Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

fe4dffba11...be.dll

windows7-x64

7

fe4dffba11...be.dll

windows10-2004-x64

6

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    04/06/2024, 05:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fe4dffba118410b2e1b57bef1b099ac643e338b2e8b34ee8252b5672038b7fbe.dll

  • Size

    992KB

  • MD5

    97cc324c3e119a1e92d47865a2e821be

  • SHA1

    d95f93e8b18b901a3454370e35c2172cd47149da

  • SHA256

    fe4dffba118410b2e1b57bef1b099ac643e338b2e8b34ee8252b5672038b7fbe

  • SHA512

    f806756c4ccb464ec2866e9aee8ee21cf81bb88cfa906e0055ebb352e287280b8f75b06bef987a524b401a935f0b7dd81be3221716edfe6dda59e9fad7f0dcc4

  • SSDEEP

    12288:nrHGPv5SmptEDmUWuVZkxikdXcqifhqq:6PvQmptPUBDkxBdXcHfhq

Score
7/10
persistence

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\fe4dffba118410b2e1b57bef1b099ac643e338b2e8b34ee8252b5672038b7fbe.dll,#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2932
  • C:\Windows\system32\dpapimig.exe
    C:\Windows\system32\dpapimig.exe
    1⤵
      PID:2784
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\eTJVZry.cmd
      1⤵
        PID:2680
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{7b98aa95-b212-23e5-3cc8-426819761c96}"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:2580
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{7b98aa95-b212-23e5-3cc8-426819761c96}"
          2⤵
            PID:1916
        • C:\Windows\system32\logagent.exe
          C:\Windows\system32\logagent.exe
          1⤵
            PID:1404
          • C:\Windows\system32\cleanmgr.exe
            C:\Windows\system32\cleanmgr.exe
            1⤵
              PID:1616
            • C:\Windows\system32\dpapimig.exe
              C:\Windows\system32\dpapimig.exe
              1⤵
                PID:2804
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\j78Arn.cmd
                1⤵
                • Drops file in System32 directory
                PID:2844
              • C:\Windows\System32\eventvwr.exe
                "C:\Windows\System32\eventvwr.exe"
                1⤵
                • Suspicious use of WriteProcessMemory
                PID:2868
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\Agjmqv.cmd
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2908
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /Create /F /TN "Rkbail" /SC minute /MO 60 /TR "C:\Windows\system32\0502\dpapimig.exe" /RL highest
                    3⤵
                    • Creates scheduled task(s)
                    PID:352

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\Agjmqv.cmd
                Filesize

                125B

                MD5

                93beeaad16691e686d81ce955663c40a

                SHA1

                c9bab67abbb9121c112dd2cfadb1bdb971437229

                SHA256

                c0a85ad82eb391d658ca4c94a501cc931c88f683f5350cbe95db5abac19df583

                SHA512

                efad09d85c0c3e9ab9097ee0cfb29c2c4574722a6d877c060cf8343434a4d5faa277d66dfa9efe292c1396735bc2fd09ee724bea17dc83dd8f3054bb9e66411b

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\U338E.tmp
                Filesize

                1.2MB

                MD5

                81ca88ae2655695ab6728fff5db92371

                SHA1

                0489c0153e92adf8393ea3d8137436ae12046419

                SHA256

                3f4253e02f445cd7315f044e9b59d345a39ae641a8d061207c3fe05b4240a9b5

                SHA512

                3d0cb431d6c9bbda31ada5ef9e3a40320fb7d2309dacbfba975af05a41c7ce1be57e31ad953c2f98a007253cb5460133d0770095c20c29834edb01be0e7645c2

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\eTJVZry.cmd
                Filesize

                227B

                MD5

                6c68127cf224e228f3ecd97857c1c094

                SHA1

                dde71d781785e9015e0fd8c5f80faa6c6d2c2df7

                SHA256

                b660fb15efd1945bc6a02261b6be13706769ab5049324dcd417aae098177641a

                SHA512

                af5c1c87ac924ee374da8fdbdb9d343dbd2d3c606bd94c5df70a495bf57d3c6af63267f183e76c04a900b1b1779010c3ef235b255b5eae81a6a8153cc6474426

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\f35D1.tmp
                Filesize

                1.2MB

                MD5

                283f73f0127dfc7749a1fa7017209a1a

                SHA1

                105b8e8b629f8251ebd71170263c6d9ac55b0bab

                SHA256

                393799f88c256fa41bea730af81ef5273ce07f8ad918374dc78b1bcd1515cc5e

                SHA512

                106c8c07bec1b7592d0c5105f9fead70300488a2b1b68772cc558b2a8a678c24972b7ad837b3facf24bc550cfa0f08c0cdb70d8ecba7e51695643cd8884ec5dc

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\j78Arn.cmd
                Filesize

                191B

                MD5

                38a838baab6a4cdee81bc70a5ba5fc78

                SHA1

                be9467e61cb20503ee6cce6cb42ea9c798c20fa8

                SHA256

                726201df45310074a2abe21ebaf89fb1e769c897dea8b3295c1091b683efc283

                SHA512

                9829a347f19ea33e12616aa042ab3e05cc2d22d59ce3fe74af0fd8bbdcab46959c6567c8359d843040399588f8d76287ee8cae99fad726ca8a05cc53913194dc

                Download Submit

              • C:\Users\Admin\AppData\Roaming\DGgkf\dpapimig.exe
                Filesize

                73KB

                MD5

                0e8b8abea4e23ddc9a70614f3f651303

                SHA1

                6d332ba4e7a78039f75b211845514ab35ab467b2

                SHA256

                66fc6b68e54b8840a38b4de980cc22aed21009afc1494a9cc68e892329f076a1

                SHA512

                4feded78f9b953472266693e0943030d00f82a5cc8559df60ae0479de281164155e19687afc67cba74d04bb9ad092f5c7732f2d2f9b06274ca2ae87dc2d4a6dc

                Download Submit

              • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mqdbvnnwgmqj.lnk
                Filesize

                884B

                MD5

                e104744bb07a2b9bd48e8c177c636521

                SHA1

                0dc795ac6d8a8814a80abab440f4aac59ceca292

                SHA256

                97b6d14e0c7bc81cf0aa4876da96256536ecea920204cd3b14de3a49d13ea5ad

                SHA512

                df4335fc1eb203ceef59b64c9fccac328e297257082f76a48b853c4bc7992edc8eafc481a438d9c7549d9a4fa7deec5ee5a2bfc59388b2e6d7d09f2e441ea5a0

                Download Submit

              • memory/1232-30-0x0000000140000000-0x00000001400F8000-memory.dmp

                Filesize

                992KB

                Download

              • memory/1232-26-0x0000000140000000-0x00000001400F8000-memory.dmp

                Filesize

                992KB

                Download

              • memory/1232-10-0x0000000140000000-0x00000001400F8000-memory.dmp

                Filesize

                992KB

                Download

              • memory/1232-11-0x0000000140000000-0x00000001400F8000-memory.dmp

                Filesize

                992KB

                Download

              • memory/1232-12-0x0000000140000000-0x00000001400F8000-memory.dmp

                Filesize

                992KB

                Download

              • memory/1232-13-0x0000000140000000-0x00000001400F8000-memory.dmp

                Filesize

                992KB

                Download

              • memory/1232-15-0x0000000140000000-0x00000001400F8000-memory.dmp

                Filesize

                992KB

                Download

              • memory/1232-16-0x0000000140000000-0x00000001400F8000-memory.dmp

                Filesize

                992KB

                Download

              • memory/1232-14-0x0000000140000000-0x00000001400F8000-memory.dmp

                Filesize

                992KB

                Download

              • memory/1232-18-0x0000000140000000-0x00000001400F8000-memory.dmp

                Filesize

                992KB

                Download

              • memory/1232-22-0x0000000140000000-0x00000001400F8000-memory.dmp

                Filesize

                992KB

                Download

              • memory/1232-34-0x0000000002CE0000-0x0000000002CE7000-memory.dmp

                Filesize

                28KB

                Download

              • memory/1232-40-0x00000000777D1000-0x00000000777D2000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1232-39-0x0000000140000000-0x00000001400F8000-memory.dmp

                Filesize

                992KB

                Download

              • memory/1232-31-0x0000000140000000-0x00000001400F8000-memory.dmp

                Filesize

                992KB

                Download

              • memory/1232-103-0x00000000776C6000-0x00000000776C7000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1232-29-0x0000000140000000-0x00000001400F8000-memory.dmp

                Filesize

                992KB

                Download

              • memory/1232-28-0x0000000140000000-0x00000001400F8000-memory.dmp

                Filesize

                992KB

                Download

              • memory/1232-27-0x0000000140000000-0x00000001400F8000-memory.dmp

                Filesize

                992KB

                Download

              • memory/1232-9-0x0000000140000000-0x00000001400F8000-memory.dmp

                Filesize

                992KB

                Download

              • memory/1232-25-0x0000000140000000-0x00000001400F8000-memory.dmp

                Filesize

                992KB

                Download

              • memory/1232-24-0x0000000140000000-0x00000001400F8000-memory.dmp

                Filesize

                992KB

                Download

              • memory/1232-23-0x0000000140000000-0x00000001400F8000-memory.dmp

                Filesize

                992KB

                Download

              • memory/1232-21-0x0000000140000000-0x00000001400F8000-memory.dmp

                Filesize

                992KB

                Download

              • memory/1232-20-0x0000000140000000-0x00000001400F8000-memory.dmp

                Filesize

                992KB

                Download

              • memory/1232-19-0x0000000140000000-0x00000001400F8000-memory.dmp

                Filesize

                992KB

                Download

              • memory/1232-49-0x0000000140000000-0x00000001400F8000-memory.dmp

                Filesize

                992KB

                Download

              • memory/1232-51-0x0000000077930000-0x0000000077932000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1232-54-0x0000000140000000-0x00000001400F8000-memory.dmp

                Filesize

                992KB

                Download

              • memory/1232-55-0x0000000140000000-0x00000001400F8000-memory.dmp

                Filesize

                992KB

                Download

              • memory/1232-17-0x0000000140000000-0x00000001400F8000-memory.dmp

                Filesize

                992KB

                Download

              • memory/1232-8-0x0000000140000000-0x00000001400F8000-memory.dmp

                Filesize

                992KB

                Download

              • memory/1232-7-0x0000000140000000-0x00000001400F8000-memory.dmp

                Filesize

                992KB

                Download

              • memory/1232-3-0x00000000776C6000-0x00000000776C7000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1232-4-0x0000000002DB0000-0x0000000002DB1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2932-6-0x0000000140000000-0x00000001400F8000-memory.dmp

                Filesize

                992KB

                Download

              • memory/2932-1-0x0000000140000000-0x00000001400F8000-memory.dmp

                Filesize

                992KB

                Download

              • memory/2932-0-0x0000000000190000-0x0000000000197000-memory.dmp

                Filesize

                28KB

                Download