Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

3c8f6d0c77...4a.dll

windows7-x64

1

3c8f6d0c77...4a.dll

windows10-2004-x64

7

Analysis

  • max time kernel
    46s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/01/2024, 10:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3c8f6d0c77309ecced7ae3efd472eb4a.dll

  • Size

    33KB

  • MD5

    3c8f6d0c77309ecced7ae3efd472eb4a

  • SHA1

    32d589ad80fd6a6c850d82101a48064309f122bc

  • SHA256

    edfb4dbba9dfcc35942031468815f604d0a04ded79b0872f14aff6f51faed43e

  • SHA512

    e0c9ee36f7d894c3100a137400d7e5d43dde7907714994981828c849a8438164499da81770bd41f93c967a664aee4b33011ea386cd36295d558f696efdbf64ec

  • SSDEEP

    768:EReSZXXIvhzkZW4dyJ56ShX895UAJZNvxwA9vuJ:ERD4v2dyJ5lsUAJZNvx19vi

Score
7/10
persistenceupx

Malware Config

Signatures

  • Loads dropped DLL 3 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:616
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c8f6d0c77309ecced7ae3efd472eb4a.dll,#1
      1⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1976
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe C:\Windows\system32\fcccbcaB.dll,a
        2⤵
        • Loads dropped DLL
        • Adds Run key to start application
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        PID:3652
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c8f6d0c77309ecced7ae3efd472eb4a.dll,#1
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2412

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\fcccbcaB.dll
      Filesize

      33KB

      MD5

      3c8f6d0c77309ecced7ae3efd472eb4a

      SHA1

      32d589ad80fd6a6c850d82101a48064309f122bc

      SHA256

      edfb4dbba9dfcc35942031468815f604d0a04ded79b0872f14aff6f51faed43e

      SHA512

      e0c9ee36f7d894c3100a137400d7e5d43dde7907714994981828c849a8438164499da81770bd41f93c967a664aee4b33011ea386cd36295d558f696efdbf64ec

      Download Submit

    • C:\Windows\SysWOW64\fcccbcaB.dll
      Filesize

      1KB

      MD5

      1c883f7d24ab11e1508acbc85a464950

      SHA1

      297080af9696b00b0d8bdb6958110ef53d4e8643

      SHA256

      86f01c2164fc3c46081fa6be865417afee592a31343018f4dfb0fb8c97e542d3

      SHA512

      737cc33ceba82543646642b7bfba138420166d7ce55f8c354e503f7e8a15829ff428dc0eafb5649213721b81633fbda67eff06c070b23966c73bb260ca6511b2

      Download Submit

    • memory/1976-2-0x0000000010000000-0x0000000010014000-memory.dmp

      Filesize

      80KB

      Download

    • memory/1976-3-0x0000000000890000-0x0000000000896000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1976-0-0x0000000010000000-0x0000000010014000-memory.dmp

      Filesize

      80KB

      Download

    • memory/1976-4-0x0000000010000000-0x0000000010014000-memory.dmp

      Filesize

      80KB

      Download

    • memory/1976-13-0x00000000009D0000-0x00000000009E4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/3652-23-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3652-22-0x0000000010000000-0x0000000010014000-memory.dmp

      Filesize

      80KB

      Download

    • memory/3652-24-0x0000000010000000-0x0000000010014000-memory.dmp

      Filesize

      80KB

      Download