Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
17/04/2024, 09:30
Static task
static1
Behavioral task
behavioral1
Sample
380232c4d78e4c015ab8469ff62c8f2d4d44f2ebbc3aca0baf26d785402d87dc.dll
Resource
win7-20240221-en
General
-
Target
380232c4d78e4c015ab8469ff62c8f2d4d44f2ebbc3aca0baf26d785402d87dc.dll
-
Size
353KB
-
MD5
c04f67210a558c26d0132036cb2d0c25
-
SHA1
5896f685f25d4908826960d5dd3e0e82ce2e00c1
-
SHA256
380232c4d78e4c015ab8469ff62c8f2d4d44f2ebbc3aca0baf26d785402d87dc
-
SHA512
825857f3e8020003cd6bf2acac6be61e3174be77ed9aeea77f8cfb6e277d601abdb575f84fac5df3683d225df9902e048a05c10254519170bf811e5917d9b2cd
-
SSDEEP
6144:O1HCQc7/p7NthksJroUcdp1bw/uu+eLDXfbrTrzDIPS0iYrp1Hfmn1T:O1HCQOTthksJroUmp1bw/5DXfbzz0PSn
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 1272 rundll32Srv.exe 4620 DesktopLayer.exe -
resource yara_rule behavioral2/memory/1272-4-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/files/0x000600000001da78-3.dat upx behavioral2/memory/1272-7-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/4620-12-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/4620-15-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/4620-17-0x0000000000400000-0x000000000042E000-memory.dmp upx -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\rundll32Srv.exe rundll32.exe -
Drops file in Program Files directory 3 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe rundll32Srv.exe File opened for modification C:\Program Files (x86)\Microsoft\px6FA2.tmp rundll32Srv.exe File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe rundll32Srv.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1284 3556 WerFault.exe 85 -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1D23F6CA-FC9D-11EE-AD03-5A63910E382D} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31101097" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4053518770" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4080396357" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4053518770" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31101097" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31101097" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "420111199" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 4620 DesktopLayer.exe 4620 DesktopLayer.exe 4620 DesktopLayer.exe 4620 DesktopLayer.exe 4620 DesktopLayer.exe 4620 DesktopLayer.exe 4620 DesktopLayer.exe 4620 DesktopLayer.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1952 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 1952 iexplore.exe 1952 iexplore.exe 3740 IEXPLORE.EXE 3740 IEXPLORE.EXE 3740 IEXPLORE.EXE 3740 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 1724 wrote to memory of 3556 1724 rundll32.exe 85 PID 1724 wrote to memory of 3556 1724 rundll32.exe 85 PID 1724 wrote to memory of 3556 1724 rundll32.exe 85 PID 3556 wrote to memory of 1272 3556 rundll32.exe 87 PID 3556 wrote to memory of 1272 3556 rundll32.exe 87 PID 3556 wrote to memory of 1272 3556 rundll32.exe 87 PID 1272 wrote to memory of 4620 1272 rundll32Srv.exe 90 PID 1272 wrote to memory of 4620 1272 rundll32Srv.exe 90 PID 1272 wrote to memory of 4620 1272 rundll32Srv.exe 90 PID 4620 wrote to memory of 1952 4620 DesktopLayer.exe 91 PID 4620 wrote to memory of 1952 4620 DesktopLayer.exe 91 PID 1952 wrote to memory of 3740 1952 iexplore.exe 94 PID 1952 wrote to memory of 3740 1952 iexplore.exe 94 PID 1952 wrote to memory of 3740 1952 iexplore.exe 94
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\380232c4d78e4c015ab8469ff62c8f2d4d44f2ebbc3aca0baf26d785402d87dc.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\380232c4d78e4c015ab8469ff62c8f2d4d44f2ebbc3aca0baf26d785402d87dc.dll,#12⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3556 -
C:\Windows\SysWOW64\rundll32Srv.exeC:\Windows\SysWOW64\rundll32Srv.exe3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Program Files (x86)\Microsoft\DesktopLayer.exe"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1952 CREDAT:17410 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3740
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 6323⤵
- Program crash
PID:1284
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3556 -ip 35561⤵PID:3876
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
55KB
MD542bacbdf56184c2fa5fe6770857e2c2d
SHA1521a63ee9ce2f615eda692c382b16fc1b1d57cac
SHA256d1a57e19ddb9892e423248cc8ff0c4b1211d22e1ccad6111fcac218290f246f0
SHA5120ab916dd15278e51bccfd2ccedd80d942b0bddb9544cec3f73120780d4f7234ff7456530e1465caf3846616821d1b385b6ae58a5dff9ffe4d622902c24fd4b71