Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
146s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
10/05/2024, 23:48
Static task
static1
Behavioral task
behavioral1
Sample
8bca905961c18b34b9b567083dc243c9024c2767cf2057656b91335f09ed4256.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
8bca905961c18b34b9b567083dc243c9024c2767cf2057656b91335f09ed4256.exe
Resource
win10v2004-20240426-en
General
-
Target
8bca905961c18b34b9b567083dc243c9024c2767cf2057656b91335f09ed4256.exe
-
Size
86KB
-
MD5
7202600ab0929595c6fb059f6a353466
-
SHA1
1afc916bc125ff8c779419b6f8642f9879a85182
-
SHA256
8bca905961c18b34b9b567083dc243c9024c2767cf2057656b91335f09ed4256
-
SHA512
25474643e00c4607b8c1fe24c153568613308273165a83e7c8d988df5f393fee1515c24efbac86692e9c90d0f603a886afe8a0bfae827939be7838abf024e821
-
SSDEEP
1536:8gDktLw4rO10tMrlk3SJDlf98jqP+8il3CxOeZIckWlmypn:uLRrO10TiJD9yjqrilyxOuPpn
Malware Config
Signatures
-
Detects executables containing base64 encoded User Agent 3 IoCs
resource yara_rule behavioral2/memory/3116-11-0x0000000010000000-0x0000000010023000-memory.dmp INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent behavioral2/memory/3116-13-0x0000000010000000-0x0000000010023000-memory.dmp INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent behavioral2/memory/3116-15-0x0000000010000000-0x0000000010023000-memory.dmp INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent -
Blocklisted process makes network request 3 IoCs
flow pid Process 26 3116 rundll32.exe 27 3116 rundll32.exe 36 3116 rundll32.exe -
Deletes itself 1 IoCs
pid Process 1992 izkhj.exe -
Executes dropped EXE 1 IoCs
pid Process 1992 izkhj.exe -
Loads dropped DLL 1 IoCs
pid Process 3116 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\xisdjsgii\\ugzdzwzo.dll\",QueryPluginInterface" rundll32.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\m: rundll32.exe File opened (read-only) \??\n: rundll32.exe File opened (read-only) \??\p: rundll32.exe File opened (read-only) \??\r: rundll32.exe File opened (read-only) \??\a: rundll32.exe File opened (read-only) \??\b: rundll32.exe File opened (read-only) \??\g: rundll32.exe File opened (read-only) \??\l: rundll32.exe File opened (read-only) \??\x: rundll32.exe File opened (read-only) \??\e: rundll32.exe File opened (read-only) \??\h: rundll32.exe File opened (read-only) \??\q: rundll32.exe File opened (read-only) \??\y: rundll32.exe File opened (read-only) \??\v: rundll32.exe File opened (read-only) \??\w: rundll32.exe File opened (read-only) \??\z: rundll32.exe File opened (read-only) \??\k: rundll32.exe File opened (read-only) \??\o: rundll32.exe File opened (read-only) \??\t: rundll32.exe File opened (read-only) \??\u: rundll32.exe File opened (read-only) \??\i: rundll32.exe File opened (read-only) \??\j: rundll32.exe File opened (read-only) \??\s: rundll32.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 rundll32.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 5060 PING.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3116 rundll32.exe 3116 rundll32.exe 3116 rundll32.exe 3116 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3116 rundll32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 880 8bca905961c18b34b9b567083dc243c9024c2767cf2057656b91335f09ed4256.exe 1992 izkhj.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 880 wrote to memory of 1484 880 8bca905961c18b34b9b567083dc243c9024c2767cf2057656b91335f09ed4256.exe 83 PID 880 wrote to memory of 1484 880 8bca905961c18b34b9b567083dc243c9024c2767cf2057656b91335f09ed4256.exe 83 PID 880 wrote to memory of 1484 880 8bca905961c18b34b9b567083dc243c9024c2767cf2057656b91335f09ed4256.exe 83 PID 1484 wrote to memory of 5060 1484 cmd.exe 86 PID 1484 wrote to memory of 5060 1484 cmd.exe 86 PID 1484 wrote to memory of 5060 1484 cmd.exe 86 PID 1484 wrote to memory of 1992 1484 cmd.exe 89 PID 1484 wrote to memory of 1992 1484 cmd.exe 89 PID 1484 wrote to memory of 1992 1484 cmd.exe 89 PID 1992 wrote to memory of 3116 1992 izkhj.exe 90 PID 1992 wrote to memory of 3116 1992 izkhj.exe 90 PID 1992 wrote to memory of 3116 1992 izkhj.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\8bca905961c18b34b9b567083dc243c9024c2767cf2057656b91335f09ed4256.exe"C:\Users\Admin\AppData\Local\Temp\8bca905961c18b34b9b567083dc243c9024c2767cf2057656b91335f09ed4256.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\izkhj.exe "C:\Users\Admin\AppData\Local\Temp\8bca905961c18b34b9b567083dc243c9024c2767cf2057656b91335f09ed4256.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- Runs ping.exe
PID:5060
-
-
C:\Users\Admin\AppData\Local\Temp\izkhj.exeC:\Users\Admin\AppData\Local\Temp\\izkhj.exe "C:\Users\Admin\AppData\Local\Temp\8bca905961c18b34b9b567083dc243c9024c2767cf2057656b91335f09ed4256.exe"3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.exe "c:\xisdjsgii\ugzdzwzo.dll",QueryPluginInterface C:\Users\Admin\AppData\Local\Temp\izkhj.exe4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3116
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
86KB
MD5933de0d6636c9ed607f31c1bf8ddc163
SHA13c017b8bc46bef83030aca371e8431337948d662
SHA2567e891eebcc951444907ac1f7d6af33341ed18212c369d5ec1703196fee6a4940
SHA5125cd1b92e5d13f7ec5f02a18371bacbd5e7f592f65ac447df29b528e85abaf749d9c6f397ce58671b609bc18319bc52d767bf76ef344dfc72fcf7ee5ad0481b73
-
Filesize
44KB
MD50f12a7d509b2c9bb9b4cd6d8a0325e86
SHA1f5fb59ad4f0633d115b06f35a2dc161dc4367157
SHA2569111c1eb1f0b59dcd49cfd5a0abc0ba100ac59a3bcae8623ff091dfdc46fed3c
SHA512e3c84a643ff0a2627daba8a056221985a472aaf07bade61b3e9459db4bfc8792c1347606911e3fcc01581508004b18b5435bcccd5e7617cc6d091f37a5f42e7f