Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
570s -
max time network
592s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
-
submitted
22/08/2024, 15:26
General
-
Target
f4d2c9470b322af29b9188a3a590cbe85bacb9cc8fcd7c2e94d82271ded3f659.dll
-
Size
155KB
-
MD5
7a799f4f9aa63745a75b901a392aff29
-
SHA1
b9983463f637191ba12c2270ac52a547676a7037
-
SHA256
f4d2c9470b322af29b9188a3a590cbe85bacb9cc8fcd7c2e94d82271ded3f659
-
SHA512
e9eeb340dd620256d543ab43d08ccc23b555afa332c744c629fd8f40760f20a24e234955fc8d2e78a150f09028ca7a11650e0da157fff64833f13ce89a208c23
-
SSDEEP
3072:0lCt2jrijQEjnMUWzsjhVPbuGHUluQj6vkZD4vP5iZWyLr:QCIrijNMv6XPbr0kuNr
Malware Config
Extracted
warmcookie
72.5.43.29
-
mutex
a208f030-25f9-4f41-8b57-6b0b7ecccf29
-
user_agent
Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
Signatures
-
Warmcookie, Badspace
Warmcookie aka Badspace is a backdoor written in C++.
-
Blocklisted process makes network request 9 IoCs
-
Loads dropped DLL 1 IoCs
-
Drops file in Windows directory 1 IoCs
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\f4d2c9470b322af29b9188a3a590cbe85bacb9cc8fcd7c2e94d82271ded3f659.dll1⤵
- Drops file in Windows directory
-
C:\Windows\system32\rundll32.exeC:\Windows\system32\rundll32.exe "C:\ProgramData\Tandem\Updater.dll",Start /u1⤵
- Blocklisted process makes network request
- Loads dropped DLL
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
155KB
MD57a799f4f9aa63745a75b901a392aff29
SHA1b9983463f637191ba12c2270ac52a547676a7037
SHA256f4d2c9470b322af29b9188a3a590cbe85bacb9cc8fcd7c2e94d82271ded3f659
SHA512e9eeb340dd620256d543ab43d08ccc23b555afa332c744c629fd8f40760f20a24e234955fc8d2e78a150f09028ca7a11650e0da157fff64833f13ce89a208c23