Analysis
- max time kernel: 134s
- max time network: 103s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/08/2024, 17:28
Behavioral tasks
task        | sample       | resource
behavioral1 | elfbot.dll   | win7-20240708-en
behavioral2 | elfbot.dll   | win10v2004-20240802-en
behavioral3 | elfload.dll  | win7-20240704-en
behavioral4 | elfload.dll  | win10v2004-20240802-en
behavioral5 | elfload2.dll | win7-20240705-en
behavioral6 | elfload2.dll | win10v2004-20240802-en
General
- Target: elfload2.dll
- Size: 35KB
- MD5: 962687402f3ff0259618a668f9baca6d
- SHA1: 9a06c69fc674c03dd0515feb24853403e15833f2
- SHA256: 4d6980fec7777a4557a08eceda8f77e8cad70e56f4da563ec4e3fac1b4e423f1
- SHA512: 497852d2deb3ecddbc10ac07a6153b9bd7d31abcdaea30ae19dc0792eee2f77e34d5547357d0a43dee26111f6edfa83c9372f4ff42917fc378daed3252e70528
- SSDEEP: 768:+ho2807sCQC7WiwJjKegezHsIvqZhmfKkap0AfTWRewFAdI0bdc:a7sCX7WiwJjKegezHsIvAJJ0ACRzAG0O
Malware Config
Signatures
-
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description       | ioc                                                               | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate     | rundll32.exe
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                          | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  | rundll32.exe
- Modifies registry class (5 IoCs)
  description     | ioc                                                                                                                                         | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F97D07F-1A7E-1F74-4259-375779F76D41}\InprocServer32\ThreadingModel = "Apartment"        | rundll32.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F97D07F-1A7E-1F74-4259-375779F76D41}                                                  | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F97D07F-1A7E-1F74-4259-375779F76D41}\ = "CLSID_ContactUserAccountChangeCallback"      | rundll32.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F97D07F-1A7E-1F74-4259-375779F76D41}\InprocServer32                                   | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F97D07F-1A7E-1F74-4259-375779F76D41}\InprocServer32\ = "%CommonProgramFiles%\\System\\wab32.dll" | rundll32.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                         | pid  | Process
  Token: 33                           | 2412 | rundll32.exe
  Token: SeIncBasePriorityPrivilege   | 2412 | rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                         | pid | Process      | procid_target
  PID 804 wrote to memory of 2412     | 804 | rundll32.exe | 84
  PID 804 wrote to memory of 2412     | 804 | rundll32.exe | 84
  PID 804 wrote to memory of 2412     | 804 | rundll32.exe | 84
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\elfload2.dll,#1
  PID: 804
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\elfload2.dll,#1
    PID: 2412
    - Checks BIOS information in registry
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken