Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/12/2023, 01:43

General

  • Target

    4a2ddc9b32143ae5772e14f2d5308210.exe

  • Size

    68KB

  • MD5

    4a2ddc9b32143ae5772e14f2d5308210

  • SHA1

    899aadc58311ddb1e947a1dbe72e2bd98ff48b59

  • SHA256

    a53f8afa4f54cc77bb794afbeedcbac8b2c788dcaa46cf9a94affa137311bc2d

  • SHA512

    e1c506f39fefb7d4564daf92d17875c6819ab3a7abdcda8e65828d08fc40df0abddf97b77e33f09571c6954480c59c9dd20829dfbff3454e45580783243b564d

  • SSDEEP

    1536:TQk6VhqGK/IJHtv6gO1qkkJSnZjS1giN762oRfd3q19xZ2H:/6H9K/YHtvOqkkgn9iT+qc

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a2ddc9b32143ae5772e14f2d5308210.exe
    "C:\Users\Admin\AppData\Local\Temp\4a2ddc9b32143ae5772e14f2d5308210.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4820
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s C:\Windows\System32\ydile.dll
      2⤵
      • Loads dropped DLL
      • Modifies registry class
      PID:3952
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32 ccy154.dll , InstallMyDll
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • Suspicious behavior: EnumeratesProcesses
      PID:2656
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s C:\Windows\System32\taoba_1.dll
      2⤵
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Modifies registry class
      PID:4824
    • C:\Windows\SysWOW64\cpa_1.exe
      C:\Windows\System32\cpa_1.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3092
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 375519961O57540.bat
      2⤵
        PID:916
    • C:\Windows\SysWOW64\explorer.exe
      explorer
      1⤵
        PID:632
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:2692
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
        1⤵
          PID:3664

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\SysWOW64\ccy154.dll

          Filesize

          120KB

          MD5

          510f9a4c16b9141d29b7b723e0c15a21

          SHA1

          6162d7d76a6bcaf90d0e6f97eb8cf8558f264773

          SHA256

          15882f2024d91dcd9e95f6ae901868e8c862efb05855b5546d5c6ab0ba6a0cff

          SHA512

          c079327b0f8465cd94b4795f0c577504956306f84b4dd5cd9135c8f3ae61b6735ed2641dd767b44c97943cf0a97a0f71f99844eeddd7ae4c742b0e2f5f742d1f

        • C:\Windows\SysWOW64\ydile.dll

          Filesize

          48KB

          MD5

          538f79a36ca7a9f38a87f1a218df638d

          SHA1

          31fcd9c21011b8cb02f9320e1f58ca0ec00b0110

          SHA256

          3a20bb541e1ea1c0917ee77a4280baa563099209ee4a3f7c148edeab1cd813ea

          SHA512

          b4c58defc4fe57197c4dcd675bf15471c725ca5871f5faaeaf520c668efd1ea87a34efe11c78925e36d0839ccb3607b1639c55b1844d8c73e971bd0d0584e86c

        • memory/4820-0-0x0000000000400000-0x0000000000446000-memory.dmp

          Filesize

          280KB

        • memory/4820-7-0x0000000000400000-0x0000000000446000-memory.dmp

          Filesize

          280KB

        • memory/4820-22-0x0000000000400000-0x0000000000446000-memory.dmp

          Filesize

          280KB