Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

72db19a5cc...bf.dll

windows10-1703-x64

1

72db19a5cc...bf.dll

windows10-2004-x64

8

72db19a5cc...bf.dll

windows11-21h2-x64

8

Analysis

  • max time kernel
    599s
  • max time network
    601s
  • platform
    windows11-21h2_x64
  • resource
    win11-20231215-en
  • resource tags

    arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    14/02/2024, 16:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    72db19a5ccc7e378e72bd3cf8339280fc47f05b5ff65b1fb3893be6369a5c8bf.dll

  • Size

    59KB

  • MD5

    128f2c45abb340712b5bdb9787664877

  • SHA1

    e49dc6a12c76c9adf7a66e753b835fcd1cb48083

  • SHA256

    72db19a5ccc7e378e72bd3cf8339280fc47f05b5ff65b1fb3893be6369a5c8bf

  • SHA512

    6a2a4a1c4a5cc6ca2155ffd7f8849e73dba149e3b32beec13a37e68295f5f384195f7fc88eb2d4f1c3692ed3e4230b0383630842a8950b636e6a21806553fc70

  • SSDEEP

    768:xiC/DyfvDF9JN1O7zub7+IJSuCMajTiAmPbjQLMf8shs1Fw9Dy:oC/DivXkOJSuwjFmz0Lchs1FAG

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 64 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\72db19a5ccc7e378e72bd3cf8339280fc47f05b5ff65b1fb3893be6369a5c8bf.dll,#1
    1⤵
    • Deletes itself
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:3264
    • C:\Windows\system32\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_4ca9dd3.dll", #1
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:3312

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Custom_update\Update_4ca9dd3.dll
    Filesize

    59KB

    MD5

    128f2c45abb340712b5bdb9787664877

    SHA1

    e49dc6a12c76c9adf7a66e753b835fcd1cb48083

    SHA256

    72db19a5ccc7e378e72bd3cf8339280fc47f05b5ff65b1fb3893be6369a5c8bf

    SHA512

    6a2a4a1c4a5cc6ca2155ffd7f8849e73dba149e3b32beec13a37e68295f5f384195f7fc88eb2d4f1c3692ed3e4230b0383630842a8950b636e6a21806553fc70

    Download Submit

  • memory/3264-3-0x00007FFC382D0000-0x00007FFC382E3000-memory.dmp

    Filesize

    76KB

    Download