Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

4ba112cc4c...6b.dll

windows7-x64

7

4ba112cc4c...6b.dll

windows10-2004-x64

6

Analysis

  • max time kernel
    149s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/06/2024, 21:06 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4ba112cc4ce872bdfa046d4ceccb7ed9f44d701505bb2b41a3a5428a231c396b.dll

  • Size

    1.1MB

  • MD5

    4ed6c48e50b91d3c6993889d7722eee9

  • SHA1

    2128dfcda57a5a4743db141beddd415612a15dc8

  • SHA256

    4ba112cc4ce872bdfa046d4ceccb7ed9f44d701505bb2b41a3a5428a231c396b

  • SHA512

    f605539e9dab2779405c9296dae164d9e90e151ce56e60e5fc49228d2510b1a7d15885cff13f3ac64ab566445f912aab455b5483900195f835e10735dc591929

  • SSDEEP

    6144:Ci05kH9OyU2uv5SRf/FWgFgtBgqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukT4:trHGPv5Smpt6DmUWuVZkxikdXcq

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\4ba112cc4ce872bdfa046d4ceccb7ed9f44d701505bb2b41a3a5428a231c396b.dll,#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1760
  • C:\Windows\system32\PrintBrmUi.exe
    C:\Windows\system32\PrintBrmUi.exe
    1⤵
      PID:4184
    • C:\Windows\system32\MicrosoftEdgeSH.exe
      C:\Windows\system32\MicrosoftEdgeSH.exe
      1⤵
        PID:4120
      • C:\Windows\system32\fixmapi.exe
        C:\Windows\system32\fixmapi.exe
        1⤵
          PID:4504
        • C:\Windows\system32\AppHostRegistrationVerifier.exe
          C:\Windows\system32\AppHostRegistrationVerifier.exe
          1⤵
            PID:3508
          • C:\Windows\system32\newdev.exe
            C:\Windows\system32\newdev.exe
            1⤵
              PID:4716
            • C:\Windows\system32\MicrosoftEdgeCP.exe
              C:\Windows\system32\MicrosoftEdgeCP.exe
              1⤵
                PID:3532
              • C:\Windows\system32\PresentationHost.exe
                C:\Windows\system32\PresentationHost.exe
                1⤵
                  PID:4004
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\xlL2A.cmd
                  1⤵
                    PID:3896
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{5ad6d10e-57ab-26f6-20b7-72f3d4024a3d}"
                    1⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4616
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{5ad6d10e-57ab-26f6-20b7-72f3d4024a3d}"
                      2⤵
                        PID:2184
                    • C:\Windows\system32\LogonUI.exe
                      C:\Windows\system32\LogonUI.exe
                      1⤵
                        PID:868
                      • C:\Windows\system32\rekeywiz.exe
                        C:\Windows\system32\rekeywiz.exe
                        1⤵
                          PID:4828
                        • C:\Windows\system32\dllhost.exe
                          C:\Windows\system32\dllhost.exe
                          1⤵
                            PID:1912
                          • C:\Windows\system32\MultiDigiMon.exe
                            C:\Windows\system32\MultiDigiMon.exe
                            1⤵
                              PID:2988
                            • C:\Windows\system32\baaupdate.exe
                              C:\Windows\system32\baaupdate.exe
                              1⤵
                                PID:1120
                              • C:\Windows\system32\VSSVC.exe
                                C:\Windows\system32\VSSVC.exe
                                1⤵
                                  PID:1104
                                • C:\Windows\system32\RdpSa.exe
                                  C:\Windows\system32\RdpSa.exe
                                  1⤵
                                    PID:3456
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\GmZd1h1.cmd
                                    1⤵
                                    • Drops file in System32 directory
                                    PID:1220
                                  • C:\Windows\System32\fodhelper.exe
                                    "C:\Windows\System32\fodhelper.exe"
                                    1⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:1780
                                    • C:\Windows\system32\cmd.exe
                                      "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\8m1QWvb.cmd
                                      2⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:2712
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /Create /F /TN "Hukrqpujurvgmz" /SC minute /MO 60 /TR "C:\Windows\system32\2458\RdpSa.exe" /RL highest
                                        3⤵
                                        • Creates scheduled task(s)
                                        PID:4056

                                  Network

                                  • flag-us
                                    DNS
                                    241.150.49.20.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    241.150.49.20.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    4.159.190.20.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    4.159.190.20.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    144.107.17.2.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    144.107.17.2.in-addr.arpa
                                    IN PTR
                                    Response
                                    144.107.17.2.in-addr.arpa
                                    IN PTR
                                    a2-17-107-144deploystaticakamaitechnologiescom
                                  • flag-us
                                    DNS
                                    95.221.229.192.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    95.221.229.192.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    183.59.114.20.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    183.59.114.20.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    198.187.3.20.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    198.187.3.20.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    25.140.123.92.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    25.140.123.92.in-addr.arpa
                                    IN PTR
                                    Response
                                    25.140.123.92.in-addr.arpa
                                    IN PTR
                                    a92-123-140-25deploystaticakamaitechnologiescom
                                  • flag-us
                                    DNS
                                    240.221.184.93.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    240.221.184.93.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    14.227.111.52.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    14.227.111.52.in-addr.arpa
                                    IN PTR
                                    Response
                                  No results found
                                  • 8.8.8.8:53
                                    241.150.49.20.in-addr.arpa
                                    dns
                                    72 B
                                     158 B
                                     1
                                    1

                                    DNS Request

                                    241.150.49.20.in-addr.arpa

                                  • 8.8.8.8:53
                                    4.159.190.20.in-addr.arpa
                                    dns
                                    71 B
                                     157 B
                                     1
                                    1

                                    DNS Request

                                    4.159.190.20.in-addr.arpa

                                  • 8.8.8.8:53
                                    144.107.17.2.in-addr.arpa
                                    dns
                                    71 B
                                     135 B
                                     1
                                    1

                                    DNS Request

                                    144.107.17.2.in-addr.arpa

                                  • 8.8.8.8:53
                                    95.221.229.192.in-addr.arpa
                                    dns
                                    73 B
                                     144 B
                                     1
                                    1

                                    DNS Request

                                    95.221.229.192.in-addr.arpa

                                  • 8.8.8.8:53
                                    183.59.114.20.in-addr.arpa
                                    dns
                                    72 B
                                     158 B
                                     1
                                    1

                                    DNS Request

                                    183.59.114.20.in-addr.arpa

                                  • 8.8.8.8:53
                                    198.187.3.20.in-addr.arpa
                                    dns
                                    71 B
                                     157 B
                                     1
                                    1

                                    DNS Request

                                    198.187.3.20.in-addr.arpa

                                  • 8.8.8.8:53
                                    25.140.123.92.in-addr.arpa
                                    dns
                                    72 B
                                     137 B
                                     1
                                    1

                                    DNS Request

                                    25.140.123.92.in-addr.arpa

                                  • 8.8.8.8:53
                                    240.221.184.93.in-addr.arpa
                                    dns
                                    73 B
                                     144 B
                                     1
                                    1

                                    DNS Request

                                    240.221.184.93.in-addr.arpa

                                  • 8.8.8.8:53
                                    14.227.111.52.in-addr.arpa
                                    dns
                                    72 B
                                     158 B
                                     1
                                    1

                                    DNS Request

                                    14.227.111.52.in-addr.arpa

                                  MITRE ATT&CK Enterprise v15

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Users\Admin\AppData\Local\Temp\8m1QWvb.cmd
                                    Filesize

                                    130B

                                    MD5

                                    dde9040c0879741d320797f74ec9c93a

                                    SHA1

                                    0d12a0383a3990a37494776884616e2c820b02d2

                                    SHA256

                                    49ed29efd0e31bee0ade4ba7cb10ceed84cd7e50f8e155df8424d266d673fa66

                                    SHA512

                                    f334c8b8bf88c72e6d54e2bb4fab48521d4a8bea3668afdedeae3fa3d1d333e12620468c87221e0a537cbba53392214f8be54043f1cbd1352d78d5973190e0d1

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\GmZd1h1.cmd
                                    Filesize

                                    189B

                                    MD5

                                    5b5512d97b32afabacd3d0e6d32c54c9

                                    SHA1

                                    c67d3ab8c0d64e6e1c5fdab484361abea43ed9ab

                                    SHA256

                                    5d28e969d3cea8f1b2314c86000018a5b83b6e894124fdb5520d4656c5e36444

                                    SHA512

                                    771a3230da29e6b1458cedb80b34e8cd16fc24065d3f62b278c5578b834715fa3bc2c7eed16a663783e2b95a184456f2a392774939a3ae340b2fc963dd6a4143

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\f4C1D.tmp
                                    Filesize

                                    1.1MB

                                    MD5

                                    1b65b9308353191ac7eef9ccec5afdb2

                                    SHA1

                                    67618c5d10435b3e052066ef4dd8a3b1326e14ce

                                    SHA256

                                    35431200e14d7681cb24e93d0fa45c297cd873d3db30765471eb8db8981b7e82

                                    SHA512

                                    8a0d157e8d5188008002af389ca2f6488693bde93d615cc6402577a73cfa7298176c2d05677e97ac0eeaab34ea281b5215405f6dc84185faf2441f4dfe0a8117

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\qPR499C.tmp
                                    Filesize

                                    1.1MB

                                    MD5

                                    c579631af9bc0a105bdec26692f0dcf6

                                    SHA1

                                    8baeaf51fc7bcdd426bbd1795510aa651710a694

                                    SHA256

                                    54e8efb8a7b653a28097668e28a0490d0644cc1e8a8d7bcda39996e48d81629e

                                    SHA512

                                    3a23b7571c0e7decb67f4894f0a28016236987455f22f18545feee119f5050a05e50237486b7b2f3a9243deb627aa00ea508f9a27268999a84b5bee891b6682f

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\xlL2A.cmd
                                    Filesize

                                    245B

                                    MD5

                                    127604d48d171a6b43f3148a0658fbc5

                                    SHA1

                                    23eb8d939518037ca350ab56b324fed548dd40f8

                                    SHA256

                                    c34d35fd9f2dba60b4de06eff58be7261132e4924a2ac51a1ba6ed021c94672e

                                    SHA512

                                    ee0c4f440f20c5c0d94b545bff02fc9d7c88011ce18895194d8a47d5063ffeb1b44c60a34ea54853b36147bd6ff5ae250a1ae404c16588c7e769745fe5d312df

                                    Download Submit

                                  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ovnmkkvrgnxhq.lnk
                                    Filesize

                                    954B

                                    MD5

                                    761b6de3a836d6eb017665ccdc8bb3b6

                                    SHA1

                                    62f6fcca5b5228aeda5b3cddd1ffb4676f436f57

                                    SHA256

                                    2b2ccc14fb5c71bb4a33dd986f3c095569ab1f6cc6c1fbe0e72bf915b70142ee

                                    SHA512

                                    bfb709fc0b5e3b7023d4ae6c670458833f22098007df600cbcd06a3356e600683e66d9af9ac2fcacc53441f69456d30cd97fa225dc258285e426bbbd9353e446

                                    Download Submit

                                  • C:\Users\Admin\AppData\Roaming\OykX47G\PresentationHost.exe
                                    Filesize

                                    276KB

                                    MD5

                                    ef27d65b92d89e8175e6751a57ed9d93

                                    SHA1

                                    7279b58e711b459434f047e9098f9131391c3778

                                    SHA256

                                    17d6dcfaced6873a4ac0361ff14f48313f270ac9c465e9f02b5c12b5a5274c48

                                    SHA512

                                    40f46c3a131bb0388b8a3f7aee422936f6e2aa8d2cda547c43c4e7979c163d06c5aa20033a5156d3eeee5d455eeb929cbce89bcc8bb1766cbb65d7f03dd23e2e

                                    Download Submit

                                  • memory/1760-0-0x0000000140000000-0x000000014010E000-memory.dmp

                                    Filesize

                                    1.1MB

                                    Download

                                  • memory/1760-2-0x00000170D0510000-0x00000170D0517000-memory.dmp

                                    Filesize

                                    28KB

                                    Download

                                  • memory/1760-5-0x0000000140000000-0x000000014010E000-memory.dmp

                                    Filesize

                                    1.1MB

                                    Download

                                  • memory/3416-22-0x0000000140000000-0x000000014010E000-memory.dmp

                                    Filesize

                                    1.1MB

                                    Download

                                  • memory/3416-16-0x0000000140000000-0x000000014010E000-memory.dmp

                                    Filesize

                                    1.1MB

                                    Download

                                  • memory/3416-46-0x00007FFF2F040000-0x00007FFF2F050000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/3416-45-0x0000000000B70000-0x0000000000B77000-memory.dmp

                                    Filesize

                                    28KB

                                    Download

                                  • memory/3416-34-0x0000000140000000-0x000000014010E000-memory.dmp

                                    Filesize

                                    1.1MB

                                    Download

                                  • memory/3416-27-0x0000000140000000-0x000000014010E000-memory.dmp

                                    Filesize

                                    1.1MB

                                    Download

                                  • memory/3416-25-0x0000000140000000-0x000000014010E000-memory.dmp

                                    Filesize

                                    1.1MB

                                    Download

                                  • memory/3416-23-0x0000000140000000-0x000000014010E000-memory.dmp

                                    Filesize

                                    1.1MB

                                    Download

                                  • memory/3416-26-0x0000000140000000-0x000000014010E000-memory.dmp

                                    Filesize

                                    1.1MB

                                    Download

                                  • memory/3416-20-0x0000000140000000-0x000000014010E000-memory.dmp

                                    Filesize

                                    1.1MB

                                    Download

                                  • memory/3416-19-0x0000000140000000-0x000000014010E000-memory.dmp

                                    Filesize

                                    1.1MB

                                    Download

                                  • memory/3416-18-0x0000000140000000-0x000000014010E000-memory.dmp

                                    Filesize

                                    1.1MB

                                    Download

                                  • memory/3416-17-0x0000000140000000-0x000000014010E000-memory.dmp

                                    Filesize

                                    1.1MB

                                    Download

                                  • memory/3416-43-0x0000000140000000-0x000000014010E000-memory.dmp

                                    Filesize

                                    1.1MB

                                    Download

                                  • memory/3416-15-0x0000000140000000-0x000000014010E000-memory.dmp

                                    Filesize

                                    1.1MB

                                    Download

                                  • memory/3416-11-0x0000000140000000-0x000000014010E000-memory.dmp

                                    Filesize

                                    1.1MB

                                    Download

                                  • memory/3416-10-0x0000000140000000-0x000000014010E000-memory.dmp

                                    Filesize

                                    1.1MB

                                    Download

                                  • memory/3416-9-0x0000000140000000-0x000000014010E000-memory.dmp

                                    Filesize

                                    1.1MB

                                    Download

                                  • memory/3416-8-0x0000000140000000-0x000000014010E000-memory.dmp

                                    Filesize

                                    1.1MB

                                    Download

                                  • memory/3416-7-0x0000000140000000-0x000000014010E000-memory.dmp

                                    Filesize

                                    1.1MB

                                    Download

                                  • memory/3416-13-0x0000000140000000-0x000000014010E000-memory.dmp

                                    Filesize

                                    1.1MB

                                    Download

                                  • memory/3416-12-0x0000000140000000-0x000000014010E000-memory.dmp

                                    Filesize

                                    1.1MB

                                    Download

                                  • memory/3416-14-0x0000000140000000-0x000000014010E000-memory.dmp

                                    Filesize

                                    1.1MB

                                    Download

                                  • memory/3416-55-0x0000000140000000-0x000000014010E000-memory.dmp

                                    Filesize

                                    1.1MB

                                    Download

                                  • memory/3416-21-0x0000000140000000-0x000000014010E000-memory.dmp

                                    Filesize

                                    1.1MB

                                    Download

                                  • memory/3416-24-0x0000000140000000-0x000000014010E000-memory.dmp

                                    Filesize

                                    1.1MB

                                    Download

                                  • memory/3416-6-0x00007FFF2EF4A000-0x00007FFF2EF4B000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/3416-3-0x0000000001150000-0x0000000001151000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  We care about your privacy.

                                  This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.