aac9e3703d61d7074cfb27d6922f80e570d1a3891593606a09f1296a88c8770445761c11c390a99a5341ee56478aa