Analysis
- max time kernel: 46s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/01/2024, 10:00
Static task: static1
Behavioral task: behavioral1
- Sample: 3c8f6d0c77309ecced7ae3efd472eb4a.dll
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 3c8f6d0c77309ecced7ae3efd472eb4a.dll
- Resource: win10v2004-20231222-en
General
- Target: 3c8f6d0c77309ecced7ae3efd472eb4a.dll
- Size: 33KB
- MD5: 3c8f6d0c77309ecced7ae3efd472eb4a
- SHA1: 32d589ad80fd6a6c850d82101a48064309f122bc
- SHA256: edfb4dbba9dfcc35942031468815f604d0a04ded79b0872f14aff6f51faed43e
- SHA512: e0c9ee36f7d894c3100a137400d7e5d43dde7907714994981828c849a8438164499da81770bd41f93c967a664aee4b33011ea386cd36295d558f696efdbf64ec
- SSDEEP: 768:EReSZXXIvhzkZW4dyJ56ShX895UAJZNvxwA9vuJ:ERD4v2dyJ5lsUAJZNvx19vi
Malware Config
Signatures
- Loads dropped DLL (3 IoCs)
  pid / Process:
  - 1976 rundll32.exe
  - 1976 rundll32.exe
  - 3652 rundll32.exe
  resource / yara_rule:
  - behavioral2/memory/1976-4-0x0000000010000000-0x0000000010014000-memory.dmp: upx
  - behavioral2/memory/1976-13-0x00000000009D0000-0x00000000009E4000-memory.dmp: upx
- Adds Run key to start application (2 TTPs, 1 IoC)
  description / ioc / Process:
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSServer = "rundll32.exe C:\\Windows\\system32\\fcccbcaB.dll,#1" (rundll32.exe)
- Drops file in System32 directory (2 IoCs)
  description / ioc / Process:
  - File created: C:\Windows\SysWOW64\fcccbcaB.dll (rundll32.exe)
  - File opened for modification: C:\Windows\SysWOW64\fcccbcaB.dll (rundll32.exe)
- Modifies registry class (4 IoCs)
  description / ioc / Process:
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31CDFCB9-37D6-4C1D-A31D-AA2DD56F637B} (rundll32.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31CDFCB9-37D6-4C1D-A31D-AA2DD56F637B}\InprocServer32 (rundll32.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31CDFCB9-37D6-4C1D-A31D-AA2DD56F637B}\InprocServer32\ = "C:\\Windows\\SysWow64\\fcccbcaB.dll" (rundll32.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31CDFCB9-37D6-4C1D-A31D-AA2DD56F637B}\InprocServer32\ThreadingModel = "Both" (rundll32.exe)
- Suspicious behavior: EnumeratesProcesses (34 IoCs)
  pid / Process:
  - 1976 rundll32.exe (2 entries)
  - 3652 rundll32.exe (32 entries)
- Suspicious behavior: RenamesItself (1 IoC)
  pid / Process:
  - 1976 rundll32.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description / pid / Process:
  - Token: SeDebugPrivilege, 1976 rundll32.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid / Process:
  - 1976 rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description / pid / Process / procid_target:
  - PID 2412 wrote to memory of 1976, 2412 rundll32.exe, target 14
  - PID 2412 wrote to memory of 1976, 2412 rundll32.exe, target 14
  - PID 2412 wrote to memory of 1976, 2412 rundll32.exe, target 14
  - PID 1976 wrote to memory of 616, 1976 rundll32.exe, target 3
  - PID 1976 wrote to memory of 3652, 1976 rundll32.exe, target 102
  - PID 1976 wrote to memory of 3652, 1976 rundll32.exe, target 102
  - PID 1976 wrote to memory of 3652, 1976 rundll32.exe, target 102
Processes
- C:\Windows\system32\winlogon.exe (command line: winlogon.exe), depth 1, PID:616
- C:\Windows\SysWOW64\rundll32.exe (command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c8f6d0c77309ecced7ae3efd472eb4a.dll,#1), depth 1, PID:1976
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (command line: rundll32.exe C:\Windows\system32\fcccbcaB.dll,a), depth 2, PID:3652
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\rundll32.exe (command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c8f6d0c77309ecced7ae3efd472eb4a.dll,#1), depth 1, PID:2412
  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 33KB
  MD5: 3c8f6d0c77309ecced7ae3efd472eb4a
  SHA1: 32d589ad80fd6a6c850d82101a48064309f122bc
  SHA256: edfb4dbba9dfcc35942031468815f604d0a04ded79b0872f14aff6f51faed43e
  SHA512: e0c9ee36f7d894c3100a137400d7e5d43dde7907714994981828c849a8438164499da81770bd41f93c967a664aee4b33011ea386cd36295d558f696efdbf64ec
- Filesize: 1KB
  MD5: 1c883f7d24ab11e1508acbc85a464950
  SHA1: 297080af9696b00b0d8bdb6958110ef53d4e8643
  SHA256: 86f01c2164fc3c46081fa6be865417afee592a31343018f4dfb0fb8c97e542d3
  SHA512: 737cc33ceba82543646642b7bfba138420166d7ce55f8c354e503f7e8a15829ff428dc0eafb5649213721b81633fbda67eff06c070b23966c73bb260ca6511b2