Analysis
max time kernel: 149s
max time network: 122s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/02/2024, 09:40
Static task: static1
Behavioral task: behavioral1
  Sample: 9b57bbeb7a77e9ff4256defe7141bab3.dll
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 9b57bbeb7a77e9ff4256defe7141bab3.dll
  Resource: win10v2004-20231215-en
General
Target: 9b57bbeb7a77e9ff4256defe7141bab3.dll
Size: 424KB
MD5: 9b57bbeb7a77e9ff4256defe7141bab3
SHA1: 3d2adf3e0ebac41aadfd122f119786127ea42e0c
SHA256: bb947e54137e56040819eefd51990978b28ac3291fb729447470a67f240be1ad
SHA512: d3efd3ddaa265f7e1e5b8cd496738a7a4799ec5f479f87c9cbdfd3177f9085e378891345515a7c26e8802b1a7be8158e72a35e006a24c842e76d73683c3b7f53
SSDEEP: 6144:i/0z/2rEZgcwPDHTSNT/rANdYdtGinqRfvTqDeFul0Mh5TBWQOX6JHY2DbAV0Zg:007/XwboTzAN2tnqRfCevM7TBw0Z4
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  flow | pid | Process
  7 | 4704 | rundll32.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | rundll32.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9b57bbeb7a77e9ff4256defe7141bab3.dll = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\9b57bbeb7a77e9ff4256defe7141bab3.dll\",watch" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9b57bbeb7a77e9ff4256defe7141bab3.dll_xserve = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\9b57bbeb7a77e9ff4256defe7141bab3.dll\",xserve" | rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  1856 | rundll32.exe (64 identical entries)
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 2280 wrote to memory of 4900 | 2280 | rundll32.exe | 63 (3 identical entries)
  PID 4900 wrote to memory of 1856 | 4900 | rundll32.exe | 86 (3 identical entries)
  PID 4900 wrote to memory of 4704 | 4900 | rundll32.exe | 87 (3 identical entries)
Processes (parent to child, indented by depth)
C:\Windows\system32\rundll32.exe (PID 2280)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9b57bbeb7a77e9ff4256defe7141bab3.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 4900)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9b57bbeb7a77e9ff4256defe7141bab3.dll,#1
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe (PID 1856)
      command line: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\9b57bbeb7a77e9ff4256defe7141bab3.dll",watch
      - Suspicious behavior: EnumeratesProcesses
    C:\Windows\SysWOW64\rundll32.exe (PID 4704)
      command line: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\9b57bbeb7a77e9ff4256defe7141bab3.dll",xserve
      - Blocklisted process makes network request