Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

0f20cba240...a8.dll

windows7-x64

1

0f20cba240...a8.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/04/2024, 21:48 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0f20cba24057d513019003126999cdeea3c81b9ee06aec5d3dad95d4c7cff3a8.dll

  • Size

    51KB

  • MD5

    329c4e66bb9620a4ef6b24a0243ba527

  • SHA1

    ed0819b46b4b63554c9f0704e489d554b418dce2

  • SHA256

    0f20cba24057d513019003126999cdeea3c81b9ee06aec5d3dad95d4c7cff3a8

  • SHA512

    95af25017255666d97049487b53354c8417b48b08a3d305163b3ad6d5978dcbab6d1147ebf302b25e4d56a299171271ccff7aeb823c12dbc4d8b3d50670a95cc

  • SSDEEP

    1536:1WmqoiBMNbMWtYNif/n9S91BF3frnoLfJYH5:1dWubF3n9S91BF3fbo7JYH5

Score
1/10

Malware Config

Signatures

  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f20cba24057d513019003126999cdeea3c81b9ee06aec5d3dad95d4c7cff3a8.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3696
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f20cba24057d513019003126999cdeea3c81b9ee06aec5d3dad95d4c7cff3a8.dll,#1
      2⤵
      • Suspicious behavior: RenamesItself
      PID:3060

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    76.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    76.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=007866bb84a8446185601dfca4c5f42f&localId=w:FEA8F19F-01BE-DA76-49B1-72C0C15A5E1B&deviceId=6825832441142904&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=007866bb84a8446185601dfca4c5f42f&localId=w:FEA8F19F-01BE-DA76-49B1-72C0C15A5E1B&deviceId=6825832441142904&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=00485B2622C862A608A24F4223EF63E8; domain=.bing.com; expires=Mon, 12-May-2025 21:48:36 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 215481A2976748CA8A803FE58941311C Ref B: LON04EDGE0707 Ref C: 2024-04-17T21:48:36Z
    date: Wed, 17 Apr 2024 21:48:36 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=007866bb84a8446185601dfca4c5f42f&localId=w:FEA8F19F-01BE-DA76-49B1-72C0C15A5E1B&deviceId=6825832441142904&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=007866bb84a8446185601dfca4c5f42f&localId=w:FEA8F19F-01BE-DA76-49B1-72C0C15A5E1B&deviceId=6825832441142904&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=00485B2622C862A608A24F4223EF63E8
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=ab1aVQ7gmu5agv1W-luefKZ2NLLuHF6pLPvbU-sq-AU; domain=.bing.com; expires=Mon, 12-May-2025 21:48:36 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: AAE667FC3485473FA8C4D30D74597C59 Ref B: LON04EDGE0707 Ref C: 2024-04-17T21:48:36Z
    date: Wed, 17 Apr 2024 21:48:36 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=007866bb84a8446185601dfca4c5f42f&localId=w:FEA8F19F-01BE-DA76-49B1-72C0C15A5E1B&deviceId=6825832441142904&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=007866bb84a8446185601dfca4c5f42f&localId=w:FEA8F19F-01BE-DA76-49B1-72C0C15A5E1B&deviceId=6825832441142904&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=00485B2622C862A608A24F4223EF63E8; MSPTC=ab1aVQ7gmu5agv1W-luefKZ2NLLuHF6pLPvbU-sq-AU
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 09C56F128A804058B1D28CC0ECBABD6A Ref B: LON04EDGE0707 Ref C: 2024-04-17T21:48:36Z
    date: Wed, 17 Apr 2024 21:48:36 GMT
  • flag-us
    DNS
    249.197.17.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    249.197.17.2.in-addr.arpa
    IN PTR
    Response
    249.197.17.2.in-addr.arpa
    IN PTR
    a2-17-197-249deploystaticakamaitechnologiescom
  • flag-us
    DNS
    241.154.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.154.82.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    237.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.197.79.204.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    156.33.209.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    156.33.209.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    132.250.30.184.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    132.250.30.184.in-addr.arpa
    IN PTR
    Response
    132.250.30.184.in-addr.arpa
    IN PTR
    a184-30-250-132deploystaticakamaitechnologiescom
  • flag-us
    DNS
    157.123.68.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    157.123.68.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.197.17.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.197.17.2.in-addr.arpa
    IN PTR
    Response
    240.197.17.2.in-addr.arpa
    IN PTR
    a2-17-197-240deploystaticakamaitechnologiescom
  • 204.79.197.237:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=007866bb84a8446185601dfca4c5f42f&localId=w:FEA8F19F-01BE-DA76-49B1-72C0C15A5E1B&deviceId=6825832441142904&anid=
    tls, http2
    2.0kB
     9.2kB
     21
    18

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=007866bb84a8446185601dfca4c5f42f&localId=w:FEA8F19F-01BE-DA76-49B1-72C0C15A5E1B&deviceId=6825832441142904&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=007866bb84a8446185601dfca4c5f42f&localId=w:FEA8F19F-01BE-DA76-49B1-72C0C15A5E1B&deviceId=6825832441142904&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=007866bb84a8446185601dfca4c5f42f&localId=w:FEA8F19F-01BE-DA76-49B1-72C0C15A5E1B&deviceId=6825832441142904&anid=

    HTTP Response

    204
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    76.32.126.40.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    76.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
     151 B
     1
    1

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.237
    13.107.21.237

  • 8.8.8.8:53
    249.197.17.2.in-addr.arpa
    dns
    71 B
     135 B
     1
    1

    DNS Request

    249.197.17.2.in-addr.arpa

  • 8.8.8.8:53
    241.154.82.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    241.154.82.20.in-addr.arpa

  • 8.8.8.8:53
    237.197.79.204.in-addr.arpa
    dns
    73 B
     143 B
     1
    1

    DNS Request

    237.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    156.33.209.4.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    156.33.209.4.in-addr.arpa

  • 8.8.8.8:53
    132.250.30.184.in-addr.arpa
    dns
    73 B
     139 B
     1
    1

    DNS Request

    132.250.30.184.in-addr.arpa

  • 8.8.8.8:53
    157.123.68.40.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    157.123.68.40.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    240.197.17.2.in-addr.arpa
    dns
    71 B
     135 B
     1
    1

    DNS Request

    240.197.17.2.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.