Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/01/2024, 18:39
Static task: static1
Behavioral task: behavioral1
  Sample: 7539b7c60f36f8827b19b2334ce26f3f.dll
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 7539b7c60f36f8827b19b2334ce26f3f.dll
  Resource: win10v2004-20231215-en
General
Target: 7539b7c60f36f8827b19b2334ce26f3f.dll
Size: 36KB
MD5: 7539b7c60f36f8827b19b2334ce26f3f
SHA1: 418b82cccc4ad6fdfdb293177ef058769be1be41
SHA256: 8114ae7a0547da7b58adc3bd870b07cdd95646d4693c14984fffe1d1d8a9eabf
SHA512: 0c0b8f8915678edc237c4f7970cb88c7a436c425b9354bded449dbd6ef11f713fd290f7efa77afebeebf39d92261e95d960e8fb6affdaa03671bd9bcc04f6800
SSDEEP: 768:7862HBRoQO8sNMor19b9qAWQo31NwvfK4tErbT/j0/F:A908syO+Qo31Ng5tErj0/F
Malware Config
Signatures
All signature hits below come from the behavioral2 task (win10v2004-20231215-en); the memory-dump paths are prefixed behavioral2/.

Loads dropped DLL (3 IoCs)
  pid   process
  2936  rundll32.exe
  2936  rundll32.exe
  4068  rundll32.exe

YARA rule matches (rule: upx) on memory dumps of the two SysWOW64 rundll32.exe processes (7 matches)
  behavioral2/memory/2936-1-0x0000000010000000-0x000000001001B000-memory.dmp
  behavioral2/memory/2936-0-0x0000000010000000-0x000000001001B000-memory.dmp
  behavioral2/memory/2936-2-0x0000000010000000-0x000000001001B000-memory.dmp
  behavioral2/memory/2936-4-0x0000000010000000-0x000000001001B000-memory.dmp
  behavioral2/memory/2936-13-0x0000000000AF0000-0x0000000000B0B000-memory.dmp
  behavioral2/memory/4068-22-0x0000000010000000-0x000000001001B000-memory.dmp
  behavioral2/memory/4068-24-0x0000000010000000-0x000000001001B000-memory.dmp
  0x10000000 is the default image base of a 32-bit DLL, and the same 0x1B000-byte mapping appears in both PID 2936 (original sample) and PID 4068 (dropped copy). The mapped size (108 KB) is about three times the 36KB on disk, consistent with a UPX-packed image expanding in memory.

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by rundll32.exe:
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSServer = "rundll32.exe C:\\Windows\\system32\\iiffGYqR.dll,#1"
  The value names C:\Windows\system32, but the writer and the rundll32.exe that later executes this command are 32-bit, so WOW64 file-system redirection resolves that path to C:\Windows\SysWOW64, where the file is actually dropped (next signature). Host checks for this persistence must look at both the WOW6432Node Run key and the SysWOW64 copy of the DLL.

Drops file in System32 directory (2 IoCs)
  File created by rundll32.exe: C:\Windows\SysWOW64\iiffGYqR.dll
  File opened for modification by rundll32.exe: C:\Windows\SysWOW64\iiffGYqR.dll

Modifies registry class (4 IoCs), all by rundll32.exe
  Key created:     \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
  Key created:     \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\ThreadingModel = "Both"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\ = "C:\\Windows\\SysWow64\\iiffGYqR.dll"
  This registers the dropped DLL as the in-process COM server for that CLSID, so any 32-bit client that activates the CLSID loads the DLL. It is a second load path, independent of the Run key.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   process       count
  2936  rundll32.exe  2
  4068  rundll32.exe  62

Suspicious behavior: RenamesItself (1 IoC)
  2936  rundll32.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  2936  rundll32.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  2936  rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                       pid   process       procid_target  count
  PID 3940 wrote to memory of 2936  3940  rundll32.exe  18             3
  PID 2936 wrote to memory of 624   2936  rundll32.exe  85             1
  PID 2936 wrote to memory of 4068  2936  rundll32.exe  99             3
  The 3940 -> 2936 and 2936 -> 4068 writes are from a parent into a child it spawned (see the process tree). The 2936 -> 624 write targets winlogon.exe, a process rundll32.exe did not create; together with SeDebugPrivilege and SetWindowsHookEx from the same PID, that is the entry to pull memory and thread telemetry for.
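The registry, file and process IoCs above can be turned into host-telemetry detection logic. The Python below is an added example written for this page; it is not part of the tria.ge report and not code from the sample. It assumes Sysmon-shaped telemetry (EventID 1 ProcessCreate, 11 FileCreate, 13 RegistryValueSet, 10 ProcessAccess with a GrantedAccess mask), the event records are constructed to mirror this report rather than captured, and the rule names are my own labels. It deliberately accepts both WOW64 spellings of the dropped DLL's path, since the Run value says system32 while the file lives in SysWOW64, and it includes a benign rundll32.exe invocation as a control.

```python
"""Detection logic for the persistence and injection IoCs in this report.

Added example, not part of the tria.ge report or of the sample. Telemetry is
assumed to be Sysmon-shaped (EventID 1 ProcessCreate, 11 FileCreate,
13 RegistryValueSet, 10 ProcessAccess); SAMPLE_EVENTS is constructed, not captured.
"""
import ntpath
import re

# IoCs taken from the report
DROPPED_DLL = "iiffGYqR.dll"
RUN_VALUE_NAME = "MSServer"
CLSID = "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"

# WOW64 file-system redirection: a 32-bit process that writes to
# C:\Windows\system32 actually writes to C:\Windows\SysWOW64, so the Run value's
# system32 path and the FileCreate's SysWOW64 path refer to the same file.
SYSTEM32 = r"c:\windows\system32"
SYSWOW64 = r"c:\windows\syswow64"

PROCESS_VM_OPERATION = 0x0008  # access rights WriteProcessMemory needs
PROCESS_VM_WRITE = 0x0020

# rundll32.exe <dll>,#<ordinal>  or  rundll32.exe <dll>,<export>
RUNDLL_RE = re.compile(re.escape(DROPPED_DLL) + r",(#\d+|[A-Za-z_]\w*)", re.IGNORECASE)


def _base(path):
    return ntpath.basename(path).lower()


def _dir(path):
    return ntpath.dirname(path).lower()


def wow64_candidates(path):
    """Both on-disk locations a system32 path can resolve to for a 32-bit process."""
    d, b = ntpath.split(path)
    if d.lower() == SYSTEM32:
        return {path, ntpath.join(r"C:\Windows\SysWOW64", b)}
    return {path}


def is_dropped_dll_in_system_dir(path):
    return _base(path) == DROPPED_DLL.lower() and _dir(path) in (SYSTEM32, SYSWOW64)


def classify_event(ev):
    """Return the rule names (my own labels) that a single event triggers."""
    hits = []
    eid = ev.get("EventID")
    if eid == 11 and is_dropped_dll_in_system_dir(ev.get("TargetFilename", "")):
        hits.append("drops_dll_in_system_dir")
    if eid == 13:
        key = ev.get("TargetObject", "").lower()
        details = ev.get("Details", "")
        in_run_key = key.endswith("\\currentversion\\run\\" + RUN_VALUE_NAME.lower())
        if in_run_key and "rundll32" in details.lower() and DROPPED_DLL.lower() in details.lower():
            hits.append("run_key_persistence")
        if CLSID.lower() in key and "\\inprocserver32" in key and _base(details) == DROPPED_DLL.lower():
            hits.append("com_inprocserver32_registration")
    if eid == 1 and _base(ev.get("Image", "")) == "rundll32.exe" and RUNDLL_RE.search(ev.get("CommandLine", "")):
        hits.append("rundll32_executes_dropped_dll")
    if eid == 10 and _base(ev.get("SourceImage", "")) == "rundll32.exe" and _base(ev.get("TargetImage", "")) == "winlogon.exe":
        if int(ev.get("GrantedAccess", "0"), 16) & (PROCESS_VM_OPERATION | PROCESS_VM_WRITE):
            hits.append("rundll32_writes_winlogon_memory")
    return hits


def detect(events):
    """(event index, rule name) for every rule hit, in event order."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify_event(ev)]


# Constructed events mirroring the report's process tree and IoCs (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\rundll32.exe", "ParentImage": r"C:\Windows\system32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\7539b7c60f36f8827b19b2334ce26f3f.dll,#1"},
    {"EventID": 11, "Image": r"C:\Windows\SysWOW64\rundll32.exe", "TargetFilename": r"C:\Windows\SysWOW64\iiffGYqR.dll"},
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSServer",
     "Details": r"rundll32.exe C:\Windows\system32\iiffGYqR.dll,#1"},
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\ThreadingModel",
     "Details": "Both"},
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\(Default)",
     "Details": r"C:\Windows\SysWow64\iiffGYqR.dll"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\rundll32.exe", "ParentImage": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\system32\iiffGYqR.dll,a"},
    {"EventID": 10, "SourceImage": r"C:\Windows\SysWOW64\rundll32.exe",
     "TargetImage": r"C:\Windows\system32\winlogon.exe", "GrantedAccess": "0x1FFFFF"},
    # benign control: rundll32.exe invoking a legitimate shell32 export
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The ThreadingModel write (event 3) and the benign rundll32.exe control (event 7) produce no hits; the FileCreate, the Run value, the InprocServer32 default value, the execution of the dropped DLL through export a, and the write-capable handle to winlogon.exe each produce one. On a live host, `wow64_candidates` gives the two paths to check for the file named in the Run value.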
Processes
- C:\Windows\system32\rundll32.exe (PID 3940)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7539b7c60f36f8827b19b2334ce26f3f.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2936)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7539b7c60f36f8827b19b2334ce26f3f.dll,#1
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 4068)
      command line: rundll32.exe C:\Windows\system32\iiffGYqR.dll,a
      - Loads dropped DLL
      - Adds Run key to start application
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\winlogon.exe (PID 624)
  command line: winlogon.exe

The sample is a 32-bit DLL: the 64-bit rundll32.exe in system32 (PID 3940) started by the sandbox hands it off to the 32-bit copy in SysWOW64 (PID 2936), which is where all of the behaviour occurs. The original sample is entered through ordinal export #1; the dropped copy is entered through the named export a, and that process (PID 4068) is the one that writes the Run key and the CLSID registration. winlogon.exe (PID 624) is not a child of the sample; it appears in the tree only because PID 2936 wrote to its memory.
Network
MITRE ATT&CK Enterprise v15