Analysis
  max time kernel: 123s
  max time network: 97s
  platform: windows11-21h2_x64
  resource: win11-20240412-en
  resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
  submitted: 21/04/2024, 07:57
Static task
  static1
Behavioral task
  behavioral1
    Sample: 93865cbe0beeac4b9db9824d62f42baca5fff42a7cc839ed915886fd4a49f640.exe
    Resource: win10v2004-20240412-en
Behavioral task
  behavioral2
    Sample: 93865cbe0beeac4b9db9824d62f42baca5fff42a7cc839ed915886fd4a49f640.exe
    Resource: win11-20240412-en
General
  Target: 93865cbe0beeac4b9db9824d62f42baca5fff42a7cc839ed915886fd4a49f640.exe
  Size: 2.7MB
  MD5: 53f70c63e11b5b2592cc2760fa9f7ee0
  SHA1: cd2c69037ce17669d30db004a4723b49d652735a
  SHA256: 93865cbe0beeac4b9db9824d62f42baca5fff42a7cc839ed915886fd4a49f640
  SHA512: 8ba0a65d0cbae880818d3f6d3a24c3448066cf9fcdb3e1b754881f2cea650f489ca0b573a9b2622b8129e0f18994a7590a9471e5d933dee506779e01c9235e99
  SSDEEP: 49152:jmoGDAgI3W2saAWO9aYB74+pK7CB1x4IF+A5iD9A1TK36A85v8:jmoaI3sa4O+oCSj/sO6A8i
Malware Config
Signatures
- Loads dropped DLL (2 IoCs)
    pid   Process
    2872  rundll32.exe
    916   rundll32.exe
- Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoCs)
    description  ioc                                                                                   Process
    Key created  \REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\Local Settings  93865cbe0beeac4b9db9824d62f42baca5fff42a7cc839ed915886fd4a49f640.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
    description                        pid   Process                                                                   procid_target
    PID 3000 wrote to memory of 4312   3000  93865cbe0beeac4b9db9824d62f42baca5fff42a7cc839ed915886fd4a49f640.exe  80
    PID 3000 wrote to memory of 4312   3000  93865cbe0beeac4b9db9824d62f42baca5fff42a7cc839ed915886fd4a49f640.exe  80
    PID 3000 wrote to memory of 4312   3000  93865cbe0beeac4b9db9824d62f42baca5fff42a7cc839ed915886fd4a49f640.exe  80
    PID 4312 wrote to memory of 2872   4312  control.exe                                                               83
    PID 4312 wrote to memory of 2872   4312  control.exe                                                               83
    PID 4312 wrote to memory of 2872   4312  control.exe                                                               83
    PID 2872 wrote to memory of 2116   2872  rundll32.exe                                                              84
    PID 2872 wrote to memory of 2116   2872  rundll32.exe                                                              84
    PID 2116 wrote to memory of 916    2116  RunDll32.exe                                                              85
    PID 2116 wrote to memory of 916    2116  RunDll32.exe                                                              85
    PID 2116 wrote to memory of 916    2116  RunDll32.exe                                                              85
Processes
1. C:\Users\Admin\AppData\Local\Temp\93865cbe0beeac4b9db9824d62f42baca5fff42a7cc839ed915886fd4a49f640.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\93865cbe0beeac4b9db9824d62f42baca5fff42a7cc839ed915886fd4a49f640.exe"
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 3000
   2. C:\Windows\SysWOW64\control.exe
      Command line: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\DsVk3.cPl",
      - Suspicious use of WriteProcessMemory
      PID: 4312
      3. C:\Windows\SysWOW64\rundll32.exe
         Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\DsVk3.cPl",
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         PID: 2872
         4. C:\Windows\system32\RunDll32.exe
            Command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\DsVk3.cPl",
            - Suspicious use of WriteProcessMemory
            PID: 2116
            5. C:\Windows\SysWOW64\rundll32.exe
               Command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\DsVk3.cPl",
               - Loads dropped DLL
               PID: 916
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.8MB
  MD5: dd67d27c548f4a84fffa7ef1dfd05cf6
  SHA1: 1e5b28747eb11a0d1b3486a97f0b66066222c3d2
  SHA256: 044bde60642d879badd2b050ced2227c474d72c53bb88a43fb12424f97581ad9
  SHA512: a25775c112c34c0edcb82319ca19ea22572827870780137376b324e191877e6c827f44ada4fa3eabf5c34339ade78933a2430b8192a12ec2f7d69a68741de8d3