Analysis

  • max time kernel
    149s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/06/2024, 05:05

General

  • Target
    e9f4bcc870e4b10369e86561b3aa28e9949ab8e0e2934ee33c05b974bd22d4ce.dll
  • Size
    524KB
  • MD5
    a8afce658328a86009031a7cafc625bb
  • SHA1
    8443583d9b66f5d2db692030f6a687841cfb1d2c
  • SHA256
    e9f4bcc870e4b10369e86561b3aa28e9949ab8e0e2934ee33c05b974bd22d4ce
  • SHA512
    c34fb48a249ddb68d6ab285125ea1e3a2a0130b3d1e8ab5bfc9942e6edaf3ece411aa5221a5af6a3c673cfe224c61ff1681e5cabe45988f334b7ee8c27e40621
  • SSDEEP
    6144:mi05kH9OyU2uv5SRf/FWgFgt2gqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukTL:ZrHGPv5Smpt7DmUWuVZkxikdXcq

Score
6/10

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e9f4bcc870e4b10369e86561b3aa28e9949ab8e0e2934ee33c05b974bd22d4ce.dll,#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:4796
  • C:\Windows\system32\TSTheme.exe
    C:\Windows\system32\TSTheme.exe
    1⤵
    PID:3812
  • C:\Windows\system32\RmClient.exe
    C:\Windows\system32\RmClient.exe
    1⤵
    PID:5108
  • C:\Windows\system32\BitLockerWizard.exe
    C:\Windows\system32\BitLockerWizard.exe
    1⤵
    PID:2716
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\aKXLPQl.cmd
    1⤵
    PID:5104
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{662183c3-7773-ee8a-f0a9-0ccd273a9b7a}"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:728
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{662183c3-7773-ee8a-f0a9-0ccd273a9b7a}"
      2⤵
      PID:3112
  • C:\Windows\system32\UIMgrBroker.exe
    C:\Windows\system32\UIMgrBroker.exe
    1⤵
    PID:716
  • C:\Windows\system32\SndVol.exe
    C:\Windows\system32\SndVol.exe
    1⤵
    PID:3836
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\mPEGq0.cmd
    1⤵
    • Drops file in System32 directory
    PID:3192
  • C:\Windows\System32\fodhelper.exe
    "C:\Windows\System32\fodhelper.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4732
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\6py.cmd
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3512
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /Create /F /TN "Fdxhngjjnp" /SC minute /MO 60 /TR "C:\Windows\system32\5126\SndVol.exe" /RL highest
        3⤵
        • Creates scheduled task(s)
        PID:4892

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\0t65767.tmp
    Filesize 528KB
    MD5 517fb5c637eb9e0a53926998b85bde8e
    SHA1 574e81f3cb2f37aee2087bbe75c33f81779a9128
    SHA256 91c9d56d48d6d35d668e74c17a7d2a1d88b96e18ac449d908dfdc75fc8206b1d
    SHA512 19962b4db4705504e30a130a4cfb6f7c9b891f76ac9854baa1f1471a3ad739d4477d94016953b4b824842f59a653c34f5f575ba9e080e70d0b7bf1cc1780572e
  • C:\Users\Admin\AppData\Local\Temp\6py.cmd
    Filesize 127B
    MD5 d3e52e132cec5afee05e3a822cdee50b
    SHA1 38109f39817cc95e6e245929032428e4c51b1a67
    SHA256 39522953cea12991cc7f26327bb77dfc53579c1b9acf2ddb4322d5787693d056
    SHA512 6732fa9b3250a59770d9e2bf942b77a540a9a6d75bf51e82157eae198422e435afec7ca2f903f1049535fee62ce0e752101c55d68402e0d894c2d8b414c18346
  • C:\Users\Admin\AppData\Local\Temp\aKXLPQl.cmd
    Filesize 243B
    MD5 9021153768c640924ae5b4b52031ec1d
    SHA1 9dd2f3b6a1978eec40bccf4907d5cd5b81bf0ee2
    SHA256 4cf58101e9fb8e74e4eda0677817c8533f18f4236950b9b0cf5797aeba3d6fef
    SHA512 206ea3608aa812753da152b34f8ff1f90d526b015a166d893d78839b0045db223051a357b64a7654e36d42c7cb246744e46e1e238f652e61c6214c62da3c914f
  • C:\Users\Admin\AppData\Local\Temp\htr5843.tmp
    Filesize 528KB
    MD5 1d649482fce95f3b8e05e8b1098692ee
    SHA1 a8125d02e3965972bebc9a01fb227849cd140e06
    SHA256 55b4c4727f2d7118fa951b8502fc517914ca37f8aabce1ff8d51d52adfc76a8c
    SHA512 306de546a12e90b4532053e1c432e8dc6b54d5e36db1152bb47f5954d2b626748bbe56fd0dc7044f263aab461e91a29313a8a0c684410bab6e0ed31cdac11418
  • C:\Users\Admin\AppData\Local\Temp\mPEGq0.cmd
    Filesize 192B
    MD5 a19de6e6dd8fa90f757f4d06c37954e9
    SHA1 e210e4814d36b044a5fb8be6399fb34112d646ea
    SHA256 c0102fa98fbe242501707b3a5fda266a58b2a26990ab61ee23514768cf4c45d5
    SHA512 d93d98f64c728f539fa5cbfe2d3f6808c4aeccd279fc88466f13d7ca4d75e920d1591a769e26ae7148f19e71c07c86dcbd9986df68c5b2018f3eaa6b02b6f865
  • C:\Users\Admin\AppData\Roaming\LRknwnN\BitLockerWizard.exe
    Filesize 100KB
    MD5 6d30c96f29f64b34bc98e4c81d9b0ee8
    SHA1 4a3adc355f02b9c69bdbe391bfb01469dee15cf0
    SHA256 7758227642702e645af5e84d1c0e5690e07687c8209072a2c5f79379299edf74
    SHA512 25471b0ac7156d9ee9d12181020039bf551ba3efe252b656030c12d93b8db2648a18bdf762740f2a5cd8e43640e4bd4e8742310dea15823fc76b9e1c126876b8
  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pruztwesow.lnk
    Filesize 952B
    MD5 7cd24dd1ebdc7a33d895df24f5035b97
    SHA1 b40b1a64c064327f4c91a110ee41d961837e5e03
    SHA256 fc8acba1e93ba688cac803a9374e3cf50480b154d3df0266662d08449781c448
    SHA512 faf49e99a5a9e416b3f12fd264554a546752ed33bcfedc3f6c26abe24fb53ea6884e58d531f202f99cdca186cc338736fbbbc4333e1d341bb9199fa67c13faa7
  • memory/3500-27-0x0000000140000000-0x0000000140083000-memory.dmp
    Filesize 524KB
  • memory/3500-22-0x0000000140000000-0x0000000140083000-memory.dmp
    Filesize 524KB
  • memory/3500-44-0x0000000140000000-0x0000000140083000-memory.dmp
    Filesize 524KB
  • memory/3500-34-0x0000000140000000-0x0000000140083000-memory.dmp
    Filesize 524KB
  • memory/3500-23-0x0000000140000000-0x0000000140083000-memory.dmp
    Filesize 524KB
  • memory/3500-7-0x0000000140000000-0x0000000140083000-memory.dmp
    Filesize 524KB
  • memory/3500-55-0x0000000140000000-0x0000000140083000-memory.dmp
    Filesize 524KB
  • memory/3500-8-0x0000000140000000-0x0000000140083000-memory.dmp
    Filesize 524KB
  • memory/3500-6-0x00007FFAF74EA000-0x00007FFAF74EB000-memory.dmp
    Filesize 4KB
  • memory/3500-3-0x0000000000710000-0x0000000000711000-memory.dmp
    Filesize 4KB
  • memory/3500-38-0x00000000006B0000-0x00000000006B7000-memory.dmp
    Filesize 28KB
  • memory/3500-9-0x0000000140000000-0x0000000140083000-memory.dmp
    Filesize 524KB
  • memory/3500-26-0x0000000140000000-0x0000000140083000-memory.dmp
    Filesize 524KB
  • memory/3500-25-0x0000000140000000-0x0000000140083000-memory.dmp
    Filesize 524KB
  • memory/3500-24-0x0000000140000000-0x0000000140083000-memory.dmp
    Filesize 524KB
  • memory/3500-46-0x00007FFAF8000000-0x00007FFAF8010000-memory.dmp
    Filesize 64KB
  • memory/3500-21-0x0000000140000000-0x0000000140083000-memory.dmp
    Filesize 524KB
  • memory/3500-20-0x0000000140000000-0x0000000140083000-memory.dmp
    Filesize 524KB
  • memory/3500-19-0x0000000140000000-0x0000000140083000-memory.dmp
    Filesize 524KB
  • memory/3500-18-0x0000000140000000-0x0000000140083000-memory.dmp
    Filesize 524KB
  • memory/3500-17-0x0000000140000000-0x0000000140083000-memory.dmp
    Filesize 524KB
  • memory/3500-16-0x0000000140000000-0x0000000140083000-memory.dmp
    Filesize 524KB
  • memory/3500-15-0x0000000140000000-0x0000000140083000-memory.dmp
    Filesize 524KB
  • memory/3500-14-0x0000000140000000-0x0000000140083000-memory.dmp
    Filesize 524KB
  • memory/3500-13-0x0000000140000000-0x0000000140083000-memory.dmp
    Filesize 524KB
  • memory/3500-12-0x0000000140000000-0x0000000140083000-memory.dmp
    Filesize 524KB
  • memory/3500-11-0x0000000140000000-0x0000000140083000-memory.dmp
    Filesize 524KB
  • memory/3500-10-0x0000000140000000-0x0000000140083000-memory.dmp
    Filesize 524KB
  • memory/4796-0-0x0000000140000000-0x0000000140083000-memory.dmp
    Filesize 524KB
  • memory/4796-5-0x0000000140000000-0x0000000140083000-memory.dmp
    Filesize 524KB
  • memory/4796-2-0x000002368D9E0000-0x000002368D9E7000-memory.dmp
    Filesize 28KB