Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

fe4dffba11...be.dll

windows7-x64

7

fe4dffba11...be.dll

windows10-2004-x64

6

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/06/2024, 05:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fe4dffba118410b2e1b57bef1b099ac643e338b2e8b34ee8252b5672038b7fbe.dll

  • Size

    992KB

  • MD5

    97cc324c3e119a1e92d47865a2e821be

  • SHA1

    d95f93e8b18b901a3454370e35c2172cd47149da

  • SHA256

    fe4dffba118410b2e1b57bef1b099ac643e338b2e8b34ee8252b5672038b7fbe

  • SHA512

    f806756c4ccb464ec2866e9aee8ee21cf81bb88cfa906e0055ebb352e287280b8f75b06bef987a524b401a935f0b7dd81be3221716edfe6dda59e9fad7f0dcc4

  • SSDEEP

    12288:nrHGPv5SmptEDmUWuVZkxikdXcqifhqq:6PvQmptPUBDkxBdXcHfhq

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 13 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\fe4dffba118410b2e1b57bef1b099ac643e338b2e8b34ee8252b5672038b7fbe.dll,#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2752
  • C:\Windows\system32\MdSched.exe
    C:\Windows\system32\MdSched.exe
    1⤵
      PID:3044
    • C:\Windows\system32\ResetEngine.exe
      C:\Windows\system32\ResetEngine.exe
      1⤵
        PID:3312
      • C:\Windows\system32\cleanmgr.exe
        C:\Windows\system32\cleanmgr.exe
        1⤵
          PID:952
        • C:\Windows\system32\MdRes.exe
          C:\Windows\system32\MdRes.exe
          1⤵
            PID:2708
          • C:\Windows\system32\mavinject.exe
            C:\Windows\system32\mavinject.exe
            1⤵
              PID:2984
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe
              1⤵
                PID:3012
              • C:\Windows\system32\mstsc.exe
                C:\Windows\system32\mstsc.exe
                1⤵
                  PID:2020
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\IFtQW.cmd
                  1⤵
                    PID:4928
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{3a9698a7-8b59-5789-8186-33aeee771cee}"
                    1⤵
                    • Suspicious use of WriteProcessMemory
                    PID:804
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{3a9698a7-8b59-5789-8186-33aeee771cee}"
                      2⤵
                        PID:1904
                    • C:\Windows\system32\DTUHandler.exe
                      C:\Windows\system32\DTUHandler.exe
                      1⤵
                        PID:888
                      • C:\Windows\system32\printui.exe
                        C:\Windows\system32\printui.exe
                        1⤵
                          PID:2204
                        • C:\Windows\system32\RdpSaProxy.exe
                          C:\Windows\system32\RdpSaProxy.exe
                          1⤵
                            PID:624
                          • C:\Windows\system32\BitLockerDeviceEncryption.exe
                            C:\Windows\system32\BitLockerDeviceEncryption.exe
                            1⤵
                              PID:4652
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\zhYP.cmd
                              1⤵
                              • Drops file in System32 directory
                              PID:4180
                            • C:\Windows\System32\fodhelper.exe
                              "C:\Windows\System32\fodhelper.exe"
                              1⤵
                              • Suspicious use of WriteProcessMemory
                              PID:2572
                              • C:\Windows\system32\cmd.exe
                                "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\0azG20t.cmd
                                2⤵
                                • Suspicious use of WriteProcessMemory
                                PID:2044
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /Create /F /TN "Niazd" /SC minute /MO 60 /TR "C:\Windows\system32\4064\BitLockerDeviceEncryption.exe" /RL highest
                                  3⤵
                                  • Creates scheduled task(s)
                                  PID:3020

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Temp\0azG20t.cmd
                              Filesize

                              141B

                              MD5

                              2870586af24bb4d0a35b96a1cd285b6d

                              SHA1

                              31e0f5434710a0de35dde06b92a2453b32491912

                              SHA256

                              2c443f1c00e10fbd0c240b44f783c9ea0342b47a67ee71b5a1a2a59f79963a9a

                              SHA512

                              738f5ed861a9c57224f97b29df55c465000e6da18be9bb865c717332fe276fdc35443f7abd8fe7fd58fc76bba08647870c1e4bf232397531945ba35b48fc66d1

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\G5890.tmp
                              Filesize

                              996KB

                              MD5

                              a47bb5f75d25fafae3427e67e53cc0ae

                              SHA1

                              fd5043c734b409f65764c8810d21d5df36355639

                              SHA256

                              8e6183b1a9b49fcb609e2e8a52662551dc2ba185b31a7272ca71f4e236aa6109

                              SHA512

                              20f569cda64abc323762037e2aca6ba7021703ffc628800fcd28360d634df60851577d505159c53183b6829c9a597a69db75bcba3e025267ed8d0aeb2b68a259

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\IFtQW.cmd
                              Filesize

                              226B

                              MD5

                              ad7b4fd6929ed12ba001e65597fd0e51

                              SHA1

                              16128e6dd4655df11fbb114043596092283ce0e6

                              SHA256

                              9e47e984003ecde432cc5fff9620759de15df3f5a0844c96b54036290327a9b7

                              SHA512

                              713392e53d427d6b0501b011a4fb806e0548d5fadce3ea2ff73b246e4a199d718e9741881b49b26dff7444600315ac325ac7c525dbd7a9f625fff7d77d746c9f

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\zG59BA.tmp
                              Filesize

                              996KB

                              MD5

                              7fa8ae0fb2c324f68d77e6bd3a7f6d74

                              SHA1

                              c86fecbf718d722a2b5e5db9f2a12933a8d8c4ee

                              SHA256

                              73716db138302cec9a0d1c7c5abc00a26e54c3b20b5e50de976bbb08103d0fc4

                              SHA512

                              f5441b597b64fa0724d751ee3c3462ef05b0b6b663a9ab767d02fce19dc0a4088153b8b2b5cc5690a5a2ad9367e3f6598ad381371be2b1ff6aa133f0bb8285a4

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\zhYP.cmd
                              Filesize

                              210B

                              MD5

                              47a903184848b493a250ba2911627728

                              SHA1

                              1a163135a185a9e495907ad728e3a245204aecde

                              SHA256

                              106980cc47dd60f7501665e7688439446f0ef04fb1c86f7077a268a3ccb28ffd

                              SHA512

                              5b35c8b4db2428ff1fe8ea8c834d10ddcec747ef86810ece80652c40d49fbe654db9676229420c5afa196d30702661b7c58249c4151d90503a9c797673ffeea5

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iphtcfjrejti.lnk
                              Filesize

                              892B

                              MD5

                              222ec960fb9549ff48ea46dfef760e96

                              SHA1

                              4a72825f78f4d9a08d2a07577ea064158e394b46

                              SHA256

                              27148177ef5829c817b31dccc51fb66ce6f62a1d3cd72c17d9ee714cc8b6832d

                              SHA512

                              41a6cd789829c5e70e165259fec926baa662e89e0d0aa8441b3ebf7efe995cc51d4496a52d5c5c767d4205a5b886763606268f6f8bcf15c86a4d0da5e8c99989

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\ZcygL\mstsc.exe
                              Filesize

                              1.5MB

                              MD5

                              3a26640414cee37ff5b36154b1a0b261

                              SHA1

                              e0c28b5fdf53a202a7543b67bbc97214bad490ed

                              SHA256

                              1d1b6b2edac7ac6494c9eecda3afb804f679d7190f4d1a80929380e85743823f

                              SHA512

                              76fc70ead57ddacd3dbcec1a4772bd46924d30b30018a36b13052d2f7272cc86b63bf85d5e4ec04aac08630d4b2637ca6e7d35c08ce6b675d63ed011f7d95ba2

                              Download Submit

                            • memory/2752-2-0x000002BA7A7B0000-0x000002BA7A7B7000-memory.dmp

                              Filesize

                              28KB

                              Download

                            • memory/2752-0-0x0000000140000000-0x00000001400F8000-memory.dmp

                              Filesize

                              992KB

                              Download

                            • memory/2752-5-0x0000000140000000-0x00000001400F8000-memory.dmp

                              Filesize

                              992KB

                              Download

                            • memory/3488-31-0x0000000140000000-0x00000001400F8000-memory.dmp

                              Filesize

                              992KB

                              Download

                            • memory/3488-25-0x0000000140000000-0x00000001400F8000-memory.dmp

                              Filesize

                              992KB

                              Download

                            • memory/3488-47-0x0000000140000000-0x00000001400F8000-memory.dmp

                              Filesize

                              992KB

                              Download

                            • memory/3488-26-0x0000000140000000-0x00000001400F8000-memory.dmp

                              Filesize

                              992KB

                              Download

                            • memory/3488-10-0x0000000140000000-0x00000001400F8000-memory.dmp

                              Filesize

                              992KB

                              Download

                            • memory/3488-59-0x0000000140000000-0x00000001400F8000-memory.dmp

                              Filesize

                              992KB

                              Download

                            • memory/3488-16-0x0000000140000000-0x00000001400F8000-memory.dmp

                              Filesize

                              992KB

                              Download

                            • memory/3488-19-0x0000000140000000-0x00000001400F8000-memory.dmp

                              Filesize

                              992KB

                              Download

                            • memory/3488-49-0x00000000087F0000-0x00000000087F7000-memory.dmp

                              Filesize

                              28KB

                              Download

                            • memory/3488-38-0x0000000140000000-0x00000001400F8000-memory.dmp

                              Filesize

                              992KB

                              Download

                            • memory/3488-6-0x00007FF80C3AA000-0x00007FF80C3AB000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/3488-30-0x0000000140000000-0x00000001400F8000-memory.dmp

                              Filesize

                              992KB

                              Download

                            • memory/3488-29-0x0000000140000000-0x00000001400F8000-memory.dmp

                              Filesize

                              992KB

                              Download

                            • memory/3488-28-0x0000000140000000-0x00000001400F8000-memory.dmp

                              Filesize

                              992KB

                              Download

                            • memory/3488-27-0x0000000140000000-0x00000001400F8000-memory.dmp

                              Filesize

                              992KB

                              Download

                            • memory/3488-50-0x00007FF80DF40000-0x00007FF80DF50000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/3488-24-0x0000000140000000-0x00000001400F8000-memory.dmp

                              Filesize

                              992KB

                              Download

                            • memory/3488-23-0x0000000140000000-0x00000001400F8000-memory.dmp

                              Filesize

                              992KB

                              Download

                            • memory/3488-22-0x0000000140000000-0x00000001400F8000-memory.dmp

                              Filesize

                              992KB

                              Download

                            • memory/3488-21-0x0000000140000000-0x00000001400F8000-memory.dmp

                              Filesize

                              992KB

                              Download

                            • memory/3488-20-0x0000000140000000-0x00000001400F8000-memory.dmp

                              Filesize

                              992KB

                              Download

                            • memory/3488-18-0x0000000140000000-0x00000001400F8000-memory.dmp

                              Filesize

                              992KB

                              Download

                            • memory/3488-17-0x0000000140000000-0x00000001400F8000-memory.dmp

                              Filesize

                              992KB

                              Download

                            • memory/3488-15-0x0000000140000000-0x00000001400F8000-memory.dmp

                              Filesize

                              992KB

                              Download

                            • memory/3488-14-0x0000000140000000-0x00000001400F8000-memory.dmp

                              Filesize

                              992KB

                              Download

                            • memory/3488-13-0x0000000140000000-0x00000001400F8000-memory.dmp

                              Filesize

                              992KB

                              Download

                            • memory/3488-12-0x0000000140000000-0x00000001400F8000-memory.dmp

                              Filesize

                              992KB

                              Download

                            • memory/3488-11-0x0000000140000000-0x00000001400F8000-memory.dmp

                              Filesize

                              992KB

                              Download

                            • memory/3488-9-0x0000000140000000-0x00000001400F8000-memory.dmp

                              Filesize

                              992KB

                              Download

                            • memory/3488-8-0x0000000140000000-0x00000001400F8000-memory.dmp

                              Filesize

                              992KB

                              Download

                            • memory/3488-7-0x0000000140000000-0x00000001400F8000-memory.dmp

                              Filesize

                              992KB

                              Download

                            • memory/3488-3-0x00000000089B0000-0x00000000089B1000-memory.dmp

                              Filesize

                              4KB

                              Download