Analysis

  • max time kernel
    142s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
  • submitted
    08/05/2024, 21:32 UTC

General

  • Target

    $PLUGINSDIR/NSISdl.dll

  • Size

    14KB

  • MD5

    a5f8399a743ab7f9c88c645c35b1ebb5

  • SHA1

    168f3c158913b0367bf79fa413357fbe97018191

  • SHA256

    dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

  • SHA512

    824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

  • SSDEEP

    192:tUZTobBDJ68r67wmsvJI5ad9cXzFOVu+mZ/P3p+57CvpVqDxVp01Dwn2GRPgsfA:6Bo/680dCI5adOjFOg9//p27uNw2Go

Score
3/10

Malware Config

Signatures

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4136
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
      2⤵
        PID:3848
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 624
          3⤵
          • Program crash
          PID:1704
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3848 -ip 3848
      1⤵
        PID:1268
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4584 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:3952

        Network

        • flag-us
          DNS
          97.17.167.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          97.17.167.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          79.190.18.2.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          79.190.18.2.in-addr.arpa
          IN PTR
          Response
          79.190.18.2.in-addr.arpa
          IN PTR
          a2-18-190-79.deploy.static.akamaitechnologies.com
        • flag-us
          DNS
          74.32.126.40.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          74.32.126.40.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          133.211.185.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          133.211.185.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          chromewebstore.googleapis.com
          Remote address:
          8.8.8.8:53
          Request
          chromewebstore.googleapis.com
          IN A
          Response
          chromewebstore.googleapis.com
          IN A
          142.250.200.10
          chromewebstore.googleapis.com
          IN A
          142.250.200.42
          chromewebstore.googleapis.com
          IN A
          216.58.201.106
          chromewebstore.googleapis.com
          IN A
          216.58.204.74
          chromewebstore.googleapis.com
          IN A
          216.58.212.202
          chromewebstore.googleapis.com
          IN A
          216.58.212.234
          chromewebstore.googleapis.com
          IN A
          172.217.169.74
          chromewebstore.googleapis.com
          IN A
          142.250.179.234
          chromewebstore.googleapis.com
          IN A
          142.250.180.10
          chromewebstore.googleapis.com
          IN A
          142.250.187.202
          chromewebstore.googleapis.com
          IN A
          142.250.187.234
          chromewebstore.googleapis.com
          IN A
          142.250.178.10
          chromewebstore.googleapis.com
          IN A
          172.217.16.234
        • flag-us
          DNS
          chromewebstore.googleapis.com
          Remote address:
          8.8.8.8:53
          Request
          chromewebstore.googleapis.com
          IN Unknown
          Response
        • flag-us
          DNS
          pki.goog
          Remote address:
          8.8.8.8:53
          Request
          pki.goog
          IN A
          Response
          pki.goog
          IN A
          216.239.32.29
        • flag-us
          DNS
          pki.goog
          Remote address:
          8.8.8.8:53
          Request
          pki.goog
          IN Unknown
          Response
        • flag-us
          GET
          http://pki.goog/gsr1/gsr1.crt
          Remote address:
          216.239.32.29:80
          Request
          GET /gsr1/gsr1.crt HTTP/1.1
          Host: pki.goog
          Connection: keep-alive
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
          Accept-Encoding: gzip, deflate
          Accept-Language: en-US,en;q=0.9
          Response
          HTTP/1.1 200 OK
          Accept-Ranges: bytes
          Content-Encoding: gzip
          Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
          Cross-Origin-Resource-Policy: cross-origin
          Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
          Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
          Content-Length: 797
          X-Content-Type-Options: nosniff
          Server: sffe
          X-XSS-Protection: 0
          Date: Wed, 08 May 2024 21:03:54 GMT
          Expires: Wed, 08 May 2024 21:53:54 GMT
          Cache-Control: public, max-age=3000
          Age: 1736
          Last-Modified: Wed, 20 May 2020 16:45:00 GMT
          Content-Type: application/pkix-cert
          Vary: Accept-Encoding
        • flag-us
          GET
          http://pki.goog/repo/certs/gtsr1.der
          Remote address:
          216.239.32.29:80
          Request
          GET /repo/certs/gtsr1.der HTTP/1.1
          Host: pki.goog
          Connection: keep-alive
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
          Accept-Encoding: gzip, deflate
          Accept-Language: en-US,en;q=0.9
          Response
          HTTP/1.1 200 OK
          Accept-Ranges: bytes
          Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
          Cross-Origin-Resource-Policy: cross-origin
          Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
          Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
          Content-Length: 1371
          X-Content-Type-Options: nosniff
          Server: sffe
          X-XSS-Protection: 0
          Date: Wed, 08 May 2024 21:00:30 GMT
          Expires: Wed, 08 May 2024 21:50:30 GMT
          Cache-Control: public, max-age=3000
          Age: 1940
          Last-Modified: Sun, 25 Jun 2023 02:58:00 GMT
          Content-Type: application/pkix-cert
          Vary: Accept-Encoding
        • flag-us
          GET
          http://pki.goog/repo/certs/gts1c3.der
          Remote address:
          216.239.32.29:80
          Request
          GET /repo/certs/gts1c3.der HTTP/1.1
          Host: pki.goog
          Connection: keep-alive
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
          Accept-Encoding: gzip, deflate
          Accept-Language: en-US,en;q=0.9
          Response
          HTTP/1.1 200 OK
          Accept-Ranges: bytes
          Content-Encoding: gzip
          Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
          Cross-Origin-Resource-Policy: cross-origin
          Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
          Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
          Content-Length: 1304
          X-Content-Type-Options: nosniff
          Server: sffe
          X-XSS-Protection: 0
          Date: Wed, 08 May 2024 21:09:18 GMT
          Expires: Wed, 08 May 2024 21:59:18 GMT
          Cache-Control: public, max-age=3000
          Age: 1412
          Last-Modified: Mon, 17 Aug 2020 09:45:00 GMT
          Content-Type: application/pkix-cert
          Vary: Accept-Encoding
        • flag-us
          DNS
          10.200.250.142.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          10.200.250.142.in-addr.arpa
          IN PTR
          Response
          10.200.250.142.in-addr.arpa
          IN PTR
          lhr48s29-in-f10.1e100.net
        • flag-us
          DNS
          29.32.239.216.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          29.32.239.216.in-addr.arpa
          IN PTR
          Response
          29.32.239.216.in-addr.arpa
          IN PTR
          any-in-201d.1e100.net
        • flag-us
          DNS
          196.249.167.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          196.249.167.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          50.23.12.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          50.23.12.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          206.23.85.13.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          206.23.85.13.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          172.210.232.199.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          172.210.232.199.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          77.190.18.2.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          77.190.18.2.in-addr.arpa
          IN PTR
          Response
          77.190.18.2.in-addr.arpa
          IN PTR
          a2-18-190-77.deploy.static.akamaitechnologies.com
        • flag-us
          DNS
          30.243.111.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          30.243.111.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          201.64.52.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          201.64.52.20.in-addr.arpa
          IN PTR
          Response
        • 142.250.200.10:443
          chromewebstore.googleapis.com
          tls
          909 B
          5.2kB
          8
          8
        • 216.239.32.29:80
          http://pki.goog/repo/certs/gts1c3.der
          http
          1.3kB
          6.1kB
          10
          10

          HTTP Request

          GET http://pki.goog/gsr1/gsr1.crt

          HTTP Response

          200

          HTTP Request

          GET http://pki.goog/repo/certs/gtsr1.der

          HTTP Response

          200

          HTTP Request

          GET http://pki.goog/repo/certs/gts1c3.der

          HTTP Response

          200
        • 13.107.246.64:443
          46 B
          40 B
          1
          1
        • 8.8.8.8:53
          97.17.167.52.in-addr.arpa
          dns
          71 B
          145 B
          1
          1

          DNS Request

          97.17.167.52.in-addr.arpa

        • 8.8.8.8:53
          79.190.18.2.in-addr.arpa
          dns
          70 B
          133 B
          1
          1

          DNS Request

          79.190.18.2.in-addr.arpa

        • 8.8.8.8:53
          74.32.126.40.in-addr.arpa
          dns
          71 B
          157 B
          1
          1

          DNS Request

          74.32.126.40.in-addr.arpa

        • 8.8.8.8:53
          133.211.185.52.in-addr.arpa
          dns
          73 B
          147 B
          1
          1

          DNS Request

          133.211.185.52.in-addr.arpa

        • 8.8.8.8:53
          chromewebstore.googleapis.com
          dns
          75 B
          283 B
          1
          1

          DNS Request

          chromewebstore.googleapis.com

          DNS Response

          142.250.200.10
          142.250.200.42
          216.58.201.106
          216.58.204.74
          216.58.212.202
          216.58.212.234
          172.217.169.74
          142.250.179.234
          142.250.180.10
          142.250.187.202
          142.250.187.234
          142.250.178.10
          172.217.16.234

        • 8.8.8.8:53
          chromewebstore.googleapis.com
          dns
          75 B
          132 B
          1
          1

          DNS Request

          chromewebstore.googleapis.com

        • 8.8.8.8:53
          pki.goog
          dns
          54 B
          70 B
          1
          1

          DNS Request

          pki.goog

          DNS Response

          216.239.32.29

        • 8.8.8.8:53
          pki.goog
          dns
          54 B
          128 B
          1
          1

          DNS Request

          pki.goog

        • 8.8.8.8:53
          10.200.250.142.in-addr.arpa
          dns
          73 B
          112 B
          1
          1

          DNS Request

          10.200.250.142.in-addr.arpa

        • 8.8.8.8:53
          29.32.239.216.in-addr.arpa
          dns
          72 B
          107 B
          1
          1

          DNS Request

          29.32.239.216.in-addr.arpa

        • 8.8.8.8:53
          196.249.167.52.in-addr.arpa
          dns
          73 B
          147 B
          1
          1

          DNS Request

          196.249.167.52.in-addr.arpa

        • 8.8.8.8:53
          50.23.12.20.in-addr.arpa
          dns
          70 B
          156 B
          1
          1

          DNS Request

          50.23.12.20.in-addr.arpa

        • 8.8.8.8:53
          206.23.85.13.in-addr.arpa
          dns
          71 B
          145 B
          1
          1

          DNS Request

          206.23.85.13.in-addr.arpa

        • 8.8.8.8:53
          172.210.232.199.in-addr.arpa
          dns
          74 B
          128 B
          1
          1

          DNS Request

          172.210.232.199.in-addr.arpa

        • 8.8.8.8:53
          77.190.18.2.in-addr.arpa
          dns
          70 B
          133 B
          1
          1

          DNS Request

          77.190.18.2.in-addr.arpa

        • 8.8.8.8:53
          30.243.111.52.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          30.243.111.52.in-addr.arpa

        • 8.8.8.8:53
          201.64.52.20.in-addr.arpa
          dns
          71 B
          157 B
          1
          1

          DNS Request

          201.64.52.20.in-addr.arpa

        MITRE ATT&CK Matrix
