Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel: 149s
  max time network: 146s
  platform: windows10-2004_x64
  resource: win10v2004-20231215-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 24/12/2023, 16:03
Static task: static1
Behavioral task: behavioral1
  Sample: 04cc43bb4a21ce1e4970fece41622730.dll
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 04cc43bb4a21ce1e4970fece41622730.dll
  Resource: win10v2004-20231215-en
General
  Target: 04cc43bb4a21ce1e4970fece41622730.dll
  Size: 237KB
  MD5: 04cc43bb4a21ce1e4970fece41622730
  SHA1: 534665a7767056ff2c476165fa04afcee8c074c5
  SHA256: e56b4bd66250725d8eec4a1e2953acb46cdd30c3ba3ad159079f6980554294a0
  SHA512: d5d006bbadbbe6b9714d205fd16acd74970102e1e1233af42fdb0ddd4abffa40998a91a1056d56888d1d11ae41c411b7f2cbf5c0528f92c5ac20c2100ba98d2f
  SSDEEP: 1536:v62JJyFkQk+oE0XCTsT2xGaPsK/shfHOAP38fgkFRd5vIrfG8GRwk/p:v62HJE0XIGaT/scK32RXvISwkB
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 2 IoCs)
  Description | IoC | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\tkpfzuxcy = "{9c919e30-1419-696e-252a-141916b88959}" | rundll32.exe
- Loads dropped DLL (2 IoCs)
  PID | Process
  1844 | rundll32.exe
  1844 | rundll32.exe
- Drops file in System32 directory (4 IoCs)
  Description | IoC | Process
  File created | C:\Windows\SysWOW64\gxcsmhkpl.dll | rundll32.exe
  File opened for modification | C:\Windows\SysWOW64\gxcsmhkpl.dll | rundll32.exe
  File created | C:\Windows\SysWOW64\sjoeytwbx.dll | rundll32.exe
  File created | C:\Windows\SysWOW64\ofkaupsxt.dll | rundll32.exe
- Modifies registry class (5 IoCs)
  Description | IoC | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9c919e30-1419-696e-252a-141916b88959}\InprocServer32\ = "C:\\Windows\\SysWow64\\ofkaupsxt.dll" | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9c919e30-1419-696e-252a-141916b88959}\InprocServer32\ThreadingModel = "Apartment" | rundll32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9c919e30-1419-696e-252a-141916b88959} | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9c919e30-1419-696e-252a-141916b88959}\ | rundll32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9c919e30-1419-696e-252a-141916b88959}\InprocServer32 | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID | Process
  1844 | rundll32.exe
  1844 | rundll32.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Description | PID | Process
  Token: SeDebugPrivilege | 1844 | rundll32.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID | Process
  1844 | rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Description | PID | Process | procid_target
  PID 4312 wrote to memory of 1844 | 4312 | rundll32.exe | 14
  PID 4312 wrote to memory of 1844 | 4312 | rundll32.exe | 14
  PID 4312 wrote to memory of 1844 | 4312 | rundll32.exe | 14
Processes
- C:\Windows\SysWOW64\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\04cc43bb4a21ce1e4970fece41622730.dll,#1
  PID: 1844
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\04cc43bb4a21ce1e4970fece41622730.dll,#1
  PID: 4312
  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 119KB
  MD5: 32cc4d862b7db58a6d11dff2e5bfe4e9
  SHA1: 4bfbf8adc27764bfd5ab3396c235406db6eb2b37
  SHA256: 84d030235d0e105e42aba36fc7b5c2bd87eb7605896b0aa32b203c0dfb5f3b09
  SHA512: 511dab27714e50da81ca46779e0ce57cc2e115c545780b87571bdac8fa0fb28d667209e2874247f6146620678ad9e9befac9ffb4ef8ed45f727c6b68fb71cb85
- Filesize: 183KB
  MD5: dd6837d132bb702a7d6b8b11e4ec595f
  SHA1: c76ba49109f967fae5900a2eb5896bfedd77e32f
  SHA256: 32658a06fb0b99f91927947ceeedcb1eb4512ebb56de79d8a3b94fe59d6095d8
  SHA512: 5241cf1a50e6ca88151d654acd403cc501cf292c78a5eef896bd2c229d3205d07bc09c20139db6d30fdc1b18cfc49c1072b851c1f72532b0d7bfccb15d77a525
- Filesize: 139KB
  MD5: c07602ebe0b2720a8c021b5e3af7564d
  SHA1: 2d9bbe908b0cf3d6565fb12cf34348e5cf3979db
  SHA256: e026ae96ed173c42d292b57f92a894656505aa4ea647bab83cd965628bd9fa09
  SHA512: 6afd06894e28b0d4ac888a7d46ce059e0a79e9e9c70a906ff2654dab64f225788926a8a9e7ee64331b5a58162415a2bc1ea0825fe656204a8d3ef386564daabc