Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

29509d8869...18.exe

windows7-x64

7

29509d8869...18.exe

windows10-2004-x64

7

$PLUGINSDI...LL.dll

windows7-x64

3

$PLUGINSDI...LL.dll

windows10-2004-x64

3

$PLUGINSDI...wc.dll

windows7-x64

3

$PLUGINSDI...wc.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    91s
  • max time network
    92s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/05/2024, 09:25 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    $PLUGINSDIR/ZipDLL.dll

  • Size

    163KB

  • MD5

    2dc35ddcabcb2b24919b9afae4ec3091

  • SHA1

    9eeed33c3abc656353a7ebd1c66af38cccadd939

  • SHA256

    6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

  • SHA512

    0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

  • SSDEEP

    3072:8CkSJJ30k1pn2T4ISnUGN+E8KnCOxA17jxLmRtWHyPDQFllOdJiSg:tkSJy+c30UxbKnA1hLKWSVdk

Score
3/10

Malware Config

Signatures

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ZipDLL.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1360
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ZipDLL.dll,#1
      2⤵
        PID:3412
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 600
          3⤵
          • Program crash
          PID:4968
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3412 -ip 3412
      1⤵
        PID:932

      Network

      • flag-us
        DNS
        g.bing.com
        Remote address:
        8.8.8.8:53
        Request
        g.bing.com
        IN A
        Response
        g.bing.com
        IN CNAME
        g-bing-com.dual-a-0034.a-msedge.net
        g-bing-com.dual-a-0034.a-msedge.net
        IN CNAME
        dual-a-0034.a-msedge.net
        dual-a-0034.a-msedge.net
        IN A
        204.79.197.237
        dual-a-0034.a-msedge.net
        IN A
        13.107.21.237
      • flag-us
        GET
        https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8QCpwGoL7Ax0H2AqVwZ-6fzVUCUznWyM9ADww0j10NOlvfCc2EM3HhZZ7VmQ-ofuw9s_8hSXFkINdMpWZO5VPzByklFF6e79JN6GwfI0O_7xqx4gCfeZdrZi3QblV1I9uj_ZryHX7iWQunM8BVjM8csb_6yrr94ItiuP09u7lTyetNsIf%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dbe6ad905af2710b1346cbf3ecfbdd33a&TIME=20240508T112335Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB
        Remote address:
        204.79.197.237:443
        Request
        GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8QCpwGoL7Ax0H2AqVwZ-6fzVUCUznWyM9ADww0j10NOlvfCc2EM3HhZZ7VmQ-ofuw9s_8hSXFkINdMpWZO5VPzByklFF6e79JN6GwfI0O_7xqx4gCfeZdrZi3QblV1I9uj_ZryHX7iWQunM8BVjM8csb_6yrr94ItiuP09u7lTyetNsIf%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dbe6ad905af2710b1346cbf3ecfbdd33a&TIME=20240508T112335Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        set-cookie: MUID=20459700CDD0636A17A8837ACC6B62BF; domain=.bing.com; expires=Tue, 03-Jun-2025 09:25:11 GMT; path=/; SameSite=None; Secure; Priority=High;
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 9EAC2722B9C94D5F803768994F0509AD Ref B: LON04EDGE0918 Ref C: 2024-05-09T09:25:11Z
        date: Thu, 09 May 2024 09:25:11 GMT
      • flag-us
        GET
        https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8QCpwGoL7Ax0H2AqVwZ-6fzVUCUznWyM9ADww0j10NOlvfCc2EM3HhZZ7VmQ-ofuw9s_8hSXFkINdMpWZO5VPzByklFF6e79JN6GwfI0O_7xqx4gCfeZdrZi3QblV1I9uj_ZryHX7iWQunM8BVjM8csb_6yrr94ItiuP09u7lTyetNsIf%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dbe6ad905af2710b1346cbf3ecfbdd33a&TIME=20240508T112335Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB
        Remote address:
        204.79.197.237:443
        Request
        GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8QCpwGoL7Ax0H2AqVwZ-6fzVUCUznWyM9ADww0j10NOlvfCc2EM3HhZZ7VmQ-ofuw9s_8hSXFkINdMpWZO5VPzByklFF6e79JN6GwfI0O_7xqx4gCfeZdrZi3QblV1I9uj_ZryHX7iWQunM8BVjM8csb_6yrr94ItiuP09u7lTyetNsIf%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dbe6ad905af2710b1346cbf3ecfbdd33a&TIME=20240508T112335Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        cookie: MUID=20459700CDD0636A17A8837ACC6B62BF; _EDGE_S=SID=30513CEA4D0764A0329528904C4F653D
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        set-cookie: MSPTC=zDsqmo0MFrF3791kgIZzO0Mwp34PNmfnKafLHRwx46U; domain=.bing.com; expires=Tue, 03-Jun-2025 09:25:11 GMT; path=/; Partitioned; secure; SameSite=None
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 9BE45283624A46B286C90E01AC0C6A8B Ref B: LON04EDGE0918 Ref C: 2024-05-09T09:25:11Z
        date: Thu, 09 May 2024 09:25:11 GMT
      • flag-be
        GET
        https://www.bing.com/aes/c.gif?RG=ce39d1eab14f444ab5f6c56e53ae605e&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T112335Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981
        Remote address:
        88.221.83.195:443
        Request
        GET /aes/c.gif?RG=ce39d1eab14f444ab5f6c56e53ae605e&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T112335Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981 HTTP/2.0
        host: www.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        cookie: MUID=20459700CDD0636A17A8837ACC6B62BF
        Response
        HTTP/2.0 200
        cache-control: private,no-store
        pragma: no-cache
        vary: Origin
        p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: B846C6FCDAE64553AC92A49CCD9AE533 Ref B: BRU30EDGE0912 Ref C: 2024-05-09T09:25:11Z
        content-length: 0
        date: Thu, 09 May 2024 09:25:11 GMT
        set-cookie: _EDGE_S=SID=30513CEA4D0764A0329528904C4F653D; path=/; httponly; domain=bing.com
        set-cookie: MUIDB=20459700CDD0636A17A8837ACC6B62BF; path=/; httponly; expires=Tue, 03-Jun-2025 09:25:11 GMT
        alt-svc: h3=":443"; ma=93600
        x-cdn-traceid: 0.bf53dd58.1715246711.aff9f0f
      • flag-be
        GET
        https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
        Remote address:
        88.221.83.195:443
        Request
        GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
        host: www.bing.com
        accept: */*
        cookie: MUID=20459700CDD0636A17A8837ACC6B62BF; _EDGE_S=SID=30513CEA4D0764A0329528904C4F653D; MSPTC=zDsqmo0MFrF3791kgIZzO0Mwp34PNmfnKafLHRwx46U; MUIDB=20459700CDD0636A17A8837ACC6B62BF
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-type: image/png
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        content-length: 1107
        date: Thu, 09 May 2024 09:25:12 GMT
        alt-svc: h3=":443"; ma=93600
        x-cdn-traceid: 0.bf53dd58.1715246712.affa0f1
      • flag-us
        DNS
        8.8.8.8.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        8.8.8.8.in-addr.arpa
        IN PTR
        Response
        8.8.8.8.in-addr.arpa
        IN PTR
        dnsgoogle
      • flag-us
        DNS
        2.159.190.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        2.159.190.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        237.197.79.204.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        237.197.79.204.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        195.83.221.88.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        195.83.221.88.in-addr.arpa
        IN PTR
        Response
        195.83.221.88.in-addr.arpa
        IN PTR
        a88-221-83-195deploystaticakamaitechnologiescom
      • flag-us
        DNS
        50.23.12.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        50.23.12.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        171.39.242.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        171.39.242.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        172.210.232.199.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        172.210.232.199.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        79.190.18.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        79.190.18.2.in-addr.arpa
        IN PTR
        Response
        79.190.18.2.in-addr.arpa
        IN PTR
        a2-18-190-79deploystaticakamaitechnologiescom
      • 204.79.197.237:443
        https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8QCpwGoL7Ax0H2AqVwZ-6fzVUCUznWyM9ADww0j10NOlvfCc2EM3HhZZ7VmQ-ofuw9s_8hSXFkINdMpWZO5VPzByklFF6e79JN6GwfI0O_7xqx4gCfeZdrZi3QblV1I9uj_ZryHX7iWQunM8BVjM8csb_6yrr94ItiuP09u7lTyetNsIf%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dbe6ad905af2710b1346cbf3ecfbdd33a&TIME=20240508T112335Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB
        tls, http2
        2.5kB
         9.0kB
         19
        16

        HTTP Request

        GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8QCpwGoL7Ax0H2AqVwZ-6fzVUCUznWyM9ADww0j10NOlvfCc2EM3HhZZ7VmQ-ofuw9s_8hSXFkINdMpWZO5VPzByklFF6e79JN6GwfI0O_7xqx4gCfeZdrZi3QblV1I9uj_ZryHX7iWQunM8BVjM8csb_6yrr94ItiuP09u7lTyetNsIf%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dbe6ad905af2710b1346cbf3ecfbdd33a&TIME=20240508T112335Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB

        HTTP Response

        204

        HTTP Request

        GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8QCpwGoL7Ax0H2AqVwZ-6fzVUCUznWyM9ADww0j10NOlvfCc2EM3HhZZ7VmQ-ofuw9s_8hSXFkINdMpWZO5VPzByklFF6e79JN6GwfI0O_7xqx4gCfeZdrZi3QblV1I9uj_ZryHX7iWQunM8BVjM8csb_6yrr94ItiuP09u7lTyetNsIf%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dbe6ad905af2710b1346cbf3ecfbdd33a&TIME=20240508T112335Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB

        HTTP Response

        204
      • 88.221.83.195:443
        https://www.bing.com/aes/c.gif?RG=ce39d1eab14f444ab5f6c56e53ae605e&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T112335Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981
        tls, http2
        1.4kB
         5.3kB
         16
        11

        HTTP Request

        GET https://www.bing.com/aes/c.gif?RG=ce39d1eab14f444ab5f6c56e53ae605e&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T112335Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981

        HTTP Response

        200
      • 88.221.83.195:443
        https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
        tls, http2
        1.6kB
         6.4kB
         17
        12

        HTTP Request

        GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

        HTTP Response

        200
      • 8.8.8.8:53
        g.bing.com
        dns
        56 B
         151 B
         1
        1

        DNS Request

        g.bing.com

        DNS Response

        204.79.197.237
        13.107.21.237

      • 8.8.8.8:53
        8.8.8.8.in-addr.arpa
        dns
        66 B
         90 B
         1
        1

        DNS Request

        8.8.8.8.in-addr.arpa

      • 8.8.8.8:53
        2.159.190.20.in-addr.arpa
        dns
        71 B
         157 B
         1
        1

        DNS Request

        2.159.190.20.in-addr.arpa

      • 8.8.8.8:53
        237.197.79.204.in-addr.arpa
        dns
        73 B
         143 B
         1
        1

        DNS Request

        237.197.79.204.in-addr.arpa

      • 8.8.8.8:53
        195.83.221.88.in-addr.arpa
        dns
        72 B
         137 B
         1
        1

        DNS Request

        195.83.221.88.in-addr.arpa

      • 8.8.8.8:53
        50.23.12.20.in-addr.arpa
        dns
        70 B
         156 B
         1
        1

        DNS Request

        50.23.12.20.in-addr.arpa

      • 8.8.8.8:53
        171.39.242.20.in-addr.arpa
        dns
        72 B
         158 B
         1
        1

        DNS Request

        171.39.242.20.in-addr.arpa

      • 8.8.8.8:53
        172.210.232.199.in-addr.arpa
        dns
        74 B
         128 B
         1
        1

        DNS Request

        172.210.232.199.in-addr.arpa

      • 8.8.8.8:53
        79.190.18.2.in-addr.arpa
        dns
        70 B
         133 B
         1
        1

        DNS Request

        79.190.18.2.in-addr.arpa

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.