Analysis
max time kernel: 151s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/02/2024, 16:12
Static task: static1
Behavioral task: behavioral1
  Sample: VirusShare_849c748f9a37d4125779f6b31435d220.dll
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: VirusShare_849c748f9a37d4125779f6b31435d220.dll
  Resource: win10v2004-20231215-en
General
Target: VirusShare_849c748f9a37d4125779f6b31435d220.dll
Size: 156KB
MD5: 849c748f9a37d4125779f6b31435d220
SHA1: ab26f79f3726b2a066f73f2711d8362486ff93ce
SHA256: a7d1e0426d5ec9205c571cbafa558475f0a8fb701500a1353fd8fd5ad5a91c89
SHA512: 131d7c664211b581d061005ad6686e4dd2191727ced66b371dbc34895f2f426bc57d93c97da2ed39bd47b00154c96827d7d4868001a62e7f1027d0aea621468c
SSDEEP: 3072:NLkD7BY9kS2O0to3IzwtVgHtWt8PgIJY7Ctp:NLS7BCk1tWIiV0Wq3JY7C
Malware Config
Signatures

UPX dump on OEP (original entry point) (11 IoCs)
resource | yara_rule
behavioral2/memory/2400-0-0x000000000B000000-0x000000000B031000-memory.dmp | UPX
behavioral2/memory/2400-3-0x000000000B000000-0x000000000B031000-memory.dmp | UPX
behavioral2/memory/2400-4-0x000000000B000000-0x000000000B031000-memory.dmp | UPX
behavioral2/memory/4744-10-0x000000000B000000-0x000000000B031000-memory.dmp | UPX
behavioral2/memory/4744-11-0x000000000B000000-0x000000000B031000-memory.dmp | UPX
behavioral2/memory/2400-17-0x000000000B000000-0x000000000B031000-memory.dmp | UPX
behavioral2/memory/4744-23-0x000000000B000000-0x000000000B031000-memory.dmp | UPX
behavioral2/memory/4744-34-0x000000000B000000-0x000000000B031000-memory.dmp | UPX
behavioral2/memory/4744-51-0x000000000B000000-0x000000000B031000-memory.dmp | UPX
behavioral2/memory/4744-86-0x000000000B000000-0x000000000B031000-memory.dmp | UPX
behavioral2/memory/4744-230-0x000000000B000000-0x000000000B031000-memory.dmp | UPX

Blocklisted process makes network request (3 IoCs)
flow | pid | Process
14 | 4744 | rundll32.exe
43 | 4744 | rundll32.exe
61 | 4744 | rundll32.exe

Loads dropped DLL (1 IoCs)
pid | Process
4744 | rundll32.exe

resource | yara_rule
behavioral2/memory/2400-0-0x000000000B000000-0x000000000B031000-memory.dmp | upx
behavioral2/memory/2400-3-0x000000000B000000-0x000000000B031000-memory.dmp | upx
behavioral2/memory/2400-4-0x000000000B000000-0x000000000B031000-memory.dmp | upx
behavioral2/memory/4744-10-0x000000000B000000-0x000000000B031000-memory.dmp | upx
behavioral2/memory/4744-11-0x000000000B000000-0x000000000B031000-memory.dmp | upx
behavioral2/memory/2400-17-0x000000000B000000-0x000000000B031000-memory.dmp | upx
behavioral2/memory/4744-23-0x000000000B000000-0x000000000B031000-memory.dmp | upx
behavioral2/memory/4744-34-0x000000000B000000-0x000000000B031000-memory.dmp | upx
behavioral2/memory/4744-51-0x000000000B000000-0x000000000B031000-memory.dmp | upx
behavioral2/memory/4744-86-0x000000000B000000-0x000000000B031000-memory.dmp | upx
behavioral2/memory/4744-230-0x000000000B000000-0x000000000B031000-memory.dmp | upx

Drops file in Program Files directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\PROGRA~3\j61g7t81.fee | rundll32.exe
File created | C:\PROGRA~3\18t7g16j.cpp | rundll32.exe
File created | C:\PROGRA~3\j61g7t81.fee | rundll32.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 4432 wrote to memory of 2400 | 4432 | rundll32.exe | 83
PID 4432 wrote to memory of 2400 | 4432 | rundll32.exe | 83
PID 4432 wrote to memory of 2400 | 4432 | rundll32.exe | 83
PID 2400 wrote to memory of 4744 | 2400 | rundll32.exe | 84
PID 2400 wrote to memory of 4744 | 2400 | rundll32.exe | 84
PID 2400 wrote to memory of 4744 | 2400 | rundll32.exe | 84
Processes

C:\Windows\system32\rundll32.exe
  Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\VirusShare_849c748f9a37d4125779f6b31435d220.dll,#1
  PID: 4432
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\VirusShare_849c748f9a37d4125779f6b31435d220.dll,#1
    PID: 2400
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      Command: C:\Windows\system32\rundll32.exe C:\PROGRA~3\18t7g16j.cpp,XXS1
      PID: 4744
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Drops file in Program Files directory
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 156KB
MD5: 849c748f9a37d4125779f6b31435d220
SHA1: ab26f79f3726b2a066f73f2711d8362486ff93ce
SHA256: a7d1e0426d5ec9205c571cbafa558475f0a8fb701500a1353fd8fd5ad5a91c89
SHA512: 131d7c664211b581d061005ad6686e4dd2191727ced66b371dbc34895f2f426bc57d93c97da2ed39bd47b00154c96827d7d4868001a62e7f1027d0aea621468c

Filesize: 90.6MB
MD5: 5c71fe6debed22caf033932e729f4e2d
SHA1: 851e007322f8f63cdfbe062c686c0f6cae175926
SHA256: af15c00cb1ebd8c5cfb4925d78fea1a2bc632f14b1cafd166271f8c23454ddc3
SHA512: 33367fc939df13a3864b1a7ec85a457e9b3002c3946beff60dec0fb7c7707b0f7d034b9b443f81c2d8d3eaa3a06ad924fc272b1a006dbea8bc00993f4ecbb66e