Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/04/2024, 14:09 UTC

General

  • Target

    $PLUGINSDIR/UAC.dll

  • Size

    13KB

  • MD5

    a88baad3461d2e9928a15753b1d93fd7

  • SHA1

    bb826e35264968bbc3b981d8430ac55df1e6d4a6

  • SHA256

    c5ab2926c268257122d0342739e73573d7eeda34c861bc7a68a02cbc69bd41af

  • SHA512

    5edcf46680716930da7fd1a41b8b0426f057cf4becefb3ee84798ec8b449726afb822fb626c4942036a1ae3bb937184d1f71d0e45075abb5bf167f5d833df43a

  • SSDEEP

    192:qP6KdXy+Yo7e1J8qC25a5mDFmCLGUCVGpU6uNck87I0S/TDqwyTq+:q/q3Pgd5mx6VkEck87ILCTN

Score
3/10

Malware Config

Signatures

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe (PID 3792)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\rundll32.exe (PID 3932, child of 3792)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1
      • C:\Windows\SysWOW64\WerFault.exe (PID 688, child of 3932)
        C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 624
        • Program crash
  • C:\Windows\SysWOW64\WerFault.exe (PID 4956)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3932 -ip 3932
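The tree above shows the 64-bit rundll32 (PID 3792) handing the DLL to a SysWOW64 rundll32 (PID 3932), which faults; both WerFault instances (688 and 4956) name 3932 with -p. The target name and path are consistent with the NSIS UAC plug-in unpacked to $PLUGINSDIR, and NSIS plug-in exports expect the installer engine's own calling convention, so a crash when export #1 is invoked through rundll32 is an expected outcome rather than evidence of anything by itself. The script below is an added example for this note (not code from the report or from tria.ge): it takes process records constructed from the tree above, flags rundll32 invocations that load a DLL from a user-writable temp path or by ordinal, and links every WerFault back to the PID it reports on. The Proc and Finding types and their field names are this example's own.

```python
"""Triage of a sandbox process tree: flag rundll32 invocations that load a DLL
from a user-writable temp path and tie WerFault instances back to the crashed
process. Added example code for this note, not part of the report or of tria.ge."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]   # None where the report shows no parent
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int
    dll: str
    entry: str
    reasons: Tuple[str, ...]


# Constructed from the report's process tree (PIDs, images, command lines as shown).
PROCS = [
    Proc(3792, None, r"C:\Windows\system32\rundll32.exe",
         r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1"),
    Proc(3932, 3792, r"C:\Windows\SysWOW64\rundll32.exe",
         r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1"),
    Proc(688, 3932, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 624"),
    Proc(4956, None, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3932 -ip 3932"),
]

# 'rundll32[.exe] <dll>,<entry> ...'; the dll token may be quoted if the path has spaces.
RUNDLL32_RE = re.compile(r'^\s*"?(?:[^"\s]*[\\/])?rundll32(?:\.exe)?"?\s+("[^"]*"|\S+)', re.I)
# WerFault names the faulting process with -p <pid> (in both the -u and -pss forms above).
WERFAULT_PID_RE = re.compile(r"(?:^|\s)-p\s+(\d+)")
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def parse_rundll32(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (dll_path, entry) for a rundll32 command line, or None if it is not one."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    spec = m.group(1).strip('"')
    dll, sep, entry = spec.rpartition(",")
    return (dll, entry) if sep else (spec, "")


def suspicious_reasons(dll: str, entry: str) -> Tuple[str, ...]:
    low = dll.lower()
    reasons = []
    if any(mark in low for mark in TEMP_MARKERS):
        reasons.append("dll in user-writable temp dir")
    if "\\$plugins" in low:          # $PLUGINSDIR is where NSIS installers unpack plug-ins
        reasons.append("NSIS $PLUGINSDIR staging path")
    if entry.startswith("#"):        # export called by ordinal rather than by name
        reasons.append("entry point by ordinal")
    return tuple(reasons)


def triage(procs: List[Proc]) -> Dict[str, object]:
    """Return rundll32 findings plus a map of crashed PID -> WerFault PIDs that reported it."""
    findings: List[Finding] = []
    crashed: Dict[int, List[int]] = {}
    for p in procs:
        parsed = parse_rundll32(p.cmdline)
        if parsed:
            reasons = suspicious_reasons(*parsed)
            if reasons:
                findings.append(Finding(p.pid, parsed[0], parsed[1], reasons))
        if p.image.lower().endswith("\\werfault.exe"):
            m = WERFAULT_PID_RE.search(p.cmdline)
            if m:
                crashed.setdefault(int(m.group(1)), []).append(p.pid)
    return {"rundll32": findings,
            "crashed": {pid: sorted(w) for pid, w in crashed.items()}}


if __name__ == "__main__":
    result = triage(PROCS)
    for f in result["rundll32"]:
        print(f"PID {f.pid}: rundll32 -> {f.dll} entry {f.entry!r}: {', '.join(f.reasons)}")
    for pid, werfaults in result["crashed"].items():
        print(f"PID {pid} crashed (reported by WerFault PIDs {werfaults})")
```

Run against the constructed records it reports both rundll32 PIDs (the 64-bit launcher and the WOW64 child carry the same command line) and attributes both WerFault instances to 3932. The same parse-and-correlate step applies to Sysmon event ID 1 or EDR process-creation telemetry, where the temp-path and ordinal checks are cheap hunting filters but need the crash correlation and the parent chain to avoid flagging every installer that unpacks a plug-in.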

      Network

      • DNS query [remote: US] g.bing.com
        Remote address:
        8.8.8.8:53
        Request
        g.bing.com
        IN A
        Response
        g.bing.com
        IN CNAME
        g-bing-com.dual-a-0034.a-msedge.net
        g-bing-com.dual-a-0034.a-msedge.net
        IN CNAME
        dual-a-0034.a-msedge.net
        dual-a-0034.a-msedge.net
        IN A
        204.79.197.237
        dual-a-0034.a-msedge.net
        IN A
        13.107.21.237
      • HTTP GET [remote: US]
        https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8ul_n1-sTZbfWSkqh2uMCaTVUCUwOyTtLtIFc8z8b9FuK1s9rlt4rmaaVOvr5E4YT7mEjYTTMWQRNV9BqM39KcmC20NAZPKS03LuKU8zs-AZYgDQrdXHK07H42FIUb8OHL-rgSWRw919piD42mJ-DJdSJ5x7qATkqOzt52EeZ8NDclfAL%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dc08d68ad621c16fb595e0e86cc34c76e&TIME=20240426T133810Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4
        Remote address:
        204.79.197.237:443
        Request
        GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8ul_n1-sTZbfWSkqh2uMCaTVUCUwOyTtLtIFc8z8b9FuK1s9rlt4rmaaVOvr5E4YT7mEjYTTMWQRNV9BqM39KcmC20NAZPKS03LuKU8zs-AZYgDQrdXHK07H42FIUb8OHL-rgSWRw919piD42mJ-DJdSJ5x7qATkqOzt52EeZ8NDclfAL%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dc08d68ad621c16fb595e0e86cc34c76e&TIME=20240426T133810Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4 HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        set-cookie: MUID=0167778AAC7F66811EB563FAADC4672C; domain=.bing.com; expires=Sat, 24-May-2025 14:09:45 GMT; path=/; SameSite=None; Secure; Priority=High;
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 9E024CEA04BC471D9A9A3B2BC6114C83 Ref B: LON04EDGE0808 Ref C: 2024-04-29T14:09:45Z
        date: Mon, 29 Apr 2024 14:09:44 GMT
      • HTTP GET [remote: US]
        https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8ul_n1-sTZbfWSkqh2uMCaTVUCUwOyTtLtIFc8z8b9FuK1s9rlt4rmaaVOvr5E4YT7mEjYTTMWQRNV9BqM39KcmC20NAZPKS03LuKU8zs-AZYgDQrdXHK07H42FIUb8OHL-rgSWRw919piD42mJ-DJdSJ5x7qATkqOzt52EeZ8NDclfAL%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dc08d68ad621c16fb595e0e86cc34c76e&TIME=20240426T133810Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4
        Remote address:
        204.79.197.237:443
        Request
        GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8ul_n1-sTZbfWSkqh2uMCaTVUCUwOyTtLtIFc8z8b9FuK1s9rlt4rmaaVOvr5E4YT7mEjYTTMWQRNV9BqM39KcmC20NAZPKS03LuKU8zs-AZYgDQrdXHK07H42FIUb8OHL-rgSWRw919piD42mJ-DJdSJ5x7qATkqOzt52EeZ8NDclfAL%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dc08d68ad621c16fb595e0e86cc34c76e&TIME=20240426T133810Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4 HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        cookie: MUID=0167778AAC7F66811EB563FAADC4672C; _EDGE_S=SID=263C4D3E477E693F1E7A594E4629688A
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        set-cookie: MSPTC=x9EE13rNOZvxxCy4wJF_VhB6_j9H_ki63tinZTS5MUo; domain=.bing.com; expires=Sat, 24-May-2025 14:09:45 GMT; path=/; Partitioned; secure; SameSite=None
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 800598C6243B423F93DF5EA8D155BD10 Ref B: LON04EDGE0808 Ref C: 2024-04-29T14:09:45Z
        date: Mon, 29 Apr 2024 14:09:45 GMT
      • HTTP GET [remote: NL]
        https://www.bing.com/aes/c.gif?RG=d7e1ac4b0ef64a67a661149082ec248f&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T133810Z&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644
        Remote address:
        23.62.61.187:443
        Request
        GET /aes/c.gif?RG=d7e1ac4b0ef64a67a661149082ec248f&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T133810Z&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644 HTTP/2.0
        host: www.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        cookie: MUID=0167778AAC7F66811EB563FAADC4672C
        Response
        HTTP/2.0 200
        cache-control: private,no-store
        pragma: no-cache
        vary: Origin
        p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: DFF11CC4851F46AC92CE05AAD29BF45F Ref B: AMS04EDGE1519 Ref C: 2024-04-29T14:09:45Z
        content-length: 0
        date: Mon, 29 Apr 2024 14:09:45 GMT
        set-cookie: _EDGE_S=SID=263C4D3E477E693F1E7A594E4629688A; path=/; httponly; domain=bing.com
        set-cookie: MUIDB=0167778AAC7F66811EB563FAADC4672C; path=/; httponly; expires=Sat, 24-May-2025 14:09:45 GMT
        alt-svc: h3=":443"; ma=93600
        x-cdn-traceid: 0.b73d3e17.1714399785.3fe33bf9
      • DNS query [remote: US] 237.197.79.204.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        237.197.79.204.in-addr.arpa
        IN PTR
        Response
      • DNS query [remote: US] 187.61.62.23.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        187.61.62.23.in-addr.arpa
        IN PTR
        Response
        187.61.62.23.in-addr.arpa
        IN PTR
        a23-62-61-187.deploy.static.akamaitechnologies.com
      • DNS query [remote: US] 37.56.20.217.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        37.56.20.217.in-addr.arpa
        IN PTR
        Response
      • DNS query [remote: US] 22.160.190.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        22.160.190.20.in-addr.arpa
        IN PTR
        Response
      • DNS query [remote: US] 157.123.68.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        157.123.68.40.in-addr.arpa
        IN PTR
        Response
      • DNS query [remote: US] 56.126.166.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        56.126.166.20.in-addr.arpa
        IN PTR
        Response
      • DNS query [remote: US] 17.143.109.104.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        17.143.109.104.in-addr.arpa
        IN PTR
        Response
        17.143.109.104.in-addr.arpa
        IN PTR
        a104-109-143-17.deploy.static.akamaitechnologies.com
      • DNS query [remote: US] 30.243.111.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        30.243.111.52.in-addr.arpa
        IN PTR
        Response
      • DNS query [remote: US] 133.190.18.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        133.190.18.2.in-addr.arpa
        IN PTR
        Response
        133.190.18.2.in-addr.arpa
        IN PTR
        a2-18-190-133.deploy.static.akamaitechnologies.com
      • DNS query [remote: US] 131.72.42.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        131.72.42.20.in-addr.arpa
        IN PTR
        Response
      • DNS query [remote: US] 131.72.42.20.in-addr.arpa (repeated; no response recorded)
        Remote address:
        8.8.8.8:53
        Request
        131.72.42.20.in-addr.arpa
        IN PTR
      • 204.79.197.237:443
        https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8ul_n1-sTZbfWSkqh2uMCaTVUCUwOyTtLtIFc8z8b9FuK1s9rlt4rmaaVOvr5E4YT7mEjYTTMWQRNV9BqM39KcmC20NAZPKS03LuKU8zs-AZYgDQrdXHK07H42FIUb8OHL-rgSWRw919piD42mJ-DJdSJ5x7qATkqOzt52EeZ8NDclfAL%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dc08d68ad621c16fb595e0e86cc34c76e&TIME=20240426T133810Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4
        tls, http2; sent 2.5kB in 20 packets, received 9.0kB in 17 packets

        HTTP Request

        GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8ul_n1-sTZbfWSkqh2uMCaTVUCUwOyTtLtIFc8z8b9FuK1s9rlt4rmaaVOvr5E4YT7mEjYTTMWQRNV9BqM39KcmC20NAZPKS03LuKU8zs-AZYgDQrdXHK07H42FIUb8OHL-rgSWRw919piD42mJ-DJdSJ5x7qATkqOzt52EeZ8NDclfAL%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dc08d68ad621c16fb595e0e86cc34c76e&TIME=20240426T133810Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4

        HTTP Response

        204

        HTTP Request

        GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8ul_n1-sTZbfWSkqh2uMCaTVUCUwOyTtLtIFc8z8b9FuK1s9rlt4rmaaVOvr5E4YT7mEjYTTMWQRNV9BqM39KcmC20NAZPKS03LuKU8zs-AZYgDQrdXHK07H42FIUb8OHL-rgSWRw919piD42mJ-DJdSJ5x7qATkqOzt52EeZ8NDclfAL%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dc08d68ad621c16fb595e0e86cc34c76e&TIME=20240426T133810Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4

        HTTP Response

        204
      • 23.62.61.187:443
        https://www.bing.com/aes/c.gif?RG=d7e1ac4b0ef64a67a661149082ec248f&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T133810Z&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644
        tls, http2; sent 1.4kB in 16 packets, received 5.3kB in 11 packets

        HTTP Request

        GET https://www.bing.com/aes/c.gif?RG=d7e1ac4b0ef64a67a661149082ec248f&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T133810Z&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644

        HTTP Response

        200
      • 8.8.8.8:53
        g.bing.com
        dns; sent 56 B in 1 packet, received 151 B in 1 packet

        DNS Request

        g.bing.com

        DNS Response

        204.79.197.237
        13.107.21.237

      • 8.8.8.8:53
        237.197.79.204.in-addr.arpa
        dns; sent 73 B in 1 packet, received 143 B in 1 packet

        DNS Request

        237.197.79.204.in-addr.arpa

      • 8.8.8.8:53
        187.61.62.23.in-addr.arpa
        dns; sent 71 B in 1 packet, received 135 B in 1 packet

        DNS Request

        187.61.62.23.in-addr.arpa

      • 8.8.8.8:53
        37.56.20.217.in-addr.arpa
        dns; sent 71 B in 1 packet, received 131 B in 1 packet

        DNS Request

        37.56.20.217.in-addr.arpa

      • 8.8.8.8:53
        22.160.190.20.in-addr.arpa
        dns; sent 72 B in 1 packet, received 158 B in 1 packet

        DNS Request

        22.160.190.20.in-addr.arpa

      • 8.8.8.8:53
        157.123.68.40.in-addr.arpa
        dns; sent 72 B in 1 packet, received 146 B in 1 packet

        DNS Request

        157.123.68.40.in-addr.arpa

      • 8.8.8.8:53
        56.126.166.20.in-addr.arpa
        dns; sent 72 B in 1 packet, received 158 B in 1 packet

        DNS Request

        56.126.166.20.in-addr.arpa

      • 8.8.8.8:53
        17.143.109.104.in-addr.arpa
        dns; sent 73 B in 1 packet, received 139 B in 1 packet

        DNS Request

        17.143.109.104.in-addr.arpa

      • 8.8.8.8:53
        30.243.111.52.in-addr.arpa
        dns; sent 72 B in 1 packet, received 158 B in 1 packet

        DNS Request

        30.243.111.52.in-addr.arpa

      • 8.8.8.8:53
        133.190.18.2.in-addr.arpa
        dns; sent 71 B in 1 packet, received 135 B in 1 packet

        DNS Request

        133.190.18.2.in-addr.arpa

      • 8.8.8.8:53
        131.72.42.20.in-addr.arpa
        dns; sent 142 B in 2 packets, received 157 B in 1 packet

        DNS Request

        131.72.42.20.in-addr.arpa

        DNS Request

        131.72.42.20.in-addr.arpa

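Every HTTP request in the Network section carries the user-agent WindowsShellClient/9.0.40929.0 and goes to bing.com with ad-impression parameters (action=impression, adUnitId); that is traffic generated by the Windows shell itself rather than by the DLL, and the in-addr.arpa queries are reverse lookups of contacted addresses, not name resolution by the sample. Treating any of it as an indicator for UAC.dll would be a false positive. The script below is an added example for this note (not code from the report or from tria.ge): it rebuilds the events from the Network section as constructed records, buckets them into shell telemetry, reverse lookups and unattributed traffic, and lists what still needs an analyst's attention. The final request to example.net / 203.0.113.10 is hypothetical (it is not in the report) and is there only to show how an unexplained event surfaces; the classify and needs_attention functions and the event field names are this example's own.

```python
"""Sort a sandbox report's network events into Windows/sandbox background traffic
and events that still need attribution. Added example code for this note, not part
of the report or of tria.ge; the events are constructed from the Network section
above, plus one hypothetical request to example.net that is NOT in the report."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional

SHELL_UA = "WindowsShellClient/9.0.40929.0 (Windows)"   # as seen in every HTTP request above
BACKGROUND_UA_PREFIXES = ("WindowsShellClient/",)        # Windows shell (Start menu) fetches


def http(host, path, remote, status, ua=SHELL_UA):
    return {"kind": "http", "method": "GET", "host": host, "path": path,
            "remote": remote, "status": status, "user_agent": ua}


def dns(name, qtype, answers=()):
    return {"kind": "dns", "name": name, "qtype": qtype, "resolver": "8.8.8.8",
            "answers": list(answers)}


# Constructed from the report (hosts, addresses, user-agent and PTR answers as shown).
EVENTS = [
    dns("g.bing.com", "A", ["204.79.197.237", "13.107.21.237"]),
    http("g.bing.com", "/neg/0", "204.79.197.237", 204),
    http("g.bing.com", "/neg/0", "204.79.197.237", 204),
    http("www.bing.com", "/aes/c.gif", "23.62.61.187", 200),
    dns("237.197.79.204.in-addr.arpa", "PTR"),
    dns("187.61.62.23.in-addr.arpa", "PTR", ["a23-62-61-187.deploy.static.akamaitechnologies.com"]),
    dns("37.56.20.217.in-addr.arpa", "PTR"),
    dns("22.160.190.20.in-addr.arpa", "PTR"),
    dns("157.123.68.40.in-addr.arpa", "PTR"),
    dns("56.126.166.20.in-addr.arpa", "PTR"),
    dns("17.143.109.104.in-addr.arpa", "PTR", ["a104-109-143-17.deploy.static.akamaitechnologies.com"]),
    dns("30.243.111.52.in-addr.arpa", "PTR"),
    dns("133.190.18.2.in-addr.arpa", "PTR", ["a2-18-190-133.deploy.static.akamaitechnologies.com"]),
    dns("131.72.42.20.in-addr.arpa", "PTR"),
    dns("131.72.42.20.in-addr.arpa", "PTR"),
    # Hypothetical, not in the report: what a sample-originated request would look like.
    http("example.net", "/gate.php", "203.0.113.10", 200, ua="Mozilla/4.0 (compatible)"),
]


def ptr_to_ip(name: str) -> Optional[str]:
    """'237.197.79.204.in-addr.arpa' -> '204.79.197.237'; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def classify(events: List[dict]) -> Dict[str, List[dict]]:
    """Buckets: 'shell-telemetry', 'rdns' (reverse lookups, annotated with the forward
    IP and whether that IP appears elsewhere in the capture) and 'unattributed'."""
    bg_hosts, seen_ips = set(), set()
    for ev in events:                       # pass 1: what the shell client explains
        if ev["kind"] == "http":
            seen_ips.add(ev["remote"])
            if ev["user_agent"].startswith(BACKGROUND_UA_PREFIXES):
                bg_hosts.add(ev["host"].lower())
        elif ev["qtype"] == "A":
            seen_ips.update(ev["answers"])
    out: Dict[str, List[dict]] = defaultdict(list)
    for ev in events:                       # pass 2: bucket every event
        if ev["kind"] == "http":
            bg = ev["user_agent"].startswith(BACKGROUND_UA_PREFIXES)
            cat = "shell-telemetry" if bg else "unattributed"
        elif ev["qtype"] == "PTR":
            ip = ptr_to_ip(ev["name"])
            ev = dict(ev, ip=ip, ip_seen_elsewhere=ip in seen_ips)
            cat = "rdns"
        else:                               # forward lookup: explained only via a shell host
            cat = "shell-telemetry" if ev["name"].lower() in bg_hosts else "unattributed"
        out[cat].append(ev)
    return dict(out)


def needs_attention(events: List[dict]) -> Dict[str, List[str]]:
    """Unexplained requests, plus reverse-looked-up addresses with no matching
    forward answer or HTTP remote anywhere in the capture."""
    buckets = classify(events)
    return {
        "unattributed": [f'{e["kind"]}:{e.get("host", e.get("name"))}{e.get("path", "")}'
                         for e in buckets.get("unattributed", [])],
        "rdns_without_forward_evidence": sorted({e["ip"] for e in buckets.get("rdns", [])
                                                if e["ip"] and not e["ip_seen_elsewhere"]}),
    }


if __name__ == "__main__":
    for key, value in needs_attention(EVENTS).items():
        print(key, value)
```

The ip_seen_elsewhere flag separates reverse lookups that match a forward answer or HTTP remote already in the capture (204.79.197.237 and 23.62.61.187 here) from the eight addresses that have no such trace; those are worth cross-checking against the host's other connections before anything in this section is written up as an indicator.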