Analysis

  • max time kernel
    104s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/11/2024, 03:07 UTC

General

  • Target

    $PLUGINSDIR/uninstall.exe

  • Size

    8.2MB

  • MD5

    dc81c01374e9543469920d763402b10a

  • SHA1

    535e9355a31bd2a06381e67ff24f52953071478a

  • SHA256

    87801f6c52b6660a9f1cb8a832a5bbad75f7d086e3c141f547eafd633bd7cb76

  • SHA512

    c37cc90e8b1319b5edb0a55f8462f664fa138d80938053b521d0cd713e04f137244b14d03063a2da9e4e3fdd6c4f8e5a219dc36752eb5caf190b5ef2a6204611

  • SSDEEP

    196608:JD18/QDptRqcnqnJ1CcWpxriRRpO/fg/OfPTsxnoygd5:Jh8/EtRqcqnJ8WRRp8g/oTXygX

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\uninstall.exe
    "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\uninstall.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2528
    • C:\Users\Admin\AppData\Local\Temp\uninstall.exe
      "C:\Users\Admin\AppData\Local\Temp\uninstall.exe" "av:1.0.1" "gv:1.0.1.3" "gs:Official-com" "gi:UA-85655135-28" "an:DroidKit" "c:iMobie"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2772

Network

  • DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • DNS
    83.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83.deploy.static.akamaitechnologies.com
  • DNS
    c.pki.goog
    uninstall.exe
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
    Response
    c.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.187.227
  • GET
    http://c.pki.goog/r/r1.crl
    uninstall.exe
    Remote address:
    142.250.187.227:80
    Request
    GET /r/r1.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 854
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Sun, 10 Nov 2024 02:55:46 GMT
    Expires: Sun, 10 Nov 2024 03:45:46 GMT
    Cache-Control: public, max-age=3000
    Age: 732
    Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • DNS
    238.187.250.142.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    238.187.250.142.in-addr.arpa
    IN PTR
    Response
    238.187.250.142.in-addr.arpa
    IN PTR
    lhr25s34-in-f14.1e100.net
  • DNS
    227.187.250.142.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    227.187.250.142.in-addr.arpa
    IN PTR
    Response
    227.187.250.142.in-addr.arpa
    IN PTR
    lhr25s34-in-f3.1e100.net
  • DNS
    73.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.159.190.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    56.163.245.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.163.245.4.in-addr.arpa
    IN PTR
    Response
  • DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • DNS
    75.117.19.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    75.117.19.2.in-addr.arpa
    IN PTR
    Response
    75.117.19.2.in-addr.arpa
    IN PTR
    a2-19-117-75.deploy.static.akamaitechnologies.com
  • DNS
    88.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.210.23.2.in-addr.arpa
    IN PTR
    Response
    88.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-88.deploy.static.akamaitechnologies.com
  • DNS
    30.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    30.243.111.52.in-addr.arpa
    IN PTR
    Response
  • 142.250.187.227:80
    http://c.pki.goog/r/r1.crl
    http
    uninstall.exe
    349 B
    1.7kB
    5
    4

    HTTP Request

    GET http://c.pki.goog/r/r1.crl

    HTTP Response

    200
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    83.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    c.pki.goog
    dns
    uninstall.exe
    56 B
    107 B
    1
    1

    DNS Request

    c.pki.goog

    DNS Response

    142.250.187.227

  • 8.8.8.8:53
    238.187.250.142.in-addr.arpa
    dns
    74 B
    113 B
    1
    1

    DNS Request

    238.187.250.142.in-addr.arpa

  • 8.8.8.8:53
    227.187.250.142.in-addr.arpa
    dns
    74 B
    112 B
    1
    1

    DNS Request

    227.187.250.142.in-addr.arpa

  • 8.8.8.8:53
    73.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    73.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    56.163.245.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    56.163.245.4.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    75.117.19.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    75.117.19.2.in-addr.arpa

  • 8.8.8.8:53
    88.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    88.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    30.243.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    30.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nslA152.tmp\GoogleTracingLib.dll

    Filesize

    46KB

    MD5

    3a914fc853188765010b73ff99834383

    SHA1

    374b9c4bcc852e42e85aab7b142ecdd80f0c40a1

    SHA256

    5b8cadf540dd47d19b1020bf5c0aca1b6d14d9d875b0a5794b432401c60ee5c7

    SHA512

    1e1a26dcb480cae7dc0fb89c0e8b560206b23b85a6f56458e2019af9c67ca9f942e2c75e78052e4e0eebcfff5e7a3c5eafb5538ba776c0a40b39cafee0bce0e7

  • C:\Users\Admin\AppData\Local\Temp\nslA152.tmp\SkinBtn.dll

    Filesize

    15KB

    MD5

    0325c49a03baf13592272fec2b36968e

    SHA1

    ab10d9f3b420d7192ce6e3ceb953d94b669bdded

    SHA256

    72ddf9ec65f49d38ed181b4e73e095524d9c83118e6d7ae705227c7351300b95

    SHA512

    9009b5ebd7c45ecf9aa967aeddaf6b7695581ee8e212432eeaefd0777df3fbff41842975e0d09774f01b3b994500299042a004efc030162576cca925bdc0f43c

  • C:\Users\Admin\AppData\Local\Temp\nslA152.tmp\System.dll

    Filesize

    22KB

    MD5

    86a488bf743dfab80ff142713adb5d48

    SHA1

    02e4b39f2fa40cd4edcc42cb524dc3ce911bfdac

    SHA256

    3924b57f8993a880d53e1e4e18eb6ba9b5dc610cbb00345c954c7e8a9078c309

    SHA512

    0ed09bcddd5bd13a91e7b99b78e37a01a36d62a29ad74acaacbe0da6446c8523e83ed2c089d2847e4d1ba467da93e2fd2de104feb51bcda445511b334bf932c8

  • C:\Users\Admin\AppData\Local\Temp\nslA152.tmp\nsProcess.dll

    Filesize

    15KB

    MD5

    8205bee74d498724aa5508e93c6d21f8

    SHA1

    2564cc3032e59d538826596a88d80c3d022ef595

    SHA256

    382aad28fa439b18d3d41a4652201c1d1542d73ff756a738c4cee6b75ebeca8f

    SHA512

    67c1e7fcfbc03565ddcd0cde4a91104231b30e0e3edbfe338ba5da76085fe849ea2dea199554dd3b25b90ab9722c30fd22399932463ef4a95e6000fcb5ef3ca1

  • C:\Users\Admin\AppData\Local\Temp\nslA152.tmp\un.exe

    Filesize

    7.4MB

    MD5

    be3bb1b8ec4f4dff02c1e7af5410ea2d

    SHA1

    5bc2a48ed40407018139e897a47df1d65ffe37e8

    SHA256

    d7d45e9e1db7e196bdfa365e6a17c6cf5ad356207e140e63358cd8272981336c

    SHA512

    0bffaa33eba62af045b2fc788fb2268eea2805dc86c68c4f4d2dd62589fe74140d56f7497f083332e4c67086f3e6fc835dc3848696472e307ea7b4a534a61859

  • memory/2772-85-0x00000000057B0000-0x0000000005816000-memory.dmp

    Filesize

    408KB

  • memory/2772-88-0x0000000006C50000-0x0000000006FA4000-memory.dmp

    Filesize

    3.3MB

  • memory/2772-84-0x00000000723B0000-0x0000000072B60000-memory.dmp

    Filesize

    7.7MB

  • memory/2772-82-0x00000000723BE000-0x00000000723BF000-memory.dmp

    Filesize

    4KB

  • memory/2772-86-0x0000000006340000-0x000000000639A000-memory.dmp

    Filesize

    360KB

  • memory/2772-87-0x00000000067F0000-0x0000000006810000-memory.dmp

    Filesize

    128KB

  • memory/2772-89-0x00000000072B0000-0x00000000072B8000-memory.dmp

    Filesize

    32KB

  • memory/2772-83-0x0000000000500000-0x0000000000C76000-memory.dmp

    Filesize

    7.5MB

  • memory/2772-90-0x0000000009540000-0x0000000009548000-memory.dmp

    Filesize

    32KB

  • memory/2772-91-0x00000000723B0000-0x0000000072B60000-memory.dmp

    Filesize

    7.7MB

  • memory/2772-93-0x00000000069C0000-0x00000000069CE000-memory.dmp

    Filesize

    56KB

  • memory/2772-92-0x00000000069E0000-0x0000000006A18000-memory.dmp

    Filesize

    224KB

  • memory/2772-94-0x00000000723BE000-0x00000000723BF000-memory.dmp

    Filesize

    4KB

  • memory/2772-95-0x00000000723B0000-0x0000000072B60000-memory.dmp

    Filesize

    7.7MB
