Analysis
- max time kernel: 143s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/01/2024, 03:48
Static task: static1
Behavioral task: behavioral1
- Sample: 5c0e7f727e34fa05c53079d6c627ec4b.dll
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 5c0e7f727e34fa05c53079d6c627ec4b.dll
- Resource: win10v2004-20231222-en
(All signatures and memory dumps on this page come from behavioral2, the windows10-2004_x64 run.)
General
- Target: 5c0e7f727e34fa05c53079d6c627ec4b.dll
- Size: 40KB
- MD5: 5c0e7f727e34fa05c53079d6c627ec4b
- SHA1: ff9b5befa708f7b7787266c5e8c675a837351ff4
- SHA256: 73b73575c956610488e0c2b9c5676c2fd27e37a0b0519b6ae29fd09c72e3a8ab
- SHA512: 24ea894b3b8b00265d9f1018f4924e1b6aa7715f0bd7763515a469c6c571b3f7037fa2a2669d2b1e73264f63dbe83dc5f64e8252598b86afb13dc9b2e99801b8
- SSDEEP: 768:v5YiE+jL/zq8AjxiH/TCqUXWx3qylsVsQ4XrKjgbqJYf1U:vdE+PIMHG1XYHGWpmjeE3
Malware Config
Signatures
- Loads dropped DLL (3 IoCs)
  pid   Process
  1732  rundll32.exe
  1732  rundll32.exe
  5356  rundll32.exe

  resource (memory dump)                                                        yara_rule
  behavioral2/memory/1732-1-0x0000000010000000-0x0000000010014000-memory.dmp    upx
  behavioral2/memory/1732-3-0x0000000010000000-0x0000000010014000-memory.dmp    upx
  behavioral2/memory/1732-0-0x0000000010000000-0x0000000010014000-memory.dmp    upx
  behavioral2/memory/1732-4-0x0000000010000000-0x0000000010014000-memory.dmp    upx
  behavioral2/memory/1732-14-0x0000000000B20000-0x0000000000B34000-memory.dmp   upx
  behavioral2/memory/5356-23-0x0000000010000000-0x0000000010014000-memory.dmp   upx
  behavioral2/memory/5356-24-0x0000000010000000-0x0000000010014000-memory.dmp   upx
  behavioral2/memory/5356-25-0x0000000010000000-0x0000000010014000-memory.dmp   upx
  Every dump that hit the upx rule is a 0x14000-byte (80 KB) image mapped at the 0x10000000 default base of a 32-bit DLL, larger than the 40 KB file on disk, which is consistent with a UPX-packed DLL that has been unpacked in memory. For static analysis, carve the unpacked image from one of these dumps rather than working from the packed file.

- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSServer = "rundll32.exe C:\\Windows\\system32\\wvUoLcyA.dll,#1"  (rundll32.exe)
  The value names C:\Windows\system32, but the writer is the 32-bit rundll32.exe from SysWOW64 (PID 5356 in the process tree), so the registry write lands in the WOW6432Node view and a system32 file path from that process is redirected by WOW64 to C:\Windows\SysWOW64, which is where the "Drops file in System32 directory" signature actually records the file. When hunting for this persistence, query both registry views and both directories.

- Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\SysWOW64\wvUoLcyA.dll  (rundll32.exe)
  File opened for modification: C:\Windows\SysWOW64\wvUoLcyA.dll  (rundll32.exe)

- Modifies registry class (4 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA1EDBD4-8003-4BBC-A1F1-E93A0FAC31BB}  (rundll32.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA1EDBD4-8003-4BBC-A1F1-E93A0FAC31BB}\InprocServer32  (rundll32.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA1EDBD4-8003-4BBC-A1F1-E93A0FAC31BB}\InprocServer32\ = "C:\\Windows\\SysWow64\\wvUoLcyA.dll"  (rundll32.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA1EDBD4-8003-4BBC-A1F1-E93A0FAC31BB}\InprocServer32\ThreadingModel = "Both"  (rundll32.exe)
  This registers the dropped DLL as an in-process COM server in the 32-bit class view: any 32-bit client that instantiates this CLSID loads wvUoLcyA.dll into its own address space. Unlike the Run value, the InprocServer32 default value spells out the SysWow64 path explicitly.

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  1732  rundll32.exe  (2 entries)
  5356  rundll32.exe  (all remaining entries; 64 IoCs in total)

- Suspicious behavior: RenamesItself (1 IoC)
  pid 1732  rundll32.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  pid 1732  rundll32.exe

- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 1732  rundll32.exe

- Suspicious use of WriteProcessMemory (7 IoCs)
  description                        pid   Process       procid_target
  PID 1636 wrote to memory of 1732   1636  rundll32.exe  35
  PID 1636 wrote to memory of 1732   1636  rundll32.exe  35
  PID 1636 wrote to memory of 1732   1636  rundll32.exe  35
  PID 1732 wrote to memory of 608    1732  rundll32.exe  87
  PID 1732 wrote to memory of 5356   1732  rundll32.exe  101
  PID 1732 wrote to memory of 5356   1732  rundll32.exe  101
  PID 1732 wrote to memory of 5356   1732  rundll32.exe  101
  The writes from a parent into a child it has just created (1636 into 1732, 1732 into 5356) are typical of process creation in these reports and do not by themselves indicate injection. The entry to watch is 1732 writing into PID 608, which the process tree identifies as winlogon.exe, a process it did not create. Combined with SeDebugPrivilege being enabled and SetWindowsHookEx being called from the same PID, this points to injection into a privileged system process; treat the host as fully compromised rather than only removing the dropped file and the two registry entries.
Processes
(Indentation shows parent/child depth. In the raw page the depth marker was fused onto the end of each command line, e.g. ",#11" is export ordinal #1 at depth 1.)
- C:\Windows\system32\rundll32.exe  (PID 1636)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c0e7f727e34fa05c53079d6c627ec4b.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe  (PID 1732)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c0e7f727e34fa05c53079d6c627ec4b.dll,#1
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe  (PID 5356)
      command line: rundll32.exe C:\Windows\system32\wvUoLcyA.dll,a
      - Loads dropped DLL
      - Adds Run key to start application
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\winlogon.exe  (PID 608)
The 64-bit rundll32.exe launched by the sandbox (PID 1636) hands off to the SysWOW64 build because the sample is a 32-bit DLL; everything of interest happens in the two 32-bit instances. Note the two different entry points: the submitted sample is invoked by ordinal (#1), while the dropped copy wvUoLcyA.dll is invoked through its named export a. winlogon.exe (PID 608) appears in the tree only because PID 1732 wrote into its memory, not because it was spawned by the sample.
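The following host-triage script is an added example for readers of this report; it is not part of the tria.ge page or of the sample. It checks a Windows host for the artifacts listed above (the dropped DLL, the WOW6432Node Run value, the CLSID registration and any live rundll32.exe still hosting the DLL). The file path, registry keys, value name and CLSID are copied from the report; the SHA256 is the submitted sample's, because the report does not give a hash for the dropped file, so the script only reports whether the file on disk is a byte-for-byte copy of the sample and otherwise records the hash it found. Run it from an elevated 64-bit PowerShell so that the WOW6432Node keys are read as written.

```powershell
# Added triage script (not from the tria.ge report). Assumptions: the artifact
# names below are taken verbatim from the report; the dropped DLL's own hash is
# not in the report, so it is only compared against the submitted sample's SHA256.

$DropPath     = 'C:\Windows\SysWOW64\wvUoLcyA.dll'
$SampleSha256 = '73b73575c956610488e0c2b9c5676c2fd27e37a0b0519b6ae29fd09c72e3a8ab'
$RunKey       = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
$RunValue     = 'MSServer'
$ClsidKey     = 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID\{FA1EDBD4-8003-4BBC-A1F1-E93A0FAC31BB}\InprocServer32'

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Artifact, [string]$Location, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Artifact = $Artifact; Location = $Location; Detail = $Detail })
}

# 1. Dropped DLL. The Run value says "system32", but the 32-bit writer was
#    redirected by WOW64, so the real file lives in SysWOW64 as the report shows.
if (Test-Path -LiteralPath $DropPath) {
    $hash = (Get-FileHash -LiteralPath $DropPath -Algorithm SHA256).Hash
    $detail = if ($hash -eq $SampleSha256) { 'SHA256 matches the submitted sample' }
              else { "SHA256 $hash (not identical to the submitted sample; acquire and analyse)" }
    Add-Finding 'Dropped DLL' $DropPath $detail
}

# 2. Run value in the 32-bit (WOW6432Node) view of HKLM\SOFTWARE.
$run = Get-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue
if ($null -ne $run) {
    Add-Finding 'Run key' "$RunKey\$RunValue" $run.$RunValue
}

# 3. COM in-process server registration pointing at the dropped DLL.
if (Test-Path -LiteralPath $ClsidKey) {
    $props = Get-ItemProperty -LiteralPath $ClsidKey
    Add-Finding 'CLSID InprocServer32' $ClsidKey ('{0} (ThreadingModel={1})' -f $props.'(default)', $props.ThreadingModel)
}

# 4. Live rundll32.exe instances whose command line references the dropped DLL.
Get-CimInstance -ClassName Win32_Process -Filter "Name = 'rundll32.exe'" |
    Where-Object { $_.CommandLine -match 'wvUoLcyA\.dll' } |
    ForEach-Object { Add-Finding 'Running process' "PID $($_.ProcessId)" $_.CommandLine }

if ($findings.Count -eq 0) {
    Write-Output 'No artifacts from this report were found on this host.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A clean result from this script only means the file and registry artifacts are absent. It cannot see whatever PID 1732 wrote into winlogon.exe, so on a host where any of these artifacts is present, capture memory before remediation and do not treat deleting the DLL and the two registry entries as sufficient.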
Network
MITRE ATT&CK Enterprise v15
Downloads
- Submitted sample (hashes identical to the Target listed under General)
  Filesize: 40KB
  MD5: 5c0e7f727e34fa05c53079d6c627ec4b
  SHA1: ff9b5befa708f7b7787266c5e8c675a837351ff4
  SHA256: 73b73575c956610488e0c2b9c5676c2fd27e37a0b0519b6ae29fd09c72e3a8ab
  SHA512: 24ea894b3b8b00265d9f1018f4924e1b6aa7715f0bd7763515a469c6c571b3f7037fa2a2669d2b1e73264f63dbe83dc5f64e8252598b86afb13dc9b2e99801b8