Analysis
max time kernel: 149s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 03/06/2024, 05:05
Static task: static1
Behavioral task: behavioral1
Sample: e9f4bcc870e4b10369e86561b3aa28e9949ab8e0e2934ee33c05b974bd22d4ce.dll
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: e9f4bcc870e4b10369e86561b3aa28e9949ab8e0e2934ee33c05b974bd22d4ce.dll
Resource: win10v2004-20240508-en
General
Target: e9f4bcc870e4b10369e86561b3aa28e9949ab8e0e2934ee33c05b974bd22d4ce.dll
Size: 524KB
MD5: a8afce658328a86009031a7cafc625bb
SHA1: 8443583d9b66f5d2db692030f6a687841cfb1d2c
SHA256: e9f4bcc870e4b10369e86561b3aa28e9949ab8e0e2934ee33c05b974bd22d4ce
SHA512: c34fb48a249ddb68d6ab285125ea1e3a2a0130b3d1e8ab5bfc9942e6edaf3ece411aa5221a5af6a3c673cfe224c61ff1681e5cabe45988f334b7ee8c27e40621
SSDEEP: 6144:mi05kH9OyU2uv5SRf/FWgFgt2gqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukTL:ZrHGPv5Smpt7DmUWuVZkxikdXcq
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pruztwesow = "\"C:\\Users\\Admin\\AppData\\Roaming\\LRknwnN\\BitLockerWizard.exe\"" | Process not Found

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\5126\SndVol.exe | cmd.exe
File created | C:\Windows\system32\5126\SndVol.exe | cmd.exe

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4892 | schtasks.exe

Modifies registry class (10 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings\shell\open | Process not Found
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\6py.cmd" | Process not Found
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings\shell\open\command\DelegateExecute | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings\shell\open\command | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings | Process not Found
Key deleted | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings\shell\open | Process not Found
Key deleted | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings\shell | Process not Found
Key deleted | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings\shell | Process not Found
Key deleted | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings\shell\open\command | Process not Found

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4796 | rundll32.exe (4 entries)
3500 | Process not Found (60 entries)

Suspicious use of AdjustPrivilegeToken (14 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 3500 | Process not Found (7 entries)
Token: SeCreatePagefilePrivilege | 3500 | Process not Found (7 entries)

Suspicious use of UnmapMainImage (1 IoCs)
pid | Process
3500 | Process not Found

Suspicious use of WriteProcessMemory (24 IoCs; each row below is listed twice in the report)
description | pid | Process | procid_target
PID 3500 wrote to memory of 3812 | 3500 | Process not Found | 90
PID 3500 wrote to memory of 5108 | 3500 | Process not Found | 91
PID 3500 wrote to memory of 2716 | 3500 | Process not Found | 92
PID 3500 wrote to memory of 5104 | 3500 | Process not Found | 93
PID 3500 wrote to memory of 728 | 3500 | Process not Found | 95
PID 728 wrote to memory of 3112 | 728 | cmd.exe | 97
PID 3500 wrote to memory of 716 | 3500 | Process not Found | 98
PID 3500 wrote to memory of 3836 | 3500 | Process not Found | 99
PID 3500 wrote to memory of 3192 | 3500 | Process not Found | 100
PID 3500 wrote to memory of 4732 | 3500 | Process not Found | 102
PID 4732 wrote to memory of 3512 | 4732 | fodhelper.exe | 103
PID 3512 wrote to memory of 4892 | 3512 | cmd.exe | 105

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\e9f4bcc870e4b10369e86561b3aa28e9949ab8e0e2934ee33c05b974bd22d4ce.dll,#1
  Suspicious behavior: EnumeratesProcesses
  PID: 4796

C:\Windows\system32\TSTheme.exe
  C:\Windows\system32\TSTheme.exe
  PID: 3812

C:\Windows\system32\RmClient.exe
  C:\Windows\system32\RmClient.exe
  PID: 5108

C:\Windows\system32\BitLockerWizard.exe
  C:\Windows\system32\BitLockerWizard.exe
  PID: 2716

C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\aKXLPQl.cmd
  PID: 5104

C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{662183c3-7773-ee8a-f0a9-0ccd273a9b7a}"
  Suspicious use of WriteProcessMemory
  PID: 728
    C:\Windows\system32\schtasks.exe
      schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{662183c3-7773-ee8a-f0a9-0ccd273a9b7a}"
      PID: 3112

C:\Windows\system32\UIMgrBroker.exe
  C:\Windows\system32\UIMgrBroker.exe
  PID: 716

C:\Windows\system32\SndVol.exe
  C:\Windows\system32\SndVol.exe
  PID: 3836

C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\mPEGq0.cmd
  Drops file in System32 directory
  PID: 3192

C:\Windows\System32\fodhelper.exe
  "C:\Windows\System32\fodhelper.exe"
  Suspicious use of WriteProcessMemory
  PID: 4732
    C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\6py.cmd
      Suspicious use of WriteProcessMemory
      PID: 3512
        C:\Windows\system32\schtasks.exe
          schtasks.exe /Create /F /TN "Fdxhngjjnp" /SC minute /MO 60 /TR "C:\Windows\system32\5126\SndVol.exe" /RL highest
          Creates scheduled task(s)
          PID: 4892
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 528KB
MD5: 517fb5c637eb9e0a53926998b85bde8e
SHA1: 574e81f3cb2f37aee2087bbe75c33f81779a9128
SHA256: 91c9d56d48d6d35d668e74c17a7d2a1d88b96e18ac449d908dfdc75fc8206b1d
SHA512: 19962b4db4705504e30a130a4cfb6f7c9b891f76ac9854baa1f1471a3ad739d4477d94016953b4b824842f59a653c34f5f575ba9e080e70d0b7bf1cc1780572e

Filesize: 127B
MD5: d3e52e132cec5afee05e3a822cdee50b
SHA1: 38109f39817cc95e6e245929032428e4c51b1a67
SHA256: 39522953cea12991cc7f26327bb77dfc53579c1b9acf2ddb4322d5787693d056
SHA512: 6732fa9b3250a59770d9e2bf942b77a540a9a6d75bf51e82157eae198422e435afec7ca2f903f1049535fee62ce0e752101c55d68402e0d894c2d8b414c18346

Filesize: 243B
MD5: 9021153768c640924ae5b4b52031ec1d
SHA1: 9dd2f3b6a1978eec40bccf4907d5cd5b81bf0ee2
SHA256: 4cf58101e9fb8e74e4eda0677817c8533f18f4236950b9b0cf5797aeba3d6fef
SHA512: 206ea3608aa812753da152b34f8ff1f90d526b015a166d893d78839b0045db223051a357b64a7654e36d42c7cb246744e46e1e238f652e61c6214c62da3c914f

Filesize: 528KB
MD5: 1d649482fce95f3b8e05e8b1098692ee
SHA1: a8125d02e3965972bebc9a01fb227849cd140e06
SHA256: 55b4c4727f2d7118fa951b8502fc517914ca37f8aabce1ff8d51d52adfc76a8c
SHA512: 306de546a12e90b4532053e1c432e8dc6b54d5e36db1152bb47f5954d2b626748bbe56fd0dc7044f263aab461e91a29313a8a0c684410bab6e0ed31cdac11418

Filesize: 192B
MD5: a19de6e6dd8fa90f757f4d06c37954e9
SHA1: e210e4814d36b044a5fb8be6399fb34112d646ea
SHA256: c0102fa98fbe242501707b3a5fda266a58b2a26990ab61ee23514768cf4c45d5
SHA512: d93d98f64c728f539fa5cbfe2d3f6808c4aeccd279fc88466f13d7ca4d75e920d1591a769e26ae7148f19e71c07c86dcbd9986df68c5b2018f3eaa6b02b6f865

Filesize: 100KB
MD5: 6d30c96f29f64b34bc98e4c81d9b0ee8
SHA1: 4a3adc355f02b9c69bdbe391bfb01469dee15cf0
SHA256: 7758227642702e645af5e84d1c0e5690e07687c8209072a2c5f79379299edf74
SHA512: 25471b0ac7156d9ee9d12181020039bf551ba3efe252b656030c12d93b8db2648a18bdf762740f2a5cd8e43640e4bd4e8742310dea15823fc76b9e1c126876b8

Filesize: 952B
MD5: 7cd24dd1ebdc7a33d895df24f5035b97
SHA1: b40b1a64c064327f4c91a110ee41d961837e5e03
SHA256: fc8acba1e93ba688cac803a9374e3cf50480b154d3df0266662d08449781c448
SHA512: faf49e99a5a9e416b3f12fd264554a546752ed33bcfedc3f6c26abe24fb53ea6884e58d531f202f99cdca186cc338736fbbbc4333e1d341bb9199fa67c13faa7