Analysis

  • max time kernel: 150s
  • max time network: 153s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231215-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 29/12/2023, 23:48

General

  • Target: 077dcb6c8134902c078acdfe0ee2c3b8.dll
  • Size: 628KB
  • MD5: 077dcb6c8134902c078acdfe0ee2c3b8
  • SHA1: 6a9552a76f4384a324ab029e9bc8bf64f88ce65d
  • SHA256: 4be7afa2d5daa1b0207ae18bb652a8c184a9f2d1f08ded6273fa0ed6875f45c8
  • SHA512: 65adddd45cae47ea55251caa22bea172285e738c2a6a7745e4dcb6e36fcd0a3f4ca4139b52566b8e6e510c286cfcaa1bdc14f5e89a6a723040bee5dc233d3b2b
  • SSDEEP: 12288:MnCsLfthen/RApUKlmR4IHGGX+0W/kRwJ+T0BiNgLl+pwt8aE:MnLfthKAUKlmRHGGF8AwjBiNgLHt8T

Signatures

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)
    BHOs are DLL modules which act as plugins for Internet Explorer.
  • Modifies Internet Explorer settings (1 TTP, 47 IoCs)
  • Modifies registry class (5 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Windows\system32\regsvr32.exe (PID 3800)
    Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\077dcb6c8134902c078acdfe0ee2c3b8.dll
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\regsvr32.exe (PID 1160)
      Command line: /s C:\Users\Admin\AppData\Local\Temp\077dcb6c8134902c078acdfe0ee2c3b8.dll
      • Adds Run key to start application
      • Installs/modifies Browser Helper Object
      • Modifies registry class
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe (PID 2720)
    Command line: "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    • C:\Program Files\Internet Explorer\iexplore.exe (PID 2600)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1728)
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2600 CREDAT:17410 /prefetch:2
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verBBBE.tmp
    Filesize: 15KB
    MD5: 1a545d0052b581fbb2ab4c52133846bc
    SHA1: 62f3266a9b9925cd6d98658b92adec673cbe3dd3
    SHA256: 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
    SHA512: bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0SGFK56Z\errorPageStrings[1]
    Filesize: 4KB
    MD5: d65ec06f21c379c87040b83cc1abac6b
    SHA1: 208d0a0bb775661758394be7e4afb18357e46c8b
    SHA256: a1270e90cea31b46432ec44731bf4400d22b38eb2855326bf934fe8f1b169a4f
    SHA512: 8a166d26b49a5d95aea49bc649e5ea58786a2191f4d2adac6f5fbb7523940ce4482d6a2502aa870a931224f215cb2010a8c9b99a2c1820150e4d365cab28299e

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BMK4G1YN\down[2]
    Filesize: 748B
    MD5: c4f558c4c8b56858f15c09037cd6625a
    SHA1: ee497cc061d6a7a59bb66defea65f9a8145ba240
    SHA256: 39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781
    SHA512: d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BMK4G1YN\httpErrorPagesScripts[2]
    Filesize: 11KB
    MD5: 9234071287e637f85d721463c488704c
    SHA1: cca09b1e0fba38ba29d3972ed8dcecefdef8c152
    SHA256: 65cc039890c7ceb927ce40f6f199d74e49b8058c3f8a6e22e8f916ad90ea8649
    SHA512: 87d691987e7a2f69ad8605f35f94241ab7e68ad4f55ad384f1f0d40dc59ffd1432c758123661ee39443d624c881b01dcd228a67afb8700fe5e66fc794a6c0384

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ISEWAASI\dnserror[1]
    Filesize: 2KB
    MD5: 2dc61eb461da1436f5d22bce51425660
    SHA1: e1b79bcab0f073868079d807faec669596dc46c1
    SHA256: acdeb4966289b6ce46ecc879531f85e9c6f94b718aab521d38e2e00f7f7f7993
    SHA512: a88becb4fbddc5afc55e4dc0135af714a3eec4a63810ae5a989f2cecb824a686165d3cedb8cbd8f35c7e5b9f4136c29dea32736aabb451fe8088b978b493ac6d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QTPKWBD2\NewErrorPageTemplate[2]
    Filesize: 1KB
    MD5: dfeabde84792228093a5a270352395b6
    SHA1: e41258c9576721025926326f76063c2305586f76
    SHA256: 77b138ab5d0a90ff04648c26addd5e414cc178165e3b54a4cb3739da0f58e075
    SHA512: e256f603e67335151bb709294749794e2e3085f4063c623461a0b3decbcca8e620807b707ec9bcbe36dcd7d639c55753da0495be85b4ae5fb6bfc52ab4b284fd

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QTPKWBD2\suggestions[1].en-US
    Filesize: 17KB
    MD5: 5a34cb996293fde2cb7a4ac89587393a
    SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
    SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
    SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee