Analysis

  • max time kernel
    151s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/06/2024, 22:25

General

  • Target

    65170ab244bc882ca331aba981b879451cd0e91e27b78494bb5a9d6d97dba0a1.dll

  • Size

    1.1MB

  • MD5

    f165e88e25102d19f8f2c955686ce88d

  • SHA1

    cd678ad3cd82144c5861470abf4cc40820a0d831

  • SHA256

    65170ab244bc882ca331aba981b879451cd0e91e27b78494bb5a9d6d97dba0a1

  • SHA512

    26c3f6e797b8cc9ff0a3b9c8031d67a0e0d70b76c23da452ca92824ca0bee552b83abcc69738759d5e88f0a218d9426206e390e5a9d5e385bb165712c6de3e2e

  • SSDEEP

    6144:Ni05kH9OyU2uv5SRf/FWgFgt0gqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukT4:4rHGPv5SmptZDmUWuVZkxikdXcq

Score
6/10

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\65170ab244bc882ca331aba981b879451cd0e91e27b78494bb5a9d6d97dba0a1.dll,#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:3108
  • C:\Windows\system32\dllhost.exe
    C:\Windows\system32\dllhost.exe
    1⤵
    PID:760
  • C:\Windows\system32\cleanmgr.exe
    C:\Windows\system32\cleanmgr.exe
    1⤵
    PID:912
  • C:\Windows\system32\WallpaperHost.exe
    C:\Windows\system32\WallpaperHost.exe
    1⤵
    PID:3660
  • C:\Windows\system32\provtool.exe
    C:\Windows\system32\provtool.exe
    1⤵
    PID:3652
  • C:\Windows\system32\LaunchTM.exe
    C:\Windows\system32\LaunchTM.exe
    1⤵
    PID:2800
  • C:\Windows\system32\bdechangepin.exe
    C:\Windows\system32\bdechangepin.exe
    1⤵
    PID:2616
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\rt9B.cmd
    1⤵
    PID:448
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{2876edf9-11ce-6726-5bde-f751084e1399}"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3812
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{2876edf9-11ce-6726-5bde-f751084e1399}"
      2⤵
      PID:776
  • C:\Windows\system32\DTUHandler.exe
    C:\Windows\system32\DTUHandler.exe
    1⤵
    PID:4820
  • C:\Windows\system32\GamePanel.exe
    C:\Windows\system32\GamePanel.exe
    1⤵
    PID:4136
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\5dAm9bi.cmd
    1⤵
    • Drops file in System32 directory
    PID:4292
  • C:\Windows\System32\fodhelper.exe
    "C:\Windows\System32\fodhelper.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3876
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\MWwAox1.cmd
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4092
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /Create /F /TN "Eofvjgiti" /SC minute /MO 60 /TR "C:\Windows\system32\9569\GamePanel.exe" /RL highest
        3⤵
        • Creates scheduled task(s)
        PID:996
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:5012

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\5dAm9bi.cmd
    Filesize 193B
    MD5 ad23f93f258aa0ed654a4530d592d38c
    SHA1 588a722136ac1e888a6361b97ac8d0127175c09a
    SHA256 16f3f71e5c95ac552073aa290547b07e46a9654727c379708038a758f15d34db
    SHA512 b46af54ae7028cc1ff15c1e34788ba5f27bfb2d5a36d92abf4043e3e462a580f23202e06c606fde75360e6a00648bb7814ac1f046c41616d43f1ee39e2c59887

  • C:\Users\Admin\AppData\Local\Temp\H1F3B.tmp
    Filesize 1.3MB
    MD5 497e02f8361d1a0f2601a4f87b7dd874
    SHA1 879cfce82adc3cb4cb58c717847b7a69fd777481
    SHA256 32e4b63cff23718f0b82486fb220584881a45583ffeff132fc607feccd7c8293
    SHA512 47320a4a34bc006f7da0e1b7d4ac1d64080404f067cbe5af9debdee97e6634bd5331e91ef713fd19b353fa3b330fc36ab4824ee04811db303795133593614f72

  • C:\Users\Admin\AppData\Local\Temp\MWwAox1.cmd
    Filesize 129B
    MD5 3071ff351ca6198e1a1a01b9692f3345
    SHA1 0fece473ba23f22fdd303d7dd92a80c40515b5af
    SHA256 323547a4e220a0a432b50d0608abaa28bcb081ff93bd43974f0dbd7b89a40b2b
    SHA512 0d3cf2dd13db55512cda2c7165ca02c3c7407c2519ef00a881092a9562a775482491fae4a52e275b3177f6162f8491e5714517bdb8c0321c11c3f3d77dae147d

  • C:\Users\Admin\AppData\Local\Temp\r27F6.tmp
    Filesize 1.1MB
    MD5 11b756f01a2bf09165ee1a6636318c20
    SHA1 9570ce74fc951d7c4521d0787c1b5a640f21ec80
    SHA256 c5f30dfe2846d725d768a84bb3aad7610616c94d4ce4f4a5451f3ee847254190
    SHA512 db2db09e5839d47d2d085ed6157dd8e0c31710b3ea21794855aa444c23d101135c2284b61e7047bd90c0413983f87340cad474006c641ca88aaddedc122e3eaa

  • C:\Users\Admin\AppData\Local\Temp\rt9B.cmd
    Filesize 234B
    MD5 13b59cf968048ccc46f512c24c7c3f96
    SHA1 8d387c1ae5d241d9d42ca5b3b2e54ef84e8bfc0a
    SHA256 56f6407a8d87e722b4d67ac7fc023de1591bbb6a05c2e3399abf771417bc649b
    SHA512 ca44700dafae7482d3ecf2582ba071914ef97087c48504e3f2a624f22a32d61ecddbc40c100ad62f47e65bfcbe4b4e4eaac46cc5c5dc47ab3ebb5c40c1ddc6f8

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Xcdbzlxvqxxhz.lnk
    Filesize 934B
    MD5 a82fe305e7fae5d7d90f8f0e55a265eb
    SHA1 ac3b820fb4bbd2d201f12e2b9ac14a5c7788202c
    SHA256 809ed4b95cae66a0f551c1b5bab76c36cb40a1e7912d051ed800de543df16b25
    SHA512 f1fbe72ba88d81b9b581c0f5110187ab4a747f2dd5f3aa629ddac101dac2312b8ad3903d090059d8f65854b92c7d82187e5f9a0e4834cc9d4b18989e202edc7c

  • C:\Users\Admin\AppData\Roaming\gT482P\bdechangepin.exe
    Filesize 373KB
    MD5 601a28eb2d845d729ddd7330cbae6fd6
    SHA1 5cf9f6f9135c903d42a7756c638333db8621e642
    SHA256 4d43f37576a0ebbaf97024cd5597d968ffe59c871b483554aea302dccb7253f6
    SHA512 1687044612ceb705f79c806b176f885fd01449251b0097c2df70280b7d10a2b830ee30ac0f645a7e8d8067892f6562d933624de694295e22318863260222859d

  • memory/3108-0-0x0000000140000000-0x0000000140112000-memory.dmp
    Filesize 1.1MB
  • memory/3108-1-0x000001D795210000-0x000001D795217000-memory.dmp
    Filesize 28KB
  • memory/3108-6-0x0000000140000000-0x0000000140112000-memory.dmp
    Filesize 1.1MB
  • memory/3164-18-0x0000000140000000-0x0000000140112000-memory.dmp
    Filesize 1.1MB
  • memory/3164-8-0x0000000140000000-0x0000000140112000-memory.dmp
    Filesize 1.1MB
  • memory/3164-44-0x0000000140000000-0x0000000140112000-memory.dmp
    Filesize 1.1MB
  • memory/3164-24-0x0000000140000000-0x0000000140112000-memory.dmp
    Filesize 1.1MB
  • memory/3164-23-0x0000000140000000-0x0000000140112000-memory.dmp
    Filesize 1.1MB
  • memory/3164-21-0x0000000140000000-0x0000000140112000-memory.dmp
    Filesize 1.1MB
  • memory/3164-20-0x0000000140000000-0x0000000140112000-memory.dmp
    Filesize 1.1MB
  • memory/3164-19-0x0000000140000000-0x0000000140112000-memory.dmp
    Filesize 1.1MB
  • memory/3164-25-0x0000000140000000-0x0000000140112000-memory.dmp
    Filesize 1.1MB
  • memory/3164-17-0x0000000140000000-0x0000000140112000-memory.dmp
    Filesize 1.1MB
  • memory/3164-12-0x0000000140000000-0x0000000140112000-memory.dmp
    Filesize 1.1MB
  • memory/3164-11-0x0000000140000000-0x0000000140112000-memory.dmp
    Filesize 1.1MB
  • memory/3164-10-0x0000000140000000-0x0000000140112000-memory.dmp
    Filesize 1.1MB
  • memory/3164-46-0x00007FFC0E580000-0x00007FFC0E590000-memory.dmp
    Filesize 64KB
  • memory/3164-16-0x0000000140000000-0x0000000140112000-memory.dmp
    Filesize 1.1MB
  • memory/3164-15-0x0000000140000000-0x0000000140112000-memory.dmp
    Filesize 1.1MB
  • memory/3164-13-0x0000000140000000-0x0000000140112000-memory.dmp
    Filesize 1.1MB
  • memory/3164-14-0x0000000140000000-0x0000000140112000-memory.dmp
    Filesize 1.1MB
  • memory/3164-9-0x0000000140000000-0x0000000140112000-memory.dmp
    Filesize 1.1MB
  • memory/3164-7-0x0000000140000000-0x0000000140112000-memory.dmp
    Filesize 1.1MB
  • memory/3164-26-0x0000000140000000-0x0000000140112000-memory.dmp
    Filesize 1.1MB
  • memory/3164-34-0x0000000000560000-0x0000000000567000-memory.dmp
    Filesize 28KB
  • memory/3164-35-0x0000000140000000-0x0000000140112000-memory.dmp
    Filesize 1.1MB
  • memory/3164-55-0x0000000140000000-0x0000000140112000-memory.dmp
    Filesize 1.1MB
  • memory/3164-27-0x0000000140000000-0x0000000140112000-memory.dmp
    Filesize 1.1MB
  • memory/3164-22-0x0000000140000000-0x0000000140112000-memory.dmp
    Filesize 1.1MB
  • memory/3164-5-0x00007FFC0C71A000-0x00007FFC0C71B000-memory.dmp
    Filesize 4KB
  • memory/3164-3-0x0000000002380000-0x0000000002381000-memory.dmp
    Filesize 4KB