Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

1ddec479b1...a3.dll

windows7-x64

10

1ddec479b1...a3.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2023, 22:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1ddec479b1a7579fc52c734510473aa3.dll

  • Size

    137KB

  • MD5

    1ddec479b1a7579fc52c734510473aa3

  • SHA1

    960b1b4292c2a73fbe3c04a1ff938ffd76981620

  • SHA256

    087153ed5bb9bb9807e37a8fd745a16a634497a842896f232ab4cfb54197ba00

  • SHA512

    02c67f543a9ec456679e5fa30f9a2ea453bed95393d96de5f409605626cf9d968b50ad27151fb925253029d20a43507020bc6adf20b2ae037471ea2fe46177de

  • SSDEEP

    3072:wUJ9sXDS+LpeJ+zbCWS6FFswY0uYGpCM:ZsXDNBzbC76FFsjE

Score
10/10
cobaltstrikebackdoortrojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://162.244.80.46:80/components/mt.ico

Attributes
  • user_agent

    Host: loikdo.com Connection: close Accept-Encoding: br User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1ddec479b1a7579fc52c734510473aa3.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2740
    • C:\Windows\system32\cmd.exe
      cmd.exe /c echo FAOqxPwqZlkwNsCeERGZufOugRshkCoFLY>"C:\Users\Admin\AppData\Local\Temp\DEM8B8D.tmp"&exit
      2⤵
        PID:2376

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\DEM8B8D.tmp
      Filesize

      36B

      MD5

      07624cd821003a28a77adcb159242c3e

      SHA1

      c1226a35672387b6c82335efcbf6b7c44737f1d8

      SHA256

      78453f7d45b69b7be3fa921c36f6098fdfd36429aa279aca32504bbdf33ddbdb

      SHA512

      1fb7317b8c26ef0b0b105fc9a84597bed74cfbc3e9e3a0632c93ab0627f03fe52431b9ed45c08812b7c485081a5882550e557a503c4e126d32c8adde375f4464

      Download Submit

    • memory/2740-2-0x0000000000210000-0x0000000000211000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2740-3-0x000000006BAC0000-0x000000006BAEA000-memory.dmp

      Filesize

      168KB

      Download

    • memory/2740-5-0x0000000002B30000-0x0000000002F30000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2740-6-0x0000000002B30000-0x0000000002F30000-memory.dmp

      Filesize

      4.0MB

      Download