
Analysis

  • max time kernel
    111s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/10/2024, 12:42

General

  • Target

    98cdf9280fd6449b15e2b3d519841439bd60e3198e471dbbae8ecbba35339b2eN.dll

  • Size

    56KB

  • MD5

    8fbd55a5c56d992a67250188dea506f0

  • SHA1

    1b8387cd4701c84ce21f24a5d873752f02dbde09

  • SHA256

    98cdf9280fd6449b15e2b3d519841439bd60e3198e471dbbae8ecbba35339b2e

  • SHA512

    d2af17d34e6a1bff287eb585c66bc99c6dd01bb325eb96eabd6a41b55cdc75fb49547777ac4d6461e18b256e5a759b33460f1174473468841db488b6608d04fc

  • SSDEEP

    768:PlGGcRxO4sksBUEm1Hk3CjV3dBEsZy1I+58tsW4pahGmItOxL+KnoRuk3yv4Avjf:PEa4LJkSjVjEsoy+58clmItOxL3dv4

Malware Config

Signatures

  • Server Software Component: Terminal Services DLL (ATT&CK T1505.005; 1 TTP, 1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Drops file in System32 directory (2 IoCs)
  • System Location Discovery: System Language Discovery (ATT&CK T1614.001; 1 TTP, 2 IoCs)

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\98cdf9280fd6449b15e2b3d519841439bd60e3198e471dbbae8ecbba35339b2eN.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4916
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\98cdf9280fd6449b15e2b3d519841439bd60e3198e471dbbae8ecbba35339b2eN.dll,#1
      2⤵
      • Server Software Component: Terminal Services DLL
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3620
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k DcomSec -s ifixshooxlSv
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:1424
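
The process tree above shows the pattern behind the Terminal Services DLL signature: a 32-bit svchost.exe is started with a service group that is not a stock Windows group (-k DcomSec) to host a single service (-s ifixshooxlSv), shortly after rundll32.exe wrote svcifixsho.dll into SysWOW64 (listed under Downloads below). The following is an added hunting example, not part of the Triage report or of the sample: it runs simple detection logic over constructed process-creation and file-write records shaped like the report's events. The allow-list of svchost groups is abbreviated, the list of trusted DLL writers is an assumption, and the mapping of service name ifixshooxlSv to svcifixsho.dll is assumed, since the report lists the dropped DLL but does not show the ServiceDll registry value.

```python
import re
from dataclasses import dataclass, field

# Abbreviated allow-list of stock Windows 10 svchost service groups, i.e. the value
# names under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost.
# Assumption: a real hunt should dump this key from a clean reference build;
# "DcomSec" from the report is not among the stock groups.
KNOWN_SVCHOST_GROUPS = {
    "dcomlaunch", "rpcss", "netsvcs", "localservice", "networkservice",
    "localsystemnetworkrestricted", "localservicenonetwork",
    "localservicenetworkrestricted", "localservicenoimpersonation",
    "networkservicenetworkrestricted", "wsappx", "unistacksvcgroup",
    "netprofm", "utcsvc", "appmodel", "camera", "print", "wbiosrvc",
    "smbsvcs", "termsvcs",
}

# Processes that legitimately write service DLLs into the Windows directory.
# Assumption: tune to the environment; installers vary.
TRUSTED_WRITERS = ("\\msiexec.exe", "\\tiworker.exe", "\\trustedinstaller.exe")

SVC_GROUP = re.compile(r"(?i)(?:^|\s)-k\s+(\S+)")
SVC_NAME = re.compile(r"(?i)(?:^|\s)-s\s+(\S+)")


@dataclass
class Event:
    kind: str            # "process" (creation) or "filewrite"
    pid: int
    image: str
    cmdline: str = ""    # process events only
    target: str = ""     # filewrite events: path written


@dataclass
class Finding:
    pid: int
    service: str
    reasons: list = field(default_factory=list)


def norm(path):
    """Lower-case a Windows path and strip the NT \\??\\ prefix Triage shows."""
    return path.lower().replace("/", "\\").removeprefix("\\??\\")


def hunt(events, service_dlls, known_groups=KNOWN_SVCHOST_GROUPS):
    """Return a Finding for each svchost.exe launch that looks like a planted service DLL.

    service_dlls maps lower-cased service name -> ServiceDll path, as read from
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name>\\Parameters\\ServiceDll.
    """
    writers = {norm(e.target): (e.image, e.pid) for e in events if e.kind == "filewrite"}
    findings = []
    for e in events:
        if e.kind != "process" or not e.image.lower().endswith("\\svchost.exe"):
            continue
        group = SVC_GROUP.search(e.cmdline)
        name = SVC_NAME.search(e.cmdline)
        if not group or not name:
            continue
        f = Finding(e.pid, name.group(1))
        if "\\syswow64\\" in e.image.lower():
            f.reasons.append("32-bit svchost.exe image on a 64-bit host")
        if group.group(1).lower() not in known_groups:
            f.reasons.append(f"unknown svchost group '{group.group(1)}'")
        dll = service_dlls.get(name.group(1).lower())
        if dll is None:
            f.reasons.append("no ServiceDll recorded for this service")
        else:
            d = norm(dll)
            if not d.startswith("c:\\windows\\system32\\"):
                f.reasons.append(f"ServiceDll outside System32: {dll}")
            writer = writers.get(d)
            if writer and not writer[0].lower().endswith(TRUSTED_WRITERS):
                f.reasons.append(f"ServiceDll written by {writer[0]} (pid {writer[1]})")
        if f.reasons:
            findings.append(f)
    return findings


# Constructed records shaped like the report's process tree and Downloads list.
SAMPLE_EVENTS = [
    Event("filewrite", 3620, r"C:\Windows\SysWOW64\rundll32.exe",
          target=r"\??\c:\windows\SysWOW64\svcifixsho.dll"),
    Event("process", 1424, r"C:\Windows\SysWOW64\svchost.exe",
          cmdline=r"C:\Windows\SysWOW64\svchost.exe -k DcomSec -s ifixshooxlSv"),
    # Benign control: the Task Scheduler service in the stock netsvcs group.
    Event("process", 1100, r"C:\Windows\System32\svchost.exe",
          cmdline=r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"),
]

# Assumed ServiceDll values; the report does not show the registry write itself.
SAMPLE_SERVICE_DLLS = {
    "ifixshooxlsv": r"C:\Windows\SysWOW64\svcifixsho.dll",
    "schedule": r"C:\Windows\System32\schedsvc.dll",
}

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS, SAMPLE_SERVICE_DLLS):
        print(f"svchost pid {f.pid} service {f.service}:")
        for r in f.reasons:
            print("  -", r)
```

On the constructed records the benign Schedule launch produces nothing, while the DcomSec launch is flagged four times: 32-bit svchost image, unknown group, ServiceDll outside System32, and ServiceDll written by rundll32.exe. On a live host the same logic is fed from Sysmon event IDs 1 and 11 (or the equivalent EDR telemetry) plus a dump of each service's Parameters\ServiceDll value; the group allow-list and trusted-writer list are the two knobs that need per-environment tuning.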

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\lse8107.tmp

    Filesize

    56KB

    MD5

    3287d7ceb277d895974df2fcad5050fd

    SHA1

    6279281acfbc197941004721f7d816561a11a116

    SHA256

    e22c589025de4535be1de6fd66518889b4adca531042416309f7a855be7bd461

    SHA512

    0a452301ddf92e16493f642d3eb72ecc7e267bd2d78fe4a9d3843e5329fe36e281536a51f0622fc0cbd7f2e55c19cbe2b45c6baaf2986855b6a79cdba7e8ff7f

  • C:\logbot.txt

    Filesize

    2KB

    MD5

    6ed079d5d0eeae8eb155592f31a9172e

    SHA1

    3a570d01029393536c3ad1b910eb187822922819

    SHA256

    8763dff6b2bcf0c5601b435cc5b0eb249d63ea046322b6c7317dd034de0262a8

    SHA512

    f111ab14db1918904fc0387ad6faf623e957f570fc440ca306257eca74d4161060c5c478d4ecb6c1bc1d750f3a4fc0862063aa87fdd162f66dbbe78a309256bc

  • \??\c:\logbot.txt

    Filesize

    3KB

    MD5

    e2351b2442e4653a05ffe3f06f83f0c4

    SHA1

    acdfa63853a2a63ef797780622789774e968a1ee

    SHA256

    5165ad0a58a9e819c701406c44b94ac03318cc33ceb1291d06644802ab18f891

    SHA512

    87718b3939674719313de339ac5ab55480257eb8391eb3241fe0980eb439a91dd2d7e41f0a74154e98ca5f5cccb4faef9f21812b8b6b6a90861f80b7161dd42b

  • \??\c:\logbot.txt

    Filesize

    4KB

    MD5

    f62a3448cafcadc847ccc11d2c9eb914

    SHA1

    4cdd313667d7052614399c6fdb76d81f69c668ba

    SHA256

    7bfe189601eece10b54cc2d83917cac8bb359f2f6b5accac899229e8395288da

    SHA512

    483c4db5d6b59319fc2e15fc0be7be4d840e18a2b7c53ffc64d20016bed9be944d11b38cdaaa0052782e8182d8d5cc6f7774fa65b182e95aa665b92b1afdbdf6

  • \??\c:\windows\SysWOW64\svcifixsho.dll

    Filesize

    56KB

    MD5

    9cb22834df30bde2b237d1f8c6ac3984

    SHA1

    838dd20105dd767c4dadd0f9b7c7b7db836e6f6f

    SHA256

    9e4b294dec4c9a97423cd095edace1e07ded5c378727501291c8f13e9fc86eee

    SHA512

    baf8a8d5516f3fddb55e3944097b7eb2f65b821d7d381390aef66a02bc6720c5bc4c5af98b3abe4052d5b2ef7285e7fc4573912ae79ae3d47840cb4d1c52fc51

  • memory/1424-34-0x0000000074D60000-0x0000000074D71000-memory.dmp

    Filesize

    68KB

  • memory/1424-53-0x0000000074D60000-0x0000000074D71000-memory.dmp

    Filesize

    68KB

  • memory/3620-0-0x0000000074F50000-0x0000000074F61000-memory.dmp

    Filesize

    68KB

  • memory/3620-18-0x0000000074D80000-0x0000000074D91000-memory.dmp

    Filesize

    68KB

  • memory/3620-51-0x0000000074F50000-0x0000000074F61000-memory.dmp

    Filesize

    68KB

  • memory/3620-52-0x0000000074D80000-0x0000000074D91000-memory.dmp

    Filesize

    68KB