Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

1

1306386da3...3b.exe

windows7-x64

7

1306386da3...3b.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    146s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/12/2023, 08:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1306386da358611407940f89342ca83b.exe

  • Size

    4.6MB

  • MD5

    1306386da358611407940f89342ca83b

  • SHA1

    764cf6b5e38e02b553e637e3b3fa39387c15ab8e

  • SHA256

    e8549034000f9633abb412a1cc7ef9b26d0d822a34890a91d32fedc386f0cce3

  • SHA512

    d4dbd6ccbf6fe7bd5077f72323be0f61f51e377404696dc1c10177470e92424d8a39585bdcbe59dbb509a8f7869396f897c508b263a1ece502af2d9a329935ec

  • SSDEEP

    98304:xa48Y1rxBxNw2MFVqN39+904/Wj9VcSm/IAWZGH9x1KEfYJ2nwftHVNYe/ValT:448YpPxYvqN90p/WMnIxUxwEfYJ2ncru

Score
7/10
bootkitdiscoverypersistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 64 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 5 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\1306386da358611407940f89342ca83b.exe
    "C:\Users\Admin\AppData\Local\Temp\1306386da358611407940f89342ca83b.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3868
    • C:\Program Files (x86)\DuoMi\dmdeskbox.exe
      "C:\Program Files (x86)\DuoMi\dmdeskbox.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:5060
    • C:\Program Files (x86)\DuoMi\DuoMi.exe
      "C:\Program Files (x86)\DuoMi\DuoMi.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3320
      • C:\Program Files (x86)\DuoMi\DuoMi.exe
        "C:\Program Files (x86)\DuoMi\DuoMi.exe" /p2p
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Writes to the Master Boot Record (MBR)
        • Drops file in Program Files directory
        • Suspicious use of SetWindowsHookEx
        PID:2648
  • C:\Program Files (x86)\DuoMi\dmdeskinfo.exe
    "C:\Program Files (x86)\DuoMi\dmdeskinfo.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:4872

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\DuoMi\DuoMi.exe
    Filesize

    464KB

    MD5

    f81a2916fecfea6cb3030247d6b2ef46

    SHA1

    8e9f47439eea0a513248cf1cdde6544af06d8214

    SHA256

    b30db602370e8a1e9a5fc27fba7b8093172fdc552dd32c3851468c52e1554638

    SHA512

    e4a2321bfd0c6e3d7042310ff1324fef5c40b7903a0e216e6b45bd57e52928cd6813d5828decf3d857338fde8fbd52ad13412c32ef56cd7d0277f191abedf3a3

    Download Submit

  • C:\Program Files (x86)\DuoMi\MFC71.DLL
    Filesize

    898KB

    MD5

    cb03282a31338a34260465d21552169c

    SHA1

    f7f7bc840024a2bbb0bcdaf46f48e82d19406b24

    SHA256

    2b78e4f9bb8f4ae7c64b594c23eda3d4cca9a89815503ca36accfac772b4d6d9

    SHA512

    0a7f8479db180d4ca8eada69ea25629b4a114b2176859f4172ff2d9ce8de844a493d4db27f0fd17e1d687c807c4086d49d47e3c42b69efa1754911610bf56bc1

    Download Submit

  • C:\Program Files (x86)\DuoMi\MSVCP71.dll
    Filesize

    488KB

    MD5

    561fa2abb31dfa8fab762145f81667c2

    SHA1

    c8ccb04eedac821a13fae314a2435192860c72b8

    SHA256

    df96156f6a548fd6fe5672918de5ae4509d3c810a57bffd2a91de45a3ed5b23b

    SHA512

    7d960aa8e3cce22d63a6723d7f00c195de7de83b877eca126e339e2d8cc9859e813e05c5c0a5671a75bb717243e9295fd13e5e17d8c6660eb59f5baee63a7c43

    Download Submit

  • C:\Program Files (x86)\DuoMi\dmcommon.dll
    Filesize

    664KB

    MD5

    4a8a7d3297e3e6c205825899dedd0186

    SHA1

    9f52b311f625135b3035fbcec51838061de7eb06

    SHA256

    329ffc6bdba46f9f3da249727ae4dc561761b9b541085de2800affdb09db3eb2

    SHA512

    8eb2b6936c251b0b318474f44ca41db2bf5ebaddcea8502f36e94f0941dd60adcf75db25db8910686f696d80132ad56760051ad9ed9929b7c992436ceb092676

    Download Submit

  • C:\Program Files (x86)\DuoMi\dmdeskbox.exe
    Filesize

    144KB

    MD5

    1ebd1a8de2525e6932e389a54d3bf392

    SHA1

    9927dec8dbaf5fd68828ecf2ca3092b98c77ec09

    SHA256

    674ff51e887870b594f17fc52645f9988e4fbc7cdcdeac6964e164ee5ec6d31f

    SHA512

    66606d88487675646d561d5fc4c2565aac5dfe32a6206be72f36d2622a6549347cc597ae57ea2f39577f5f57bd80e86caf182242368d7f1f9f2c00963915cde5

    Download Submit

  • C:\Program Files (x86)\DuoMi\dmlyric.dll
    Filesize

    40KB

    MD5

    9c68196558b44fe1f9c18771d7c646bc

    SHA1

    2b19191237746801d08842491d75ba0a564f8958

    SHA256

    25485fb6572626a3a85caab5e63bac60c71a33502d18706994541f72689fec3c

    SHA512

    516a961f7f56d8588a0bc765c80088abdd62f2776c98602a25418359cff6a45130adeed5de6420b7fadb4ade2927899f13b8989855adb206b15b5066a35dbc3c

    Download Submit

  • C:\Program Files (x86)\DuoMi\dmobject.dll
    Filesize

    73KB

    MD5

    824fc40bd871979a38101220a3e1faa1

    SHA1

    7fbe5ff358cc4c20ecb3c84219ce2cb43a40bcd9

    SHA256

    de9cddad2d4757149ad30a7b9051a0233a1b95cb50ff514f04ffc92c4d0bcfa2

    SHA512

    40e32018fec23a9c8f3537c6cb9815878b0a6f802b55e6fcb26bcee8203da27fa3fed88d0cdf5f7da881f0607a82f665f843f04d7b8072e10426ce4eed1e0e14

    Download Submit

  • C:\Program Files (x86)\DuoMi\mfc71.dll
    Filesize

    92KB

    MD5

    9f521e572689d7142cdb75295e254dfc

    SHA1

    5d9a2ebdc515d5c75e2328f5c37ef6bcbcd1e320

    SHA256

    4471039e713db2e48a7df2ce12444514a7ef9eef8ae8f1f8996e392008abd334

    SHA512

    1b24403b3ee100f2b647033034847204f2c3b269c0f003adefc748e6b4f5f48ca40aceb4f1bd761c0753685c71b5aa4b49c9553b88ded795821071e33ca56d9a

    Download Submit

  • C:\Program Files (x86)\DuoMi\mfc71.dll
    Filesize

    381KB

    MD5

    7cb12d5d248fee6bd5a90e8ecb3e7c56

    SHA1

    408bfeae622b35daefe504f46218ceb0c0412fbc

    SHA256

    cc3c2392eea952d218bf786613531d3d5f255d99dd2552195fe720174ac2986a

    SHA512

    185ebc3b4b6cd6f2fc5574ec8e1263eca27eab4b28802575d21baf5fdb93e2afe6c9c5d244d9c7a798af811383d63fdc2176dacbe71cd82d09ef2b73163166a3

    Download Submit

  • C:\Program Files (x86)\DuoMi\msvcr71.dll
    Filesize

    340KB

    MD5

    86f1895ae8c5e8b17d99ece768a70732

    SHA1

    d5502a1d00787d68f548ddeebbde1eca5e2b38ca

    SHA256

    8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

    SHA512

    3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

    Download Submit

  • C:\Program Files (x86)\DuoMi\resource\mp3.ico
    Filesize

    25KB

    MD5

    758dad3b00dd72c0853ce77643eeb69d

    SHA1

    b159453a2768d35b959edda5aa0ac2d441d92880

    SHA256

    615ffa8f56d7eb49d6fda62c6bd0c54bb0ef8b9258409d77186dcbe5c9b30a8b

    SHA512

    3e0d80018e9842fc24389a2a1a848bc1ab2eba4f412216196d24b54f2cf5944efac0929e91cb9c03d3f8f1e0452a6ad3ff9c2e272ad918c578c743ca0041ae7f

    Download Submit

  • C:\Program Files (x86)\DuoMi\resource\rmvb.ico
    Filesize

    25KB

    MD5

    828586045f88de07f3f0c66baacca604

    SHA1

    6b60a06fa74b8446dd1064f3966636fd9f11765f

    SHA256

    915e7c73162ef50df387f3246f4abc3ed3c6a3e4fe268e2463d9ef22d94b633b

    SHA512

    3504ef82521d240425cb2cd5c9d26debe2c980487cd024ebbcda028f7db99faf726bfeedac4d647c55d5e09395a4ac46e41010e11b1d55f05d1c2b7b44b118fd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsr56CD.tmp\System.dll
    Filesize

    11KB

    MD5

    00a0194c20ee912257df53bfe258ee4a

    SHA1

    d7b4e319bc5119024690dc8230b9cc919b1b86b2

    SHA256

    dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

    SHA512

    3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsr56CD.tmp\rfshdktp.dll
    Filesize

    2KB

    MD5

    9410591a148871a6d0629cf25b94526f

    SHA1

    be1e8b0fe8327f185136a0d2460a68f720484535

    SHA256

    acc76e81f71e7f2ba58c36d678bc9ae4705e0187a3cdfa6d0025190467d9c0c7

    SHA512

    465d3e418e769b907262e07cbca3d2c5132bf328431d456be09c059821be20a6d30106562d7ef0bfa93ca219b2abe57ee891d937419fc4b8840987b184b45df0

    Download Submit

  • memory/2648-403-0x0000000000500000-0x000000000050D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2648-404-0x0000000002190000-0x00000000021CA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3320-316-0x0000000000A50000-0x0000000000AF7000-memory.dmp

    Filesize

    668KB

    Download

  • memory/3320-384-0x0000000008200000-0x000000000827A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/3320-396-0x0000000008580000-0x0000000008597000-memory.dmp

    Filesize

    92KB

    Download

  • memory/3320-437-0x0000000000A50000-0x0000000000AF7000-memory.dmp

    Filesize

    668KB

    Download

  • memory/3320-296-0x0000000000A50000-0x0000000000AF7000-memory.dmp

    Filesize

    668KB

    Download

  • memory/3320-394-0x0000000008060000-0x000000000806D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/3320-390-0x0000000008180000-0x000000000819C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3320-332-0x0000000005B50000-0x0000000005B6E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3320-387-0x0000000008280000-0x000000000836E000-memory.dmp

    Filesize

    952KB

    Download

  • memory/3320-392-0x00000000081A0000-0x00000000081D7000-memory.dmp

    Filesize

    220KB

    Download

  • memory/3320-381-0x00000000075C0000-0x000000000761D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/3320-336-0x0000000005B70000-0x0000000005BA2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/3320-346-0x00000000073F0000-0x0000000007416000-memory.dmp

    Filesize

    152KB

    Download

  • memory/3320-341-0x00000000073B0000-0x00000000073ED000-memory.dmp

    Filesize

    244KB

    Download

  • memory/3320-431-0x00000000025A0000-0x00000000029D3000-memory.dmp

    Filesize

    4.2MB

    Download

  • memory/3868-38-0x0000000003060000-0x0000000003071000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4872-322-0x0000000002070000-0x00000000020A2000-memory.dmp

    Filesize

    200KB

    Download