Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
11/05/2024, 00:16
Static task
static1
Behavioral task
behavioral1
Sample
8bca905961c18b34b9b567083dc243c9024c2767cf2057656b91335f09ed4256.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
8bca905961c18b34b9b567083dc243c9024c2767cf2057656b91335f09ed4256.exe
Resource
win10v2004-20240508-en
General
-
Target
8bca905961c18b34b9b567083dc243c9024c2767cf2057656b91335f09ed4256.exe
-
Size
86KB
-
MD5
7202600ab0929595c6fb059f6a353466
-
SHA1
1afc916bc125ff8c779419b6f8642f9879a85182
-
SHA256
8bca905961c18b34b9b567083dc243c9024c2767cf2057656b91335f09ed4256
-
SHA512
25474643e00c4607b8c1fe24c153568613308273165a83e7c8d988df5f393fee1515c24efbac86692e9c90d0f603a886afe8a0bfae827939be7838abf024e821
-
SSDEEP
1536:8gDktLw4rO10tMrlk3SJDlf98jqP+8il3CxOeZIckWlmypn:uLRrO10TiJD9yjqrilyxOuPpn
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
flow pid Process 18 1004 rundll32.exe 19 1004 rundll32.exe 25 1004 rundll32.exe -
Deletes itself 1 IoCs
pid Process 4828 rcyia.exe -
Executes dropped EXE 1 IoCs
pid Process 4828 rcyia.exe -
Loads dropped DLL 1 IoCs
pid Process 1004 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\fudki\\rppmm.dll\",QueryPluginInterface" rundll32.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\i: rundll32.exe File opened (read-only) \??\k: rundll32.exe File opened (read-only) \??\m: rundll32.exe File opened (read-only) \??\o: rundll32.exe File opened (read-only) \??\p: rundll32.exe File opened (read-only) \??\b: rundll32.exe File opened (read-only) \??\e: rundll32.exe File opened (read-only) \??\g: rundll32.exe File opened (read-only) \??\r: rundll32.exe File opened (read-only) \??\w: rundll32.exe File opened (read-only) \??\a: rundll32.exe File opened (read-only) \??\l: rundll32.exe File opened (read-only) \??\s: rundll32.exe File opened (read-only) \??\y: rundll32.exe File opened (read-only) \??\z: rundll32.exe File opened (read-only) \??\h: rundll32.exe File opened (read-only) \??\j: rundll32.exe File opened (read-only) \??\u: rundll32.exe File opened (read-only) \??\v: rundll32.exe File opened (read-only) \??\x: rundll32.exe File opened (read-only) \??\n: rundll32.exe File opened (read-only) \??\q: rundll32.exe File opened (read-only) \??\t: rundll32.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 rundll32.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 5052 PING.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1004 rundll32.exe 1004 rundll32.exe 1004 rundll32.exe 1004 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1004 rundll32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 4012 8bca905961c18b34b9b567083dc243c9024c2767cf2057656b91335f09ed4256.exe 4828 rcyia.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 4012 wrote to memory of 3824 4012 8bca905961c18b34b9b567083dc243c9024c2767cf2057656b91335f09ed4256.exe 83 PID 4012 wrote to memory of 3824 4012 8bca905961c18b34b9b567083dc243c9024c2767cf2057656b91335f09ed4256.exe 83 PID 4012 wrote to memory of 3824 4012 8bca905961c18b34b9b567083dc243c9024c2767cf2057656b91335f09ed4256.exe 83 PID 3824 wrote to memory of 5052 3824 cmd.exe 86 PID 3824 wrote to memory of 5052 3824 cmd.exe 86 PID 3824 wrote to memory of 5052 3824 cmd.exe 86 PID 3824 wrote to memory of 4828 3824 cmd.exe 89 PID 3824 wrote to memory of 4828 3824 cmd.exe 89 PID 3824 wrote to memory of 4828 3824 cmd.exe 89 PID 4828 wrote to memory of 1004 4828 rcyia.exe 90 PID 4828 wrote to memory of 1004 4828 rcyia.exe 90 PID 4828 wrote to memory of 1004 4828 rcyia.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\8bca905961c18b34b9b567083dc243c9024c2767cf2057656b91335f09ed4256.exe"C:\Users\Admin\AppData\Local\Temp\8bca905961c18b34b9b567083dc243c9024c2767cf2057656b91335f09ed4256.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4012 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\rcyia.exe "C:\Users\Admin\AppData\Local\Temp\8bca905961c18b34b9b567083dc243c9024c2767cf2057656b91335f09ed4256.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:3824 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- Runs ping.exe
PID:5052
-
-
C:\Users\Admin\AppData\Local\Temp\rcyia.exeC:\Users\Admin\AppData\Local\Temp\\rcyia.exe "C:\Users\Admin\AppData\Local\Temp\8bca905961c18b34b9b567083dc243c9024c2767cf2057656b91335f09ed4256.exe"3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.exe "c:\fudki\rppmm.dll",QueryPluginInterface C:\Users\Admin\AppData\Local\Temp\rcyia.exe4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1004
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
86KB
MD564bff9abcaa73d1841aaa7bf7ba7686c
SHA177e6819632a69adafe80fd76094e0ef057072c0c
SHA2563ecfd0199faeb405dd40613c8da99006d411a220aa8a386555b73a7c4de074ed
SHA51208463043f60f5afa8c89cc7d7fdbd0b05b3b288dd9c6e58f798b85b8832c8b4339f0d8557ab6f993787cfd4caae79240b7abcdb652319e35d757e30d67a70932
-
Filesize
44KB
MD50f12a7d509b2c9bb9b4cd6d8a0325e86
SHA1f5fb59ad4f0633d115b06f35a2dc161dc4367157
SHA2569111c1eb1f0b59dcd49cfd5a0abc0ba100ac59a3bcae8623ff091dfdc46fed3c
SHA512e3c84a643ff0a2627daba8a056221985a472aaf07bade61b3e9459db4bfc8792c1347606911e3fcc01581508004b18b5435bcccd5e7617cc6d091f37a5f42e7f