Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/06/2024, 05:05

General

  • Target

    e9f4bcc870e4b10369e86561b3aa28e9949ab8e0e2934ee33c05b974bd22d4ce.dll

  • Size

    524KB

  • MD5

    a8afce658328a86009031a7cafc625bb

  • SHA1

    8443583d9b66f5d2db692030f6a687841cfb1d2c

  • SHA256

    e9f4bcc870e4b10369e86561b3aa28e9949ab8e0e2934ee33c05b974bd22d4ce

  • SHA512

    c34fb48a249ddb68d6ab285125ea1e3a2a0130b3d1e8ab5bfc9942e6edaf3ece411aa5221a5af6a3c673cfe224c61ff1681e5cabe45988f334b7ee8c27e40621

  • SSDEEP

    6144:mi05kH9OyU2uv5SRf/FWgFgt2gqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukTL:ZrHGPv5Smpt7DmUWuVZkxikdXcq

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e9f4bcc870e4b10369e86561b3aa28e9949ab8e0e2934ee33c05b974bd22d4ce.dll,#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2224
  • C:\Windows\system32\LogonUI.exe
    C:\Windows\system32\LogonUI.exe
    1⤵
    PID:2716
  • C:\Windows\system32\StikyNot.exe
    C:\Windows\system32\StikyNot.exe
    1⤵
    PID:2664
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\RC8.cmd
    1⤵
    PID:2948
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{2262e400-a0a9-2d5f-1946-aa1a0d59cbbd}"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2468
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{2262e400-a0a9-2d5f-1946-aa1a0d59cbbd}"
      2⤵
      PID:2952
  • C:\Windows\system32\sdchange.exe
    C:\Windows\system32\sdchange.exe
    1⤵
    PID:2484
  • C:\Windows\system32\BdeUISrv.exe
    C:\Windows\system32\BdeUISrv.exe
    1⤵
    PID:2120
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\W6VlA.cmd
    1⤵
    • Drops file in System32 directory
    PID:2596
  • C:\Windows\System32\eventvwr.exe
    "C:\Windows\System32\eventvwr.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2688
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\G5SUW.cmd
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /Create /F /TN "Kzcfjezwvyzrv" /SC minute /MO 60 /TR "C:\Windows\system32\2073\BdeUISrv.exe" /RL highest
        3⤵
        • Creates scheduled task(s)
        PID:2748

Network

MITRE ATT&CK Enterprise v15

Downloads

              • C:\Users\Admin\AppData\Local\Temp\G5SUW.cmd

                Filesize

                132B

                MD5

                bb3148182c7237b0f0bbd186ea78fab9

                SHA1

                2774e9b54d60f4934a750722e875aa2149e45c7c

                SHA256

                2ac8cef263ca229c029894e027fa1d2d7ba4c51dd5012890483f4be3be31a796

                SHA512

                03c9caeb65c35bf2dcf086b7a71be744eb6c09f9dd43b27418de62eb8f237b0dfa0204ded934a27d188ddf7cef141d578c254fdde41a1ed9408fcc0433aef283

              • C:\Users\Admin\AppData\Local\Temp\RC8.cmd

                Filesize

                234B

                MD5

                4be5f38252f91de9bb27a470159930d7

                SHA1

                014666fc72328efeee6078ac40a074b89b09e0e5

                SHA256

                afeff5488c66fa5ff7697f7b00229e02bd98aa35c08ca3c55c276344961dfce9

                SHA512

                96df2ebb722aacbd3cb675ab7a29d34625b2ebc8b3669b93d60e072058fc8f9bc2e9d63fbd64404dec55d8050a0f2a5e7f4ad6cc01884c26e341a0a2917e8af5

              • C:\Users\Admin\AppData\Local\Temp\W6VlA.cmd

                Filesize

                196B

                MD5

                85f8df5de710b5ce098bf386926ff594

                SHA1

                a0203e6480c9d66396cd8228804b66e4cbe260ab

                SHA256

                6ed6bfdbfbd105c21f8ddbf8de2b50f94785e634b55d8be7136f3ffea17d141b

                SHA512

                aa913d09683e1c5bb7bb53fbab74fc2f483e15bcb81de534b0f116ec6487b53764034e90220fdf12d5cb461eb4d10ef7743055c7350d41e7062c7dad965036db

              • C:\Users\Admin\AppData\Local\Temp\s5M3BD9.tmp

                Filesize

                528KB

                MD5

                1e7a71b520031d49587eaef20b7353d0

                SHA1

                e86b305cef93ad980beb5ca3f12ea01b62220284

                SHA256

                e4e37d75838769df23777167adc785709f8c35e874d8b06fb0b47efdc787ec0e

                SHA512

                1d624249ad72ccf04c163456099b4158a900248cf966cd713d685e0c3fe43ea7da864fdc7f4f3dd3f78840dafac52a53e408d515510b2fbab85c779e3d660f37

              • C:\Users\Admin\AppData\Local\Temp\y3B5B.tmp

                Filesize

                528KB

                MD5

                decfafbb276f47b9b1ea8ccae6ff43a8

                SHA1

                091747ddd6b00f06e3a815638b319972406f8154

                SHA256

                d12de875acfddbf80ee07e71fbf42fb3003ff437cea09d7a3998323290431016

                SHA512

                ab25f3f95be30e718ebd312c866b47bbec18eff0fc78a9693397afb999269209c863e7f8f1c7ef8500fcc5df0ebc2792051811e33214695c3dd9f31ba8169758

              • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yyeybzteybdsbj.lnk

                Filesize

                894B

                MD5

                3730745838ccd1c5ad3eca8d44273a05

                SHA1

                91a33fc7aa1329ba37bc0d5c58c76c636df588a7

                SHA256

                33cace0c94d7db518eb56d3b5dcff61048998affcf3068a87bd1e9912483555d

                SHA512

                913461c52502872e0553566fac13a70869286aec593abb738589b82c117f6c7e018bc129e4a81a222e6db48d27532875e44c7d572cdd7d615613b7cec8477111

              • \Users\Admin\AppData\Roaming\usve2sZ\StikyNot.exe

                Filesize

                417KB

                MD5

                b22cb67919ebad88b0e8bb9cda446010

                SHA1

                423a794d26d96d9f812d76d75fa89bffdc07d468

                SHA256

                2f744feac48ede7d6b6d2727f7ddfa80b26d9e3b0009741b00992b19ad85e128

                SHA512

                f40aad2a381b766aae0a353fae3ab759d5c536b2d00d135527bba37b601d2f24323f079bd09600355d79404d574ac59201d415ef64c1568877ad0ce0da2dd1d5

              • memory/1224-34-0x0000000140000000-0x0000000140083000-memory.dmp

                Filesize

                524KB

              • memory/1224-14-0x0000000140000000-0x0000000140083000-memory.dmp

                Filesize

                524KB

              • memory/1224-35-0x0000000002970000-0x0000000002977000-memory.dmp

                Filesize

                28KB

              • memory/1224-100-0x0000000077316000-0x0000000077317000-memory.dmp

                Filesize

                4KB

              • memory/1224-27-0x0000000140000000-0x0000000140083000-memory.dmp

                Filesize

                524KB

              • memory/1224-26-0x0000000140000000-0x0000000140083000-memory.dmp

                Filesize

                524KB

              • memory/1224-25-0x0000000140000000-0x0000000140083000-memory.dmp

                Filesize

                524KB

              • memory/1224-24-0x0000000140000000-0x0000000140083000-memory.dmp

                Filesize

                524KB

              • memory/1224-36-0x0000000077421000-0x0000000077422000-memory.dmp

                Filesize

                4KB

              • memory/1224-23-0x0000000140000000-0x0000000140083000-memory.dmp

                Filesize

                524KB

              • memory/1224-22-0x0000000140000000-0x0000000140083000-memory.dmp

                Filesize

                524KB

              • memory/1224-21-0x0000000140000000-0x0000000140083000-memory.dmp

                Filesize

                524KB

              • memory/1224-20-0x0000000140000000-0x0000000140083000-memory.dmp

                Filesize

                524KB

              • memory/1224-19-0x0000000140000000-0x0000000140083000-memory.dmp

                Filesize

                524KB

              • memory/1224-18-0x0000000140000000-0x0000000140083000-memory.dmp

                Filesize

                524KB

              • memory/1224-17-0x0000000140000000-0x0000000140083000-memory.dmp

                Filesize

                524KB

              • memory/1224-15-0x0000000140000000-0x0000000140083000-memory.dmp

                Filesize

                524KB

              • memory/1224-16-0x0000000140000000-0x0000000140083000-memory.dmp

                Filesize

                524KB

              • memory/1224-13-0x0000000140000000-0x0000000140083000-memory.dmp

                Filesize

                524KB

              • memory/1224-12-0x0000000140000000-0x0000000140083000-memory.dmp

                Filesize

                524KB

              • memory/1224-11-0x0000000140000000-0x0000000140083000-memory.dmp

                Filesize

                524KB

              • memory/1224-9-0x0000000140000000-0x0000000140083000-memory.dmp

                Filesize

                524KB

              • memory/1224-51-0x0000000140000000-0x0000000140083000-memory.dmp

                Filesize

                524KB

              • memory/1224-8-0x0000000140000000-0x0000000140083000-memory.dmp

                Filesize

                524KB

              • memory/1224-10-0x0000000140000000-0x0000000140083000-memory.dmp

                Filesize

                524KB

              • memory/1224-7-0x0000000140000000-0x0000000140083000-memory.dmp

                Filesize

                524KB

              • memory/1224-45-0x0000000140000000-0x0000000140083000-memory.dmp

                Filesize

                524KB

              • memory/1224-4-0x0000000002990000-0x0000000002991000-memory.dmp

                Filesize

                4KB

              • memory/1224-3-0x0000000077316000-0x0000000077317000-memory.dmp

                Filesize

                4KB

              • memory/1224-50-0x0000000077580000-0x0000000077582000-memory.dmp

                Filesize

                8KB

              • memory/1224-49-0x0000000140000000-0x0000000140083000-memory.dmp

                Filesize

                524KB

              • memory/1224-48-0x0000000140000000-0x0000000140083000-memory.dmp

                Filesize

                524KB

              • memory/2224-6-0x0000000140000000-0x0000000140083000-memory.dmp

                Filesize

                524KB

              • memory/2224-2-0x0000000000290000-0x0000000000297000-memory.dmp

                Filesize

                28KB

              • memory/2224-1-0x0000000140000000-0x0000000140083000-memory.dmp

                Filesize

                524KB