Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
7Static
static
3~x64__x32_...__.zip
windows7-x64
1~x64__x32_...__.zip
windows10-2004-x64
1fh/HalExtI...MA.dll
windows10-2004-x64
1fh/fh.dll
windows10-2004-x64
1fh/gpsvc.dll
windows10-2004-x64
1fh/msftedit.dll
windows10-2004-x64
1rmclient/SEMgrSvc.dll
windows10-2004-x64
1rmclient/SRH.dll
windows10-2004-x64
1rmclient/rilproxy.dll
windows10-2004-x64
1rmclient/rmclient.dll
windows10-2004-x64
1vdsbas/Tok...er.dll
windows10-2004-x64
1vdsbas/Vault.dll
windows10-2004-x64
1vdsbas/tquery.dll
windows10-2004-x64
1vdsbas/vdsbas.dll
windows10-2004-x64
1winspool/wdmaud.dll
windows10-2004-x64
1winspool/winspool.dll
windows10-2004-x64
1winspool/wvc.dll
windows10-2004-x64
7x64__insta....5.msi
windows7-x64
6x64__insta....5.msi
windows10-2004-x64
6Analysis
-
max time kernel
0s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
02/08/2024, 14:17
Static task
static1
Behavioral task
behavioral1
Sample
~x64__x32__installer__.zip
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral2
Sample
~x64__x32__installer__.zip
Resource
win10v2004-20240730-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
fh/HalExtIntcLpioDMA.dll
Resource
win10v2004-20240730-en
windows10-2004-x64
Behavioral task
behavioral4
Sample
fh/fh.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
fh/gpsvc.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral6
Sample
fh/msftedit.dll
Resource
win10v2004-20240730-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
rmclient/SEMgrSvc.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral8
Sample
rmclient/SRH.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
rmclient/rilproxy.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral10
Sample
rmclient/rmclient.dll
Resource
win10v2004-20240730-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
vdsbas/TokenBroker.dll
Resource
win10v2004-20240730-en
windows10-2004-x64
Behavioral task
behavioral12
Sample
vdsbas/Vault.dll
Resource
win10v2004-20240730-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
vdsbas/tquery.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral14
Sample
vdsbas/vdsbas.dll
Resource
win10v2004-20240730-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
winspool/wdmaud.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral16
Sample
winspool/winspool.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
winspool/wvc.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral18
Sample
x64__installer__v2.0.5.msi
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral19
Sample
x64__installer__v2.0.5.msi
Resource
win10v2004-20240730-en
windows10-2004-x64
General
-
Target
winspool/wvc.dll
-
Size
566KB
-
MD5
5458c03d999412dfc5572a5382143319
-
SHA1
6460d719858580d9a8d8e326a244101bfa1ca7d4
-
SHA256
a006717da8c564af956f5e49586cacdaada23fb5b96e0d0134e56c510546162b
-
SHA512
0291160ddb65f98631c639e6a0d8994c3ae8e1b42eb2b62e1b19349e2988684976e1462e98721fa8093dc142f01fed162a1997d584de3980a3158de80c0c54ae
-
SSDEEP
6144:USZghpaCpkXQmZ5K667Ncv5KbL69joiBDoq7oLrynrwqD8u4GkOoiO2:VahpaCSXh67Y5i45V98Hp2
Malware Config
Signatures
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCE1BA4-01DC-11D4-AE77-00C04F613171}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCE1C16-01DC-11D4-AE77-00C04F613171} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CCE1C1C-01DC-11D4-AE77-00C04F613171}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCE1BE9-01DC-11D4-AE77-00C04F613171}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CCE1C1D-01DC-11D4-AE77-00C04F613171} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCE1BF2-01DC-11D4-AE77-00C04F613171}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCE1BF6-01DC-11D4-AE77-00C04F613171}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CCE1C1B-01DC-11D4-AE77-00C04F613171}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5CCE1B98-01DC-11D4-AE77-00C04F613171}\1.0\ = "Windows Visual Components 9.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCE1BB4-01DC-11D4-AE77-00C04F613171} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CCE1BF0-01DC-11D4-AE77-00C04F613171}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CCE1BEB-01DC-11D4-AE77-00C04F613171} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCE1BEF-01DC-11D4-AE77-00C04F613171}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCE1BF3-01DC-11D4-AE77-00C04F613171}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CCE1B9C-01DC-11D4-AE77-00C04F613171}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCE1C1E-01DC-11D4-AE77-00C04F613171}\TypeLib\ = "{5CCE1B98-01DC-11D4-AE77-00C04F613171}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCE1BEB-01DC-11D4-AE77-00C04F613171}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CCE1C1C-01DC-11D4-AE77-00C04F613171}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCE1C1A-01DC-11D4-AE77-00C04F613171}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CCE1BF8-01DC-11D4-AE77-00C04F613171} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CCE1BA4-01DC-11D4-AE77-00C04F613171}\ = "WCBorder" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CCE1BEF-01DC-11D4-AE77-00C04F613171}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CCE1BF1-01DC-11D4-AE77-00C04F613171}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCE1BF2-01DC-11D4-AE77-00C04F613171}\ = "WCTrendlines" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCE1BB4-01DC-11D4-AE77-00C04F613171}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CCE1BB4-01DC-11D4-AE77-00C04F613171}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CCE1BED-01DC-11D4-AE77-00C04F613171}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CCE1C1D-01DC-11D4-AE77-00C04F613171}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCE1BAC-01DC-11D4-AE77-00C04F613171}\ = "IWinChartEvents" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CCE1C16-01DC-11D4-AE77-00C04F613171}\ = "WCCharts" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCE1BED-01DC-11D4-AE77-00C04F613171}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CCE1BE9-01DC-11D4-AE77-00C04F613171}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCE1C15-01DC-11D4-AE77-00C04F613171}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCE1C19-01DC-11D4-AE77-00C04F613171}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CCE1BEF-01DC-11D4-AE77-00C04F613171}\ = "WCSeriesCollection" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCE1BF4-01DC-11D4-AE77-00C04F613171}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CCE1BF4-01DC-11D4-AE77-00C04F613171}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CCE1BAC-01DC-11D4-AE77-00C04F613171}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CCE1BF6-01DC-11D4-AE77-00C04F613171} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCE1B9C-01DC-11D4-AE77-00C04F613171} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCE1C1B-01DC-11D4-AE77-00C04F613171}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCE1BB4-01DC-11D4-AE77-00C04F613171}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCE1BB4-01DC-11D4-AE77-00C04F613171}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CCE1BF0-01DC-11D4-AE77-00C04F613171}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCE1BF2-01DC-11D4-AE77-00C04F613171}\TypeLib\ = "{5CCE1B98-01DC-11D4-AE77-00C04F613171}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CCE1C15-01DC-11D4-AE77-00C04F613171}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCE1BB4-01DC-11D4-AE77-00C04F613171}\TypeLib\ = "{5CCE1B98-01DC-11D4-AE77-00C04F613171}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CCE1C16-01DC-11D4-AE77-00C04F613171}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CCE1C17-01DC-11D4-AE77-00C04F613171}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCE1BED-01DC-11D4-AE77-00C04F613171}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCE1BE9-01DC-11D4-AE77-00C04F613171}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CCE1BA4-01DC-11D4-AE77-00C04F613171} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCE1BED-01DC-11D4-AE77-00C04F613171}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCE1BA4-01DC-11D4-AE77-00C04F613171}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCE1BB8-01DC-11D4-AE77-00C04F613171}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CCE1C1E-01DC-11D4-AE77-00C04F613171}\TypeLib\ = "{5CCE1B98-01DC-11D4-AE77-00C04F613171}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCE1BF3-01DC-11D4-AE77-00C04F613171} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CCE1BF6-01DC-11D4-AE77-00C04F613171}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CCE1C19-01DC-11D4-AE77-00C04F613171}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CCE1BB8-01DC-11D4-AE77-00C04F613171} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCE1B9C-01DC-11D4-AE77-00C04F613171}\ = "WCInterior" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCE1C1B-01DC-11D4-AE77-00C04F613171} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCE1BAC-01DC-11D4-AE77-00C04F613171}\TypeLib\ = "{5CCE1B98-01DC-11D4-AE77-00C04F613171}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CCE1BF8-01DC-11D4-AE77-00C04F613171}\ProxyStubClsid32 regsvr32.exe