Analysis

  • max time kernel
    159s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/12/2023, 20:34

General

  • Target

    034952c93a87e5465783cea13800fbcd.exe

  • Size

    154KB

  • MD5

    034952c93a87e5465783cea13800fbcd

  • SHA1

    f0fdb581db3183ea3d0a40f4e6386bb310dac4b8

  • SHA256

    f9d61f1953345a0da112b6653fbe72292c73ba8e67f875c0b60e0c8f05f4d024

  • SHA512

    1a8d85efd59936156c68fae0018aa6a65f6fb210edc620b703d4218136034165006022c0fdb87a29eeed738e9bf5a1f940bd81f29a2d94067cae3c8389673a90

  • SSDEEP

    3072:r0Cc0k/A9aXfaOxMy/+wErSdhz2ZJsZ4CDl5sgqu3W+YlLsQ0i:rW0kXXfaOxMy/+wE6UZJsZ4Clqu3gL

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\034952c93a87e5465783cea13800fbcd.exe
    "C:\Users\Admin\AppData\Local\Temp\034952c93a87e5465783cea13800fbcd.exe"
    • Suspicious use of WriteProcessMemory
    PID:5060
    • C:\Windows\SysWOW64\RUNDLL32.EXE
      RUNDLL32.EXE "C:\ProgramData\Microsoft\PDA\TVT.DLL" VzcPlqsyj 0 "C:\Users\Admin\AppData\Local\Temp\034952c93a87e5465783cea13800fbcd.exe"
      • Deletes itself
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1704
      • C:\Windows\SysWOW64\RUNDLL32.EXE
        RUNDLL32.EXE "C:\ProgramData\Microsoft\PDA\TVT.DLL" VzcPlqsyj 3
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:396

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Microsoft\PDA\TVT.DLL

    Filesize

    153KB

    MD5

    8794b968b5c3fbefa9a65405e70d0c71

    SHA1

    cfa55a57682f5cdb370fc7e9bca102ad6e9397e9

    SHA256

    ffa7b06212eeb312e28e41bd599ab9ee7b784d2b0dde50e6802db1e40d875f90

    SHA512

    96b1f68f9a13578d9d44dfb1ffb7c076c0d35ec59bde3c246b1b38c81a5a3a0febba76cd9a805521f4bc845449588f81e98ade2c10c58928df7f3d6a58eda639

  • C:\ProgramData\Microsoft\PDA\TVT.DLL

    Filesize

    134KB

    MD5

    3dee15921e7e4b1b87e7c8916e02748f

    SHA1

    8fe371a5cc6ae340fdb8237477a02d1bb8e8b125

    SHA256

    4924b9e1511aee61e5d29e5b60a4dcbed493ab9f83aeebfef95531e356131247

    SHA512

    2da0990862f02024562f07e6a8054b1c6610df9f5aab743c370b23867bb2f1e8469a9df28f55d215a1c36a2093c4f940daa817506782b905cc62e7877e7de72e

  • C:\ProgramData\Microsoft\PDA\TVT.DLL

    Filesize

    108KB

    MD5

    67db607fc24f6673f5642231c72c6148

    SHA1

    9a1b0d71368976cec43f89ad82814946ab1dc576

    SHA256

    efc38899ab35a2943a4cb57e329fc9deb113ad0e9467bc677e2e5b7bf1515e0c

    SHA512

    29ec9bde65ecf46325988776151b61d269921babdcec85507f95a45015a3e0a67e2644f835a0c692305d237488b24f7f38cacbba6d8b24204a6fe9ed3100dfe2