Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
8Static
static
3ec4a958ab7...dd.exe
windows11-21h2-x64
8rptcache64.dll
windows11-21h2-x64
1rtfile32.dll
windows11-21h2-x64
1rtfile64.dll
windows11-21h2-x64
1rtinfo32.dll
windows11-21h2-x64
4rtinfo64.dll
windows11-21h2-x64
4screenhooks32.dll
windows11-21h2-x64
1scrnrcd32.dll
windows11-21h2-x64
1scrnrcd64.dll
windows11-21h2-x64
1sensinfo32.dll
windows11-21h2-x64
1sensinfo64.dll
windows11-21h2-x64
1setuphlpr.dll
windows11-21h2-x64
1shlext32.dll
windows11-21h2-x64
1shlext64.dll
windows11-21h2-x64
7siriuv32.dll
windows11-21h2-x64
1siriuv64.dll
windows11-21h2-x64
1sqlcipher32.dll
windows11-21h2-x64
3sqlcipher64.dll
windows11-21h2-x64
1sscanner32.dll
windows11-21h2-x64
1sscanner64.dll
windows11-21h2-x64
1ssleay32.dll
windows11-21h2-x64
1ssleay64.dll
windows11-21h2-x64
1swvv32.sys
windows11-21h2-x64
1swvv64.sys
windows11-21h2-x64
1swvv64_win7.sys
windows11-21h2-x64
1unrar32.dll
windows11-21h2-x64
3unrar64.dll
windows11-21h2-x64
1usbmgr32.dll
windows11-21h2-x64
1usbmgr64.dll
windows11-21h2-x64
1winpcap_inst.exe
windows11-21h2-x64
8workflow32.dll
windows11-21h2-x64
1workflow64.dll
windows11-21h2-x64
1Analysis
-
max time kernel
144s -
max time network
149s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system -
submitted
28/04/2024, 10:49
Static task
static1
Behavioral task
behavioral1
Sample
ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
Resource
win11-20240419-en
windows11-21h2-x64
Behavioral task
behavioral2
Sample
rptcache64.dll
Resource
win11-20240426-en
windows11-21h2-x64
Behavioral task
behavioral3
Sample
rtfile32.dll
Resource
win11-20240426-en
windows11-21h2-x64
Behavioral task
behavioral4
Sample
rtfile64.dll
Resource
win11-20240419-en
windows11-21h2-x64
Behavioral task
behavioral5
Sample
rtinfo32.dll
Resource
win11-20240426-en
windows11-21h2-x64
Behavioral task
behavioral6
Sample
rtinfo64.dll
Resource
win11-20240426-en
windows11-21h2-x64
Behavioral task
behavioral7
Sample
screenhooks32.dll
Resource
win11-20240426-en
windows11-21h2-x64
Behavioral task
behavioral8
Sample
scrnrcd32.dll
Resource
win11-20240419-en
windows11-21h2-x64
Behavioral task
behavioral9
Sample
scrnrcd64.dll
Resource
win11-20240419-en
windows11-21h2-x64
Behavioral task
behavioral10
Sample
sensinfo32.dll
Resource
win11-20240426-en
windows11-21h2-x64
Behavioral task
behavioral11
Sample
sensinfo64.dll
Resource
win11-20240426-en
windows11-21h2-x64
Behavioral task
behavioral12
Sample
setuphlpr.dll
Resource
win11-20240419-en
windows11-21h2-x64
Behavioral task
behavioral13
Sample
shlext32.dll
Resource
win11-20240419-en
windows11-21h2-x64
Behavioral task
behavioral14
Sample
shlext64.dll
Resource
win11-20240419-en
windows11-21h2-x64
Behavioral task
behavioral15
Sample
siriuv32.dll
Resource
win11-20240426-en
windows11-21h2-x64
Behavioral task
behavioral16
Sample
siriuv64.dll
Resource
win11-20240426-en
windows11-21h2-x64
Behavioral task
behavioral17
Sample
sqlcipher32.dll
Resource
win11-20240426-en
windows11-21h2-x64
Behavioral task
behavioral18
Sample
sqlcipher64.dll
Resource
win11-20240419-en
windows11-21h2-x64
Behavioral task
behavioral19
Sample
sscanner32.dll
Resource
win11-20240419-en
windows11-21h2-x64
Behavioral task
behavioral20
Sample
sscanner64.dll
Resource
win11-20240426-en
windows11-21h2-x64
Behavioral task
behavioral21
Sample
ssleay32.dll
Resource
win11-20240426-en
windows11-21h2-x64
Behavioral task
behavioral22
Sample
ssleay64.dll
Resource
win11-20240419-en
windows11-21h2-x64
Behavioral task
behavioral23
Sample
swvv32.sys
Resource
win11-20240426-en
windows11-21h2-x64
Behavioral task
behavioral24
Sample
swvv64.sys
Resource
win11-20240419-en
windows11-21h2-x64
Behavioral task
behavioral25
Sample
swvv64_win7.sys
Resource
win11-20240419-en
windows11-21h2-x64
Behavioral task
behavioral26
Sample
unrar32.dll
Resource
win11-20240419-en
windows11-21h2-x64
Behavioral task
behavioral27
Sample
unrar64.dll
Resource
win11-20240426-en
windows11-21h2-x64
Behavioral task
behavioral28
Sample
usbmgr32.dll
Resource
win11-20240426-en
windows11-21h2-x64
Behavioral task
behavioral29
Sample
usbmgr64.dll
Resource
win11-20240419-en
windows11-21h2-x64
Behavioral task
behavioral30
Sample
winpcap_inst.exe
Resource
win11-20240426-en
windows11-21h2-x64
Behavioral task
behavioral31
Sample
workflow32.dll
Resource
win11-20240426-en
windows11-21h2-x64
Behavioral task
behavioral32
Sample
workflow64.dll
Resource
win11-20240419-en
windows11-21h2-x64
General
-
Target
rtinfo32.dll
-
Size
492KB
-
MD5
2e7becfa5a8431cdc7b0de522c5a96a4
-
SHA1
ae949e3082a95c8a92a21c6935a486f61701952e
-
SHA256
52f6aefb309ab0429538525c9137aa1973589f770dc7f8b358e49c1fcd385514
-
SHA512
c707148c37a9dbd2793a3a82e7625dc86c03ef64ef463de363cebdd7a95c72929af56ef69de6a7e20983c1917dc486705e01442da9b192ec961992ca6bf617bb
-
SSDEEP
12288:O3He1ceSlj0NSczfwFpBwtCtm1ChZHl7MQxlEcB:3wFzZHlFxlt
Malware Config
Signatures
-
Drops file in Windows directory 59 IoCs
description ioc Process File created C:\Windows\INF\PerceptionSimulationSixDof.PNF rundll32.exe File created C:\Windows\INF\c_fsvirtualization.PNF rundll32.exe File created C:\Windows\INF\c_display.PNF rundll32.exe File created C:\Windows\INF\c_media.PNF rundll32.exe File created C:\Windows\INF\c_smrvolume.PNF rundll32.exe File created C:\Windows\INF\c_fsquotamgmt.PNF rundll32.exe File created C:\Windows\INF\rdcameradriver.PNF rundll32.exe File created C:\Windows\INF\c_fsreplication.PNF rundll32.exe File created C:\Windows\INF\c_swcomponent.PNF rundll32.exe File created C:\Windows\INF\c_nvmedisk.PNF rundll32.exe File created C:\Windows\INF\c_cashdrawer.PNF rundll32.exe File created C:\Windows\INF\wsdprint.PNF rundll32.exe File created C:\Windows\INF\c_fsopenfilebackup.PNF rundll32.exe File created C:\Windows\INF\c_monitor.PNF rundll32.exe File created C:\Windows\INF\c_mcx.PNF rundll32.exe File created C:\Windows\INF\c_fssystem.PNF rundll32.exe File created C:\Windows\INF\c_fssystemrecovery.PNF rundll32.exe File created C:\Windows\INF\c_netdriver.PNF rundll32.exe File created C:\Windows\INF\c_fscopyprotection.PNF rundll32.exe File created C:\Windows\INF\c_fshsm.PNF rundll32.exe File created C:\Windows\INF\xusb22.PNF rundll32.exe File created C:\Windows\INF\remoteposdrv.PNF rundll32.exe File created C:\Windows\INF\c_processor.PNF rundll32.exe File created C:\Windows\INF\c_sslaccel.PNF rundll32.exe File created C:\Windows\INF\c_fsphysicalquotamgmt.PNF rundll32.exe File created C:\Windows\INF\c_receiptprinter.PNF rundll32.exe File created C:\Windows\INF\c_extension.PNF rundll32.exe File created C:\Windows\INF\c_ucm.PNF rundll32.exe File created C:\Windows\INF\c_computeaccelerator.PNF rundll32.exe File created C:\Windows\INF\c_diskdrive.PNF rundll32.exe File created C:\Windows\INF\c_volume.PNF rundll32.exe File created C:\Windows\INF\c_fsactivitymonitor.PNF rundll32.exe File created C:\Windows\INF\c_fscfsmetadataserver.PNF rundll32.exe File created C:\Windows\INF\c_apo.PNF rundll32.exe File created C:\Windows\INF\miradisp.PNF rundll32.exe File created C:\Windows\INF\c_fssecurityenhancer.PNF rundll32.exe File created C:\Windows\INF\c_magneticstripereader.PNF rundll32.exe File created C:\Windows\INF\c_proximity.PNF rundll32.exe File created C:\Windows\INF\rawsilo.PNF rundll32.exe File created C:\Windows\INF\c_fsencryption.PNF rundll32.exe File created C:\Windows\INF\c_firmware.PNF rundll32.exe File created C:\Windows\INF\c_fsundelete.PNF rundll32.exe File created C:\Windows\INF\digitalmediadevice.PNF rundll32.exe File created C:\Windows\INF\ts_generic.PNF rundll32.exe File created C:\Windows\INF\c_scmdisk.PNF rundll32.exe File created C:\Windows\INF\oposdrv.PNF rundll32.exe File created C:\Windows\INF\c_fscontentscreener.PNF rundll32.exe File created C:\Windows\INF\c_barcodescanner.PNF rundll32.exe File created C:\Windows\INF\c_holographic.PNF rundll32.exe File created C:\Windows\INF\c_primitive.PNF rundll32.exe File created C:\Windows\INF\c_linedisplay.PNF rundll32.exe File created C:\Windows\INF\c_smrdisk.PNF rundll32.exe File created C:\Windows\INF\c_scmvolume.PNF rundll32.exe File created C:\Windows\INF\c_camera.PNF rundll32.exe File created C:\Windows\INF\dc1-controller.PNF rundll32.exe File created C:\Windows\INF\c_fsantivirus.PNF rundll32.exe File created C:\Windows\INF\c_fsinfrastructure.PNF rundll32.exe File created C:\Windows\INF\c_fscompression.PNF rundll32.exe File created C:\Windows\INF\c_fscontinuousbackup.PNF rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 16 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3036 wrote to memory of 3156 3036 rundll32.exe 78 PID 3036 wrote to memory of 3156 3036 rundll32.exe 78 PID 3036 wrote to memory of 3156 3036 rundll32.exe 78
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\rtinfo32.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\rtinfo32.dll,#12⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:3156
-