Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

00b58e4f85...33.dll

windows10-1703-x64

7

Analysis

  • max time kernel
    67s
  • max time network
    73s
  • platform
    windows10-1703_x64
  • resource
    win10-20231023-en
  • resource tags

    arch:x64arch:x86image:win10-20231023-enlocale:en-usos:windows10-1703-x64system
  • submitted
    21/11/2023, 21:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    00b58e4f8525161379681c1532f83e7b85f432933d35dc139ec85bb680ddf633.dll

  • Size

    180KB

  • MD5

    3a3fee2e8e1abdd99a020eeb8ee2d271

  • SHA1

    4bf22a850b047906f63590f078047e110bbc0445

  • SHA256

    00b58e4f8525161379681c1532f83e7b85f432933d35dc139ec85bb680ddf633

  • SHA512

    3d069855a785b21267912ec70b866f603ddd6ad9574d8843bde594a5c5fe3913c6e2722823912e3dcc675f3072c41f0d98a5992525437d930553d12f148569b6

  • SSDEEP

    3072:TtnUNALmVZvvGBeQYLjpLIAq2tn2TBfki43y97FozS4Oq1sqH73oGN:p4LvkwLjpVqun2TB8i4i0zLOosqHkG

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies registry class 12 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 35 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\00b58e4f8525161379681c1532f83e7b85f432933d35dc139ec85bb680ddf633.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:444
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\00b58e4f8525161379681c1532f83e7b85f432933d35dc139ec85bb680ddf633.dll,#1
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4160
      • C:\Users\Admin\AppData\Local\Temp\msupdate.exe
        C:\Users\Admin\AppData\Local\Temp\msupdate.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:5008
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32 C:\Windows\MSAgent\AGENTCPD.DLL _start@16 0
          4⤵
          • Suspicious use of FindShellTrayWindow
          PID:192
  • C:\Windows\system32\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\UnprotectFind.jfif" /ForceBootstrapPaint3D
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:3776
  • C:\Windows\system32\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\UnprotectFind.jfif" /ForceBootstrapPaint3D
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:4580
  • C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
    "C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2268

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json
    Filesize

    2B

    MD5

    d751713988987e9331980363e24189ce

    SHA1

    97d170e1550eee4afc0af065b78cda302a97674c

    SHA256

    4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

    SHA512

    b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json
    Filesize

    233B

    MD5

    8f50a33baa3103a222b667e0a5afc0f5

    SHA1

    e72a69359ff679f22dd06f9547aa51320c06772b

    SHA256

    ad3124c9ae37797bb508d985cb079f344689c91619901139225d1eeee8592c74

    SHA512

    ad9a79080cec051975e2dca86585a8fefb817c1f12b1c0e0d69022d186f1fcccb9dad081fa0b963dd76c8186deb68f03cda6515c8de06b63dfbaa6d71bc04e6d

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json
    Filesize

    2KB

    MD5

    404a3ec24e3ebf45be65e77f75990825

    SHA1

    1e05647cf0a74cedfdeabfa3e8ee33b919780a61

    SHA256

    cc45905af3aaa62601a69c748a06a2fa48eca3b28d44d8ec18764a7e8e4c3da2

    SHA512

    a55382b72267375821b0a229d3529ed54cef0f295f550d1e95661bafccec606aa1cd72e059d37d78e7d2927ae72e2919941251d233152f5eeb32ffdfc96023e5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\msupdate.exe
    Filesize

    104KB

    MD5

    4092cd7ba067a1b3fd89ff188e5d9fb7

    SHA1

    614a2edc4b58ce68180b29cdd4e5d650f0467c8a

    SHA256

    861a87f13cbe612ee5f422864b86f6f45c83c8b9fdd31b9a331bad46d7dc1850

    SHA512

    79b2db577deef4fb58a98f20834646c789edc6d3f2ecd7cdfaca46ed9923042dab77ef6b59fc7f3b11df99944c5c6469ce0f35776e572637f4720f2fbcd8c63b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\msupdate.exe
    Filesize

    104KB

    MD5

    4092cd7ba067a1b3fd89ff188e5d9fb7

    SHA1

    614a2edc4b58ce68180b29cdd4e5d650f0467c8a

    SHA256

    861a87f13cbe612ee5f422864b86f6f45c83c8b9fdd31b9a331bad46d7dc1850

    SHA512

    79b2db577deef4fb58a98f20834646c789edc6d3f2ecd7cdfaca46ed9923042dab77ef6b59fc7f3b11df99944c5c6469ce0f35776e572637f4720f2fbcd8c63b

    Download Submit

  • C:\Windows\SysWOW64\shelldoc.dll
    Filesize

    52KB

    MD5

    03f8cfdf5e6d9ecdff1cab3e47d39f44

    SHA1

    a9fbfe65a3d44a55bfdf0bd01c6c61f436139447

    SHA256

    6eb00b34d1daffa49b2f4c90841705b2c994563bde672bf35eb1c46cdb19a1ed

    SHA512

    6e7cec13f27e602bf5105c1f34417d4ceb2ce614a9b4cbe0636a8af68988348297ed5300ece7d4af802c23d476dcb9d0dc528b0b8efb85a64302f07b8af0ea5c

    Download Submit

  • \Windows\SysWOW64\shelldoc.dll
    Filesize

    52KB

    MD5

    03f8cfdf5e6d9ecdff1cab3e47d39f44

    SHA1

    a9fbfe65a3d44a55bfdf0bd01c6c61f436139447

    SHA256

    6eb00b34d1daffa49b2f4c90841705b2c994563bde672bf35eb1c46cdb19a1ed

    SHA512

    6e7cec13f27e602bf5105c1f34417d4ceb2ce614a9b4cbe0636a8af68988348297ed5300ece7d4af802c23d476dcb9d0dc528b0b8efb85a64302f07b8af0ea5c

    Download Submit

  • \Windows\SysWOW64\shelldoc.dll
    Filesize

    52KB

    MD5

    03f8cfdf5e6d9ecdff1cab3e47d39f44

    SHA1

    a9fbfe65a3d44a55bfdf0bd01c6c61f436139447

    SHA256

    6eb00b34d1daffa49b2f4c90841705b2c994563bde672bf35eb1c46cdb19a1ed

    SHA512

    6e7cec13f27e602bf5105c1f34417d4ceb2ce614a9b4cbe0636a8af68988348297ed5300ece7d4af802c23d476dcb9d0dc528b0b8efb85a64302f07b8af0ea5c

    Download Submit

  • memory/4160-12-0x0000000000800000-0x000000000080F000-memory.dmp

    Filesize

    60KB

    Download