Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

4ba112cc4c...6b.dll

windows7-x64

7

4ba112cc4c...6b.dll

windows10-2004-x64

6

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    01/06/2024, 21:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4ba112cc4ce872bdfa046d4ceccb7ed9f44d701505bb2b41a3a5428a231c396b.dll

  • Size

    1.1MB

  • MD5

    4ed6c48e50b91d3c6993889d7722eee9

  • SHA1

    2128dfcda57a5a4743db141beddd415612a15dc8

  • SHA256

    4ba112cc4ce872bdfa046d4ceccb7ed9f44d701505bb2b41a3a5428a231c396b

  • SHA512

    f605539e9dab2779405c9296dae164d9e90e151ce56e60e5fc49228d2510b1a7d15885cff13f3ac64ab566445f912aab455b5483900195f835e10735dc591929

  • SSDEEP

    6144:Ci05kH9OyU2uv5SRf/FWgFgtBgqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukT4:trHGPv5Smpt6DmUWuVZkxikdXcq

Score
7/10
persistence

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\4ba112cc4ce872bdfa046d4ceccb7ed9f44d701505bb2b41a3a5428a231c396b.dll,#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1620
  • C:\Windows\system32\vds.exe
    C:\Windows\system32\vds.exe
    1⤵
      PID:2692
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\RQGXn.cmd
      1⤵
        PID:2380
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{eb3fdd8c-c4d0-a1e3-7171-c34cc90f52e3}"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:2332
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{eb3fdd8c-c4d0-a1e3-7171-c34cc90f52e3}"
          2⤵
            PID:2888
        • C:\Windows\system32\dpapimig.exe
          C:\Windows\system32\dpapimig.exe
          1⤵
            PID:856
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\bEtW.cmd
            1⤵
            • Drops file in System32 directory
            PID:2672
          • C:\Windows\System32\eventvwr.exe
            "C:\Windows\System32\eventvwr.exe"
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:1444
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\98t1.cmd
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:2340
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /Create /F /TN "Kbysivkqsduf" /SC minute /MO 60 /TR "C:\Windows\system32\3430\dpapimig.exe" /RL highest
                3⤵
                • Creates scheduled task(s)
                PID:1840

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\98t1.cmd
            Filesize

            131B

            MD5

            1513895775be245ea43f7d480832392e

            SHA1

            ab19a939d98ffb403e1e8d39485a0cd08e2c1348

            SHA256

            fee3ce495cb5129f287a5f3570c41442a64abe4182a65a176b0f287ec0110bc9

            SHA512

            e3a545b64d859bdb9dec1e4b2b7591f8d7dff690d6b3ad6743a665dc15f692764d593ec31a4952ce4a1c0cf907521e179fc9c003e70e4986982ffc9f2ee1ca4e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\B2897.tmp
            Filesize

            1.3MB

            MD5

            f89c957c24c37486af3f3b0b327c23ff

            SHA1

            873f0636d0aa25bee4533dc1534ad7689ed002c2

            SHA256

            2a0f2e5114710da435f3d7e658132033486f76b01a1cab32eaca7a83fca7c59f

            SHA512

            69d3808c64393bbcbfea7654013ada943ada52854058e3b843195863d34b879b54fdf75e6d33e982a78a2b3195654a735a51a5c18951c77db32212e3904aae68

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\RQGXn.cmd
            Filesize

            228B

            MD5

            2a4b2a46d7911378bd10171d1ded5fbd

            SHA1

            ee938f5088efa11b3b3754a313b27cb97361deb3

            SHA256

            5677b56a389cb2c5075739d678ce9cc5a12de5f94a4a5404011e1e9284f33149

            SHA512

            5ea9536cc9bcf92fdfd69a9b64d04fcb1eca31d099d2ef321fd7a81618de3aade069496a24c46ca92e879cf61d78a475f8b3458bc3311d1e8f572213b2c6aae5

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\bEtW.cmd
            Filesize

            191B

            MD5

            1c5b5075d4104493a422b0fa42b2aefa

            SHA1

            d3f41e63c16d1fa9a8a2aa09a7a9ed3be3cc1ce0

            SHA256

            596ce3c2bfcb1c995c2d873f5726205f82f3e2dc1fe52b5dcf6b5db1638ff3d3

            SHA512

            258ae90571f3bf79d41f3e207a02d3abebb314676c06de597f2898053b4de88235859115fec8f5b450dfcf5bdcf9d2f727ba7f8f6edd27d7cd20df43dbd49ddb

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\lUS205C.tmp
            Filesize

            1.1MB

            MD5

            0c7e7d9c292f4a3cca5ebaf658fd3942

            SHA1

            11ae1318eb85b613d5d68b8784ce3fcba8019156

            SHA256

            3a9869b84f1010717a43b2da2a7aea5ae12f6ea43ab26082a8f126487dd3b64c

            SHA512

            d2c3773e949edbed6ec649998266849ace9af97c971e7928fb348b2361ccc067ece01c4c0ae8f3162ddf92d38128887cb7bf0b0c730969ad2576b0b406eb46a6

            Download Submit

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ydmmtcuy.lnk
            Filesize

            864B

            MD5

            0978c1a8bbbca806223fd5d49871f369

            SHA1

            9d041e82147fb49436d70d086abc6a0d49a23b45

            SHA256

            6af876c1231c3b04c57b0c6175c82ad6e986184d36ae16038207dfa13beada54

            SHA512

            ea93ea2f4a1da4d88022ab5ab39aab87270a996d1fd01b012596fc45ab49eba3ede250c852f93d739f2d4f57c0682baede72f36a5adf15f4a4c4b18eb0db7190

            Download Submit

          • C:\Users\Admin\AppData\Roaming\stURfYx\vds.exe
            Filesize

            521KB

            MD5

            8d6b481601d01a456e75c3210f1830be

            SHA1

            3b513b3cf3ed7b5bc248403a87d0ab9322af8213

            SHA256

            a2cef483f4231367138eef7e67fd5be5364fc0780c44ca1368e36ce4aa3d0633

            SHA512

            e5f00449313b8be6dbdb313211a7970e0a4dc1be9a9fbb921ef1047eb9ce46b6c6bddd1e40a792af09616c095dd7685dd6ac21c9d340cbbce99d87e77fb68a81

            Download Submit

          • memory/1136-23-0x0000000140000000-0x000000014010E000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1136-19-0x0000000140000000-0x000000014010E000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1136-9-0x0000000140000000-0x000000014010E000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1136-11-0x0000000140000000-0x000000014010E000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1136-12-0x0000000140000000-0x000000014010E000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1136-26-0x0000000140000000-0x000000014010E000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1136-14-0x0000000140000000-0x000000014010E000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1136-16-0x0000000140000000-0x000000014010E000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1136-28-0x0000000002D50000-0x0000000002D57000-memory.dmp

            Filesize

            28KB

            Download

          • memory/1136-35-0x0000000140000000-0x000000014010E000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1136-27-0x0000000140000000-0x000000014010E000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1136-25-0x0000000140000000-0x000000014010E000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1136-24-0x0000000140000000-0x000000014010E000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1136-96-0x0000000076D76000-0x0000000076D77000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1136-22-0x0000000140000000-0x000000014010E000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1136-21-0x0000000140000000-0x000000014010E000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1136-20-0x0000000140000000-0x000000014010E000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1136-10-0x0000000140000000-0x000000014010E000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1136-18-0x0000000140000000-0x000000014010E000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1136-15-0x0000000140000000-0x000000014010E000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1136-13-0x0000000140000000-0x000000014010E000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1136-36-0x0000000076F81000-0x0000000076F82000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1136-46-0x0000000140000000-0x000000014010E000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1136-50-0x00000000770E0000-0x00000000770E2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1136-51-0x0000000140000000-0x000000014010E000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1136-17-0x0000000140000000-0x000000014010E000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1136-8-0x0000000140000000-0x000000014010E000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1136-7-0x0000000140000000-0x000000014010E000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1136-3-0x0000000076D76000-0x0000000076D77000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1136-4-0x0000000002D70000-0x0000000002D71000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1620-6-0x0000000140000000-0x000000014010E000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1620-2-0x0000000000110000-0x0000000000117000-memory.dmp

            Filesize

            28KB

            Download

          • memory/1620-0-0x0000000140000000-0x000000014010E000-memory.dmp

            Filesize

            1.1MB

            Download