Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
30/12/2023, 20:28 UTC
Behavioral task
behavioral1
Sample
1bd80fc494ee1490467b5e0cb9743d92.dll
Resource
win7-20231215-en
3 signatures
150 seconds
General
-
Target
1bd80fc494ee1490467b5e0cb9743d92.dll
-
Size
7KB
-
MD5
1bd80fc494ee1490467b5e0cb9743d92
-
SHA1
f4d2fea98a83c356d29330be9f05d802c88931a4
-
SHA256
8621da0999f3e2606af2c2dbd611826617027de4320cccef89ff59c71183560a
-
SHA512
d94d6cb96c0c0332ab3cb9807ed120ebc617929c385b346188eac1c45386df5b21a6c5c7172a1bcd3c2887b058c833cc20656542975629ea7512a54c41eb2806
-
SSDEEP
96:JyFsHMdvdKKUZwiIvu/Ces8oeO7OlLtMHBy8wmZePJ6F6y7K1JrCGYD2pGXGC:I1l4iOs8oeOylhMkMT7KHFYypDC
Malware Config
Signatures
-
resource yara_rule behavioral2/memory/3908-0-0x0000000010000000-0x0000000010009000-memory.dmp upx -
Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C109800-A5D5-438F-9640-18D17E168B88} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C109800-A5D5-438F-9640-18D17E168B88}\ regsvr32.exe -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{7C109800-A5D5-438F-9640-18D17E168B88} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C109800-A5D5-438F-9640-18D17E168B88}\xxx = "xxx" regsvr32.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{7C109800-A5D5-438F-9640-18D17E168B88}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C109800-A5D5-438F-9640-18D17E168B88}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1bd80fc494ee1490467b5e0cb9743d92.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C109800-A5D5-438F-9640-18D17E168B88}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1836 wrote to memory of 3908 1836 regsvr32.exe 48 PID 1836 wrote to memory of 3908 1836 regsvr32.exe 48 PID 1836 wrote to memory of 3908 1836 regsvr32.exe 48
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\1bd80fc494ee1490467b5e0cb9743d92.dll1⤵
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\1bd80fc494ee1490467b5e0cb9743d92.dll2⤵
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:3908
-
Network
-
Remote address:8.8.8.8:53Request59.128.231.4.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request19.53.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request194.178.17.96.in-addr.arpaIN PTRResponse194.178.17.96.in-addr.arpaIN PTRa96-17-178-194deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request194.178.17.96.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request45.19.74.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request241.154.82.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request103.169.127.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request41.110.16.96.in-addr.arpaIN PTRResponse41.110.16.96.in-addr.arpaIN PTRa96-16-110-41deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request56.126.166.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request55.36.223.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request55.36.223.20.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request104.241.123.92.in-addr.arpaIN PTRResponse104.241.123.92.in-addr.arpaIN PTRa92-123-241-104deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request119.110.54.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requesttse1.mm.bing.netIN AResponsetse1.mm.bing.netIN CNAMEmm-mm.bing.net.trafficmanager.netmm-mm.bing.net.trafficmanager.netIN CNAMEdual-a-0001.a-msedge.netdual-a-0001.a-msedge.netIN A204.79.197.200dual-a-0001.a-msedge.netIN A13.107.21.200
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301252_11F00W2XRY0QC5K0X&pid=21.2&w=1920&h=1080&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239317301252_11F00W2XRY0QC5K0X&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 272564
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: FF66442F75134379ACB3DE99D7AB32B9 Ref B: LON04EDGE0620 Ref C: 2024-01-01T04:04:44Z
date: Mon, 01 Jan 2024 04:04:44 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301661_1CZ6A5AROGHUCR9ZX&pid=21.2&w=1080&h=1920&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239317301661_1CZ6A5AROGHUCR9ZX&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 470375
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 0EAD7B6732C84F28A460DE5B943358E7 Ref B: LON04EDGE0620 Ref C: 2024-01-01T04:04:44Z
date: Mon, 01 Jan 2024 04:04:44 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301175_1O75L39KSXK4UQDB6&pid=21.2&w=1920&h=1080&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239317301175_1O75L39KSXK4UQDB6&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 319613
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6F9DF5D2BD8E4D759FF18B2A88F897C3 Ref B: LON04EDGE0620 Ref C: 2024-01-01T04:04:44Z
date: Mon, 01 Jan 2024 04:04:44 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301301_1HNUYFKEUE0HR23I4&pid=21.2&w=1920&h=1080&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239317301301_1HNUYFKEUE0HR23I4&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 515204
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 5B86FEB162F84F97B501A338337E09F9 Ref B: LON04EDGE0620 Ref C: 2024-01-01T04:04:44Z
date: Mon, 01 Jan 2024 04:04:44 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301710_1GM91LO3DFAM6GZ6M&pid=21.2&w=1080&h=1920&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239317301710_1GM91LO3DFAM6GZ6M&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 434017
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D671AD61EBA4470DB2631BB5B72AD5FB Ref B: LON04EDGE0620 Ref C: 2024-01-01T04:04:44Z
date: Mon, 01 Jan 2024 04:04:44 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301584_1KMA1SYJOHONSUVLP&pid=21.2&w=1080&h=1920&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239317301584_1KMA1SYJOHONSUVLP&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
-
Remote address:8.8.8.8:53Request200.197.79.204.in-addr.arpaIN PTRResponse200.197.79.204.in-addr.arpaIN PTRa-0001a-msedgenet
-
Remote address:8.8.8.8:53Request18.134.221.88.in-addr.arpaIN PTRResponse18.134.221.88.in-addr.arpaIN PTRa88-221-134-18deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request0.205.248.87.in-addr.arpaIN PTRResponse0.205.248.87.in-addr.arpaIN PTRhttps-87-248-205-0lgwllnwnet
-
Remote address:8.8.8.8:53Request211.135.221.88.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request18.173.189.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request18.173.189.20.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request18.173.189.20.in-addr.arpaIN PTR
-
46 B 1
-
204.79.197.200:443https://tse1.mm.bing.net/th?id=OADD2.10239317301584_1KMA1SYJOHONSUVLP&pid=21.2&w=1080&h=1920&c=4tls, http259.9kB 1.6MB 1206 1203
HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301252_11F00W2XRY0QC5K0X&pid=21.2&w=1920&h=1080&c=4HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301661_1CZ6A5AROGHUCR9ZX&pid=21.2&w=1080&h=1920&c=4HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301175_1O75L39KSXK4UQDB6&pid=21.2&w=1920&h=1080&c=4HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301301_1HNUYFKEUE0HR23I4&pid=21.2&w=1920&h=1080&c=4HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301710_1GM91LO3DFAM6GZ6M&pid=21.2&w=1080&h=1920&c=4HTTP Response
200HTTP Response
200HTTP Response
200HTTP Response
200HTTP Response
200HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301584_1KMA1SYJOHONSUVLP&pid=21.2&w=1080&h=1920&c=4 -
1.2kB 8.3kB 16 14
-
1.2kB 8.3kB 16 14
-
1.2kB 8.3kB 16 14
-
1.2kB 8.3kB 16 14
-
-
-
-
-
-
-
-
-
-
-
-
-
52 B 1
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
2.1kB 55.9kB 40 40
-
71 B 157 B 1 1
DNS Request
59.128.231.4.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
19.53.126.40.in-addr.arpa
-
144 B 137 B 2 1
DNS Request
194.178.17.96.in-addr.arpa
DNS Request
194.178.17.96.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
70 B 156 B 1 1
DNS Request
45.19.74.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
241.154.82.20.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
103.169.127.40.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
41.110.16.96.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
56.126.166.20.in-addr.arpa
-
142 B 157 B 2 1
DNS Request
55.36.223.20.in-addr.arpa
DNS Request
55.36.223.20.in-addr.arpa
-
73 B 139 B 1 1
DNS Request
104.241.123.92.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
119.110.54.20.in-addr.arpa
-
62 B 173 B 1 1
DNS Request
tse1.mm.bing.net
DNS Response
204.79.197.20013.107.21.200
-
73 B 106 B 1 1
DNS Request
200.197.79.204.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
18.134.221.88.in-addr.arpa
-
71 B 116 B 1 1
DNS Request
0.205.248.87.in-addr.arpa
-
-
-
73 B 1
DNS Request
211.135.221.88.in-addr.arpa
-
-
-
-
216 B 158 B 3 1
DNS Request
18.173.189.20.in-addr.arpa
DNS Request
18.173.189.20.in-addr.arpa
DNS Request
18.173.189.20.in-addr.arpa
-