
Resubmissions

07/11/2024, 21:24 UTC

241107-z8z12ayfnb 8

07/11/2024, 21:23 UTC

241107-z8jdaa1pdl 6

07/11/2024, 21:21 UTC

241107-z7ptnsyjdx 7

Analysis

  • max time kernel
    1330s
  • max time network
    1148s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    07/11/2024, 21:21 UTC

General

  • Target

    Delta V3.61/bin/592.dll

  • Size

    5.7MB

  • MD5

    1334786e5f623e65c3b7c4a8272655ef

  • SHA1

    9dbbf9dc8ecaa9096181ec217468e41acc6c0c84

  • SHA256

    f91da9a8fafbc3c5933e6f97e75e0c9251dc83c58d4cd419979d53859548fb02

  • SHA512

    1a988dc15818ac08fedcd0548f1e472ba034ab9a721bc50ac10dbd3dc0995127e3d5b1198f1bf5fea17b3ea3992be2a03c4447e438cc971bdf92c5c761034059

  • SSDEEP

    98304:zO0rvcHXlDZHYf5vibU6yFA/lgQ/6SPA3WO:zOV3HHbuG4m

Score
3/10

Malware Config

Signatures

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Delta V3.61\bin\592.dll",#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3640
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Delta V3.61\bin\592.dll",#1
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:420
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 420 -s 676
        3⤵
        • Program crash
        PID:5084
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 420 -ip 420
    1⤵
      PID:272

    Network

    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dns.google
    • flag-us
      DNS
      64.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      64.159.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      217.106.137.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      217.106.137.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      79.190.18.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      79.190.18.2.in-addr.arpa
      IN PTR
      Response
      79.190.18.2.in-addr.arpa
      IN PTR
      a2-18-190-79.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      104.219.191.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      104.219.191.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      fd.api.iris.microsoft.com
      Remote address:
      8.8.8.8:53
      Request
      fd.api.iris.microsoft.com
      IN A
      Response
      fd.api.iris.microsoft.com
      IN CNAME
      fd-api-iris.trafficmanager.net
      fd-api-iris.trafficmanager.net
      IN CNAME
      iris-de-prod-azsc-v2-neu.northeurope.cloudapp.azure.com
      iris-de-prod-azsc-v2-neu.northeurope.cloudapp.azure.com
      IN A
      20.223.35.26
    • flag-ie
      GET
      https://fd.api.iris.microsoft.com/v4/api/selection?&asid=BA4BF613B30448529BC6DA09B1491BD5&nct=1&placement=88000677&bcnt=30&country=US&locale=en-US&poptin=0&fmt=json&clr=cdmlite&arch=AMD64&concp=0&d3dfl=D3D_FEATURE_LEVEL_12_1&devfam=Windows.Desktop&devosver=10.0.19044.4529&dinst=1729692948&dmret=0&drgng=244&flightbranch=&flightring=Retail&localid=w%3ABD1D82DF-500F-E4D5-DF24-8796A3BD9F3D&osbranch=vb_release&oslocale=en-US&osret=1&ossku=EnterpriseS&osskuid=125&prccn=2&prccs=4192&prcmf=AuthenticAMD&procm=Intel%20Core%20Processor%20%28Broadwell%29&ram=4095&tinst=Client&tl=1&pat=0&smc=0&sac=0&disphorzres=1280&dispsize=14.7&dispvertres=720&ldisphorzres=1280&ldispvertres=720&moncnt=1&cpdsk=241361&frdsk=209743&lo=22026&tsu=22026
      Remote address:
      20.223.35.26:443
      Request
      GET /v4/api/selection?&asid=BA4BF613B30448529BC6DA09B1491BD5&nct=1&placement=88000677&bcnt=30&country=US&locale=en-US&poptin=0&fmt=json&clr=cdmlite&arch=AMD64&concp=0&d3dfl=D3D_FEATURE_LEVEL_12_1&devfam=Windows.Desktop&devosver=10.0.19044.4529&dinst=1729692948&dmret=0&drgng=244&flightbranch=&flightring=Retail&localid=w%3ABD1D82DF-500F-E4D5-DF24-8796A3BD9F3D&osbranch=vb_release&oslocale=en-US&osret=1&ossku=EnterpriseS&osskuid=125&prccn=2&prccs=4192&prcmf=AuthenticAMD&procm=Intel%20Core%20Processor%20%28Broadwell%29&ram=4095&tinst=Client&tl=1&pat=0&smc=0&sac=0&disphorzres=1280&dispsize=14.7&dispvertres=720&ldisphorzres=1280&ldispvertres=720&moncnt=1&cpdsk=241361&frdsk=209743&lo=22026&tsu=22026 HTTP/2.0
      host: fd.api.iris.microsoft.com
      accept-encoding: gzip, deflate
      x-sdk-hw-token: t=EwDoAppeBAAUGoFunEzxzyai/T0i5tnZAAR1eX0AAXWDtu1yFAxyIhOFx6qZ+6UT15Or9qHl+N40WWHwmlS++KQscfZ2k5Lqh7fsDt3sFzmScn34ESsQnjDC4XoyNYYsuGm/VJm98AR5lslXGSF5ZLa74kLgV+/XaR1klcdA6ZbVbF00gYUloAO311Dq4LkrUdDLXHiFCK4J55Kow+bfJzC4H92zmHok+T+BVmzP8pI/MQi4DGKvy5Ahw90HMm8E9rCRkKupLOXpSuD9YNwqR6lp8/rOzeaTGMKd00dn6pflOtJ/4okwwfdjb1eZNedNkkEVXRwcYcBAqYYrhSeb31kRMy4t26u+GKEJ6c3/I1N7hGWZKBdHBl8N5kyxHYgQZgAAEJGnHPRZe/rmXzZC+0O4eC2wAZ6gEjKnlLyFWZEuGXjsJZBHRIJdjaBRyzY0NBORKwt+iFELt+DrzIxkfZjtU2dK6yRaHDPKIPFnGgqoipafhCBDswOVMad7AvJYM3BQp7V+CI9F+1EwlPCjwLjVk6ld9ZAnapEfHsHTH2KIaGoC2eadaGnLqxbGy6ubfl9QGRwMVnwyvJaLyI5GyyNGHHj0EM4po/JEecSTiRL5IYCuqOsfrQMJ8zsCUwSljWCSaAvcq8morrn0e//KapV1jq9b/Sx5X+XREzd45+R6WNEmFgZRgQLYBm7X6quHcLsXF5ksgAp0BlWgrt2X3MRQT/G8Jo/QVJYiBZhHCvwJ8j8R7taGZ227sMklia3IXtDdLKS9PZR5KqzBgUxt5sMCCpiYKQ+S4UgBTNRuZK3iefRHJWdsW4j2+x2Ws+mGu/w2RPtCq2vovogJJvlkM1idDQrWuCtNupHzxgh3lYrPmllsHJ2kM/pMIhEXd5T3abYRYj+N/1lULvNOPCWhRqLi8PGqCY4f4njAtxuS5DDYi2eHgx2lngsTlP31bLRYI0kGL/jvpsmwCSaQBpr1a6POCaUoAtkB&p=
      Response
      HTTP/2.0 200
      cache-control: no-store, no-cache
      pragma: no-cache
      content-length: 131
      content-type: application/json; charset=utf-8
      expires: Mon, 01 Jan 0001 00:00:00 GMT
      server: Microsoft-IIS/10.0
      arc-rsp-dbg: [{"DcoPlusDebug":"Status: Ok"},{"OPTOUTSTATE":"256"},{"REGIONALPOLICY":"0"}]
      accept-ch: UA, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform, UA-Platform-Version
      x-aspnet-version: 4.0.30319
      x-powered-by: ASP.NET
      strict-transport-security: max-age=31536000; includeSubDomains
      date: Thu, 07 Nov 2024 21:22:53 GMT
    • flag-us
      DNS
      56.163.245.4.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      56.163.245.4.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      26.35.223.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      26.35.223.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      18.31.95.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      18.31.95.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      77.190.18.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      77.190.18.2.in-addr.arpa
      IN PTR
      Response
      77.190.18.2.in-addr.arpa
      IN PTR
      a2-18-190-77.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      172.214.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.214.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      21.236.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      21.236.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      24.73.42.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      24.73.42.20.in-addr.arpa
      IN PTR
      Response
    • 20.223.35.26:443
      https://fd.api.iris.microsoft.com/v4/api/selection?&asid=BA4BF613B30448529BC6DA09B1491BD5&nct=1&placement=88000677&bcnt=30&country=US&locale=en-US&poptin=0&fmt=json&clr=cdmlite&arch=AMD64&concp=0&d3dfl=D3D_FEATURE_LEVEL_12_1&devfam=Windows.Desktop&devosver=10.0.19044.4529&dinst=1729692948&dmret=0&drgng=244&flightbranch=&flightring=Retail&localid=w%3ABD1D82DF-500F-E4D5-DF24-8796A3BD9F3D&osbranch=vb_release&oslocale=en-US&osret=1&ossku=EnterpriseS&osskuid=125&prccn=2&prccs=4192&prcmf=AuthenticAMD&procm=Intel%20Core%20Processor%20%28Broadwell%29&ram=4095&tinst=Client&tl=1&pat=0&smc=0&sac=0&disphorzres=1280&dispsize=14.7&dispvertres=720&ldisphorzres=1280&ldispvertres=720&moncnt=1&cpdsk=241361&frdsk=209743&lo=22026&tsu=22026
      tls, http2
      2.7kB
      7.4kB
      18
      12

      HTTP Request

      GET https://fd.api.iris.microsoft.com/v4/api/selection?&asid=BA4BF613B30448529BC6DA09B1491BD5&nct=1&placement=88000677&bcnt=30&country=US&locale=en-US&poptin=0&fmt=json&clr=cdmlite&arch=AMD64&concp=0&d3dfl=D3D_FEATURE_LEVEL_12_1&devfam=Windows.Desktop&devosver=10.0.19044.4529&dinst=1729692948&dmret=0&drgng=244&flightbranch=&flightring=Retail&localid=w%3ABD1D82DF-500F-E4D5-DF24-8796A3BD9F3D&osbranch=vb_release&oslocale=en-US&osret=1&ossku=EnterpriseS&osskuid=125&prccn=2&prccs=4192&prcmf=AuthenticAMD&procm=Intel%20Core%20Processor%20%28Broadwell%29&ram=4095&tinst=Client&tl=1&pat=0&smc=0&sac=0&disphorzres=1280&dispsize=14.7&dispvertres=720&ldisphorzres=1280&ldispvertres=720&moncnt=1&cpdsk=241361&frdsk=209743&lo=22026&tsu=22026

      HTTP Response

      200
    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
      90 B
      1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      64.159.190.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      64.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      217.106.137.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      217.106.137.52.in-addr.arpa

    • 8.8.8.8:53
      79.190.18.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      79.190.18.2.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      104.219.191.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      104.219.191.52.in-addr.arpa

    • 8.8.8.8:53
      fd.api.iris.microsoft.com
      dns
      71 B
      197 B
      1
      1

      DNS Request

      fd.api.iris.microsoft.com

      DNS Response

      20.223.35.26

    • 8.8.8.8:53
      56.163.245.4.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      56.163.245.4.in-addr.arpa

    • 8.8.8.8:53
      26.35.223.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      26.35.223.20.in-addr.arpa

    • 8.8.8.8:53
      18.31.95.13.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      18.31.95.13.in-addr.arpa

    • 8.8.8.8:53
      77.190.18.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      77.190.18.2.in-addr.arpa

    • 8.8.8.8:53
      172.214.232.199.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      172.214.232.199.in-addr.arpa

    • 8.8.8.8:53
      21.236.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      21.236.111.52.in-addr.arpa

    • 8.8.8.8:53
      24.73.42.20.in-addr.arpa
      dns
      70 B
      156 B
      1
      1

      DNS Request

      24.73.42.20.in-addr.arpa

    MITRE ATT&CK Enterprise v15


    Downloads

    • memory/420-0-0x0000000001340000-0x0000000001341000-memory.dmp

      Filesize

      4KB
