Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/01/2024, 03:19
Static task: static1
Behavioral task: behavioral1
  Sample: 64556fba96511df8b7449e7247008886.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 64556fba96511df8b7449e7247008886.exe
  Resource: win10v2004-20231215-en
General
- Target: 64556fba96511df8b7449e7247008886.exe
- Size: 34KB
- MD5: 64556fba96511df8b7449e7247008886
- SHA1: fc9c01795b3badc3d9402034609417a4f59c0e9a
- SHA256: 390b1a58816baeddb270bb8f58e42136f1f4cb0636be5fd5c427e30eac59f9eb
- SHA512: d4d2338cda5851ee81547f7fda1e8f32b2e42bec5b7835accba42eeebe3826a1d54b9c0d1bc0492785aca8dda1da89ddb52ed14fa02e8dea8dc4eb1f5f4b5bff
- SSDEEP: 384:Z7MO04loobMxJNlf7HG6t1mC8bMWYtwWCnrm0A9EFqGVlz6b1iFOVCYBJPHS/7SC:n0GofNd7XHmC8lpQn+Xy1yOgaH1d0WB
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  pid   Process
  2240  rundll32.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  2240  rundll32.exe
  2240  rundll32.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                      Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rzt = "C:\\Windows\\Intel\\rundll32.exe"  64556fba96511df8b7449e7247008886.exe
- Drops file in System32 directory (1 IoCs)
  description   ioc                            Process
  File created  C:\Windows\SysWOW64\ztdll.dll  rundll32.exe
- Drops file in Windows directory (2 IoCs)
  description                   ioc                            Process
  File created                  C:\Windows\Intel\rundll32.exe  64556fba96511df8b7449e7247008886.exe
  File opened for modification  C:\Windows\Intel\rundll32.exe  64556fba96511df8b7449e7247008886.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs; repeated pid/Process entries collapsed to unique pairs)
  pid   Process
  3556  64556fba96511df8b7449e7247008886.exe
  2240  rundll32.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   Process
  2240  rundll32.exe
  2240  rundll32.exe
  2240  rundll32.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process                               procid_target
  PID 3556 wrote to memory of 1460  3556  64556fba96511df8b7449e7247008886.exe  89
  PID 3556 wrote to memory of 1460  3556  64556fba96511df8b7449e7247008886.exe  89
  PID 3556 wrote to memory of 1460  3556  64556fba96511df8b7449e7247008886.exe  89
  PID 3556 wrote to memory of 2240  3556  64556fba96511df8b7449e7247008886.exe  91
  PID 3556 wrote to memory of 2240  3556  64556fba96511df8b7449e7247008886.exe  91
  PID 3556 wrote to memory of 2240  3556  64556fba96511df8b7449e7247008886.exe  91
Processes
- C:\Users\Admin\AppData\Local\Temp\64556fba96511df8b7449e7247008886.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\64556fba96511df8b7449e7247008886.exe"
  PID: 3556
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$c43B0.tmp.bat
    PID: 1460
  - C:\Windows\Intel\rundll32.exe (level 2)
    command line: C:\Windows\Intel\rundll32.exe
    PID: 2240
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 233B
  MD5: f5085936841d5d6db1156f765f5ce202
  SHA1: 439bd78a1ec6cd1f5a609dbc2a1a329329d87f9c
  SHA256: 8f1cf3ed53ad04bd535a819d84396b30da2a2d1af03481dfd7127036efe51da3
  SHA512: 45d3e46a02fa1276d733c25858ac77aab38d1a820100849eb6c4c3ce46842aeaeb85787689a9b19680d6037d8ca97e350c7668212dc856bbb4c99b8b73055f11
- Filesize: 34KB
  MD5: 64556fba96511df8b7449e7247008886
  SHA1: fc9c01795b3badc3d9402034609417a4f59c0e9a
  SHA256: 390b1a58816baeddb270bb8f58e42136f1f4cb0636be5fd5c427e30eac59f9eb
  SHA512: d4d2338cda5851ee81547f7fda1e8f32b2e42bec5b7835accba42eeebe3826a1d54b9c0d1bc0492785aca8dda1da89ddb52ed14fa02e8dea8dc4eb1f5f4b5bff
- Filesize: 42KB
  MD5: 08ff261f78012e5e7e8141f754ad10cc
  SHA1: 7fe186485e0f0193494c315e2ca0979a8a6ae069
  SHA256: edec8b512da71e0ba3ec0404b795cbcb7f674ebd0b820590be77c1cbf1c745c3
  SHA512: 12e58e12a1248c363ae45c78ff2146dfb9b6dbc8022e456b87da35534052ffb14536a751ea78e5f14eec0f461a7bfa90284a8345265cad8f16f87ebe27283283